Type: Enhancement
Resolution: Unresolved
Priority: Major
Fix Version: RHDG Operator CSV 8.6.0 GA
The following configuration shows how to configure a standalone server with token-based auth on port 11222. It also uses a "keycloak" realm to allow secure communication with a Keycloak instance that has HTTPS enabled:

```yaml
infinispan:
  server:
    interfaces:
      - name: "public"
        inetAddress:
          value: "${infinispan.bind.address:127.0.0.1}"
    socketBindings:
      defaultInterface: "public"
      portOffset: 0
      bindings:
        - socketBinding:
            name: "default"
            port: "11222"
    security:
      securityRealms:
        # Realm holding only a truststore: used as the client SSL context for calls to Keycloak
        - name: "keycloak"
          serverIdentities:
            ssl:
              truststore:
                path: "ca.pfx"
                password: "secret"
        # Realm served on the endpoint: server keystore plus token (OAuth2 introspection) auth
        - name: "default"
          serverIdentities:
            ssl:
              keystore:
                path: "server.pfx"
                password: "secret"
          tokenRealm:
            name: "token-realm"
            authServerUrl: "https://127.0.0.1:14568/auth/"
            clientId: "infinispan-console"
            oauth2Introspection:
              clientId: "infinispan-server"
              clientSslContext: "keycloak"
              introspectionUrl: "https://127.0.0.1:14568/realms/infinispan/protocol/openid-connect/token/introspect"
              clientSecret: "1fdca4ec-c416-47e0-867a-3d471af7050f"
    endpoints:
      socketBinding: "default"
      securityRealm: "default"
```
In theory it should be possible to modify the above configuration and use it in the Operator via the ConfigMap provided in spec.configMapName. However, this is non-obvious and is proving to be a point of confusion for users and support.
A pain point is the need for the user to securely provide the ca.pfx truststore to the server. It may be possible for this to be included as part of spec.security.endpointEncryption.certSecretName; however, this needs to be verified and documented.
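As an added sanity check (not part of this issue or of the Operator), the following Python validates the wiring of a configuration like the one above before it is dropped into a ConfigMap: the realm named by the endpoint must carry a tokenRealm, both Keycloak URLs must be HTTPS, and clientSslContext must point at a realm that actually holds a truststore (the ca.pfx that has to be provided). The configuration is embedded as a constructed Python dict mirroring the YAML, with the client secret replaced by a placeholder.

```python
from copy import deepcopy

# Constructed rendering of the YAML above, trimmed to what the checks inspect; secret is a placeholder.
SAMPLE_CONFIG = {"infinispan": {"server": {
    "security": {"securityRealms": [
        {"name": "keycloak",
         "serverIdentities": {"ssl": {"truststore": {"path": "ca.pfx", "password": "secret"}}}},
        {"name": "default",
         "serverIdentities": {"ssl": {"keystore": {"path": "server.pfx", "password": "secret"}}},
         "tokenRealm": {
             "name": "token-realm", "clientId": "infinispan-console",
             "authServerUrl": "https://127.0.0.1:14568/auth/",
             "oauth2Introspection": {
                 "clientId": "infinispan-server", "clientSslContext": "keycloak",
                 "introspectionUrl": "https://127.0.0.1:14568/realms/infinispan/protocol/openid-connect/token/introspect",
                 "clientSecret": "<client-secret-placeholder>"}}}]},
    "endpoints": {"socketBinding": "default", "securityRealm": "default"}}}}


def check_token_realm(config):
    """Return findings for the realm the endpoint uses; an empty list means the wiring is consistent."""
    server = config["infinispan"]["server"]
    realms = {r["name"]: r for r in server.get("security", {}).get("securityRealms", [])}
    realm_name = server.get("endpoints", {}).get("securityRealm")
    realm = realms.get(realm_name)
    if realm is None:
        return [f"endpoints.securityRealm '{realm_name}' does not name a defined realm"]
    token = realm.get("tokenRealm")
    if not token:
        return [f"realm '{realm_name}' is used by the endpoint but defines no tokenRealm"]
    findings = []
    intro = token.get("oauth2Introspection", {})
    # Both Keycloak URLs must be HTTPS; otherwise bearer tokens and the client secret cross the wire in clear text.
    for label, url in (("authServerUrl", token.get("authServerUrl", "")),
                       ("introspectionUrl", intro.get("introspectionUrl", ""))):
        if not url.startswith("https://"):
            findings.append(f"{label} is not https: {url!r}")
    # clientSslContext must name a realm carrying a truststore (ca.pfx above), or there is no CA to verify Keycloak.
    ctx = intro.get("clientSslContext")
    ctx_ssl = realms.get(ctx, {}).get("serverIdentities", {}).get("ssl", {})
    if "truststore" not in ctx_ssl:
        findings.append(f"clientSslContext '{ctx}' has no truststore for verifying the Keycloak certificate")
    return findings


def misconfigured_variant():
    """Constructed negative case: plain-HTTP introspection and a dangling clientSslContext reference."""
    cfg = deepcopy(SAMPLE_CONFIG)
    intro = cfg["infinispan"]["server"]["security"]["securityRealms"][1]["tokenRealm"]["oauth2Introspection"]
    intro["introspectionUrl"] = "http://127.0.0.1:14568/realms/infinispan/protocol/openid-connect/token/introspect"
    intro["clientSslContext"] = "missing"
    return cfg
```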
Optionally, it may also be worth considering providing additional configuration in the CR spec to allow first-class support for token auth configuration. This could entail:
- Allowing configuration of a dedicated Secret for holding truststore(s) for external HTTPS communication
- Allowing tokenRealm attributes (URL, clientId etc.) to be configured in the spec or via a Secret.