Red Hat build of Keycloak 22 provides out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault.

The file-based vault implementation is especially useful for Kubernetes/OpenShift secrets. One can mount Kubernetes secrets into the Red Hat build of Keycloak Container, and the data fields will be available in the mounted folder with a flat-file structure.

The Java KeyStore-based vault implementation is useful for storing secrets in bare metal installations. One can use the KeyStore vault, which is encrypted using a password.

The Operator already allows adding more config options from the Keycloak Quarkus distribution to Keycloak CR as per GHI#13456.

We need to provide a Vault full support in the Operator, allowing config options for Vault probably requiring to extend current Vault functionality to accommodate more fields throughout Realm representation.

Cf. GHI#14403