Hi everyone,
I'm currently taking a look at the Keycloak Realm Operator. It looks promising. However, if you let the operator manage Keycloak Clients, it will write their secrets into k8s Secrets only in the namespace which the operator is watching. This can be a bit inconvenient if you have apps that are secured by Keycloak and spread across multiple namespaces.
I haven't found a way to let the operator write Keycloak Secrets into different namespaces yet. A workaround would be to replicate the Secrets in other namespaces, either by kubectl or using a service like kubernetes-replicator.
I suggest adding this kind of replication feature to the Keycloak Realm Operator, and to the new Keycloak Operator at some other point. Replication could be triggered by, e.g., annotating a target namespace with information about the realm and the client whose secrets should be written to the targeted namespace. Then, the operator would scan all namespaces and check if the annotation is set. If that's the case, it creates the k8s Secret containing the desired client's secret in the detected namespace.
A possible example:
apiVersion: v1
kind: Namespace
metadata:
  name: myproject
  annotations:
    # annotation values must be strings, so the client list is JSON inside a string
    my-realm: '["my-client"]'
Here, you could specify any clients of a realm whose secrets you need to have injected into the 'myproject' namespace.
Cheers,
Kevin
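The reconcile step that the proposal above describes (scan Namespaces, read the annotation, emit a Secret per requested client), as an added, offline example in Python. This is not code from the post, the Keycloak Realm Operator or the new Keycloak Operator. Everything about the format is an assumption made here for illustration: a hypothetical prefixed annotation key `keycloak-replication/<realm>`, a JSON list of client IDs as the (string) annotation value, and a replicated Secret named `keycloak-client-secret-<clientId>` carrying `CLIENT_ID` and `CLIENT_SECRET`. The Namespace objects and client secrets are constructed inline instead of being read from the API server.

```python
import base64
import json

# Hypothetical annotation key prefix; the realm name follows the slash.
ANNOTATION_PREFIX = "keycloak-replication/"


def requested_clients(namespace):
    """Return {realm: [client_id, ...]} requested by one Namespace object.

    Malformed annotations (not JSON, not a list of strings) are ignored
    rather than guessed at, so a typo can never replicate the wrong secret.
    """
    wanted = {}
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        realm = key[len(ANNOTATION_PREFIX):]
        try:
            clients = json.loads(value)   # annotation values are strings
        except (TypeError, ValueError):
            continue
        if not isinstance(clients, list) or not all(isinstance(c, str) for c in clients):
            continue
        wanted[realm] = clients
    return wanted


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def secret_manifest(namespace_name, realm, client_id, client_secret):
    """Build the k8s Secret to create in the target namespace (hypothetical layout)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": f"keycloak-client-secret-{client_id}",
            "namespace": namespace_name,
            "labels": {"keycloak-replication/realm": realm},
        },
        "data": {"CLIENT_ID": _b64(client_id), "CLIENT_SECRET": _b64(client_secret)},
    }


def secret_value(manifest, key):
    """Decode one entry of a Secret's base64 `data` map back to text."""
    return base64.b64decode(manifest["data"][key]).decode()


def reconcile(namespaces, known_secrets):
    """One pass over all Namespaces.

    known_secrets maps (realm, client_id) -> client secret, i.e. what the
    operator already holds in its own namespace. Returns the manifests to
    apply and a list of (namespace, realm, client_id) requests it cannot
    fulfil, which a real operator would surface as an event or status.
    """
    manifests, skipped = [], []
    for ns in namespaces:
        ns_name = ns["metadata"]["name"]
        for realm, clients in requested_clients(ns).items():
            for client_id in clients:
                secret = known_secrets.get((realm, client_id))
                if secret is None:
                    skipped.append((ns_name, realm, client_id))
                    continue
                manifests.append(secret_manifest(ns_name, realm, client_id, secret))
    return manifests, skipped


# Constructed sample input: three Namespaces as the API server would return them.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "myproject",
                  "annotations": {"keycloak-replication/my-realm": '["my-client"]'}}},
    {"metadata": {"name": "other",
                  "annotations": {"keycloak-replication/my-realm": '["missing-client"]',
                                  "keycloak-replication/bad": "not json"}}},
    {"metadata": {"name": "plain"}},
]

# Constructed sample state: the one client secret the operator knows about.
SAMPLE_SECRETS = {("my-realm", "my-client"): "s3cr3t"}

if __name__ == "__main__":
    to_apply, not_found = reconcile(SAMPLE_NAMESPACES, SAMPLE_SECRETS)
    for m in to_apply:
        print("apply", m["metadata"]["namespace"], m["metadata"]["name"])
    for req in not_found:
        print("skip", req)
```

Two details worth keeping in mind when turning this into a real feature: Kubernetes annotation values must be strings, so a list has to be encoded (JSON here) rather than written as a YAML list, and the operator should ignore anything it cannot parse instead of falling back to a default, since the failure mode is copying a client secret into a namespace that did not ask for it.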