spiffe / helm-charts-hardened

Apache License 2.0

Update keycloak-config-cli using SPIRE example to Keycloak >= 24.0.0 #387

Open moritzschmitz-oviva opened 1 week ago

moritzschmitz-oviva commented 1 week ago

Keycloak >= 24.0.0 deprecated the use of password-protected truststores. This makes the integration with SPIRE quite a bit easier. This PR should update the example to reflect the changes.

kfox1111 commented 1 day ago

Thanks for the PR. :)

I like the idea of switching to pems from the java trust store.

I think there is one problem with the PR though.

The example should be able to refresh certificates when SPIRE issues new ones. They expire fairly regularly, so that plumbing still needs to be in place. The spiffe-helper and java-spiffe-helper can do the refresh. I think the spire-agent can not. Could spire-agent be switched out with the spire-helper?

moritzschmitz-oviva commented 1 day ago

> The example should be able to refresh certificates when SPIRE issues new ones.

For this example Keycloak itself most likely is the problem. The certs get loaded at startup and are not reloaded during runtime.

kfox1111 commented 1 day ago

Yeah, there definitely is an issue in Keycloak: https://github.com/keycloak/keycloak/issues/26524

But for the example, we should probably give the recommendation as properly as possible, with rotation working, so when it's fixed in Keycloak, those who copied the example don't have to go back and figure out how to fix it.