You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue is being ported over from a previously reported one here: keycloak#499, as it affects the realm operator as well. Apart from the usual issues with storing secrets in an unencrypted CR, It is particularly problematic to manage the password safely in a gitops environment.
Currently as mentioned keycloak#409 although creating a user resource leads to a secrets file being generated with the user credentials in it, we are required to explicitly set the password in the user resource.
Storing credentials in non-secrets is poor practice especially in this case, where an admin user could be created and exposed to the outside world.
Better would be either (or both)
Automatically generate a password if it is not provided, and store it in the secret
If the secret is changed externally, use that to update the user password"
Discussion
Setting
requiredActions:
- "UPDATE_PASSWORD"
as a means of forcing ab initial password change, also does not work as the operator continuously syncs the user CR, causing the action to be permanently required.
Motivation
Encourage good practices in storing secrets
Facilitate credential rotation
Description
This issue is being ported over from a previously reported one here: keycloak#499, as it affects the realm operator as well. Apart from the usual issues with storing secrets in an unencrypted CR, It is particularly problematic to manage the password safely in a gitops environment.
Discussion
Setting
as a means of forcing ab initial password change, also does not work as the operator continuously syncs the user CR, causing the action to be permanently required.
Motivation
Encourage good practices in storing secrets
Facilitate credential rotation
Details
references:
The text was updated successfully, but these errors were encountered: