Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1277

Kubernetes Secrets Store CSI Driver in Operator

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Currently, the RHBK Operator uses secret/example-kc-initial-admin for the Admin username and password. This prevents customers from implementing a more secure way of accessing the Admin Console through SealedSecret or ExternalSecret objects.

      We need to provide support for Kubernetes Secrets Store CSI Driver in Operator for User-provided Secrets, as per GHI#15830

      External Secrets are referenced in the OpenShift Documentation and also Red Hat Blog Posts, although both seem to differ on the approaches (and the customer seemed to have mentioned the latter).

      Since RH SSO / RHBK are solutions to provide enhanced security for our customers, it makes sense that they are able to rely on better security mechanisms to define the initial admin username and password.
      It's unknown at the moment whether the best approach would be to reference a different Secret (not managed by the Operator), files mounted from a Secret or both. This will depend on the future ability from the Operator to mount Secrets as files again without the "unsupported" approach and whether we want to cover an External Secrets Store, External Secrets Operator (ESO) or both, assuming the Secrets from ESO can be mounted as files.
      For SealedSecret, it seems like the solution to External Secrets would already address them as well.

              sthorger@redhat.com Stian Thorgersen
              rhn-support-igueye Issa Gueye
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: