feat: added keycloak client secret (#366)

* feat: added keycloak client secret

On-behalf-of: SAP [email protected]

* fix: removed password arg

On-behalf-of: SAP [email protected]

* version bump

On-behalf-of: SAP [email protected]

Author: OlegErshov

charts/security-operator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: security-operator
 description: A Helm chart for security-operator
 type: application
-version: 0.18.21
+version: 0.18.22
 appVersion: "v0.9.20"
 dependencies:
   - name: security-operator-crds

charts/security-operator/README.md

@@ -24,6 +24,8 @@ A Helm chart for security-operator
 | image.name | string | `"ghcr.io/platform-mesh/security-operator"` |  |
 | initializer.extraArgs | list | `[]` |  |
 | initializer.kubeconfigSecret | string | `""` | The kubeconfig secret for the initializer |
+| keycloak.client.secret.key | string | `"attribute.client_secret"` |  |
+| keycloak.client.secret.name | string | `"security-operator-client-secret"` |  |
 | keycloakSecret | string | `"keycloak-admin"` |  |
 | kubeconfigSecret | string | `""` | The kubeconfig secret for operator and generator |
 | logLevel | string | `"info"` |  |

charts/security-operator/templates/deployment.yaml

@@ -25,9 +25,6 @@ spec:
         {{- include "common.PortsMetricsHealth" . | nindent 10 }}
         args:
           - fga
-          {{- with .Values.keycloakSecret }}
-          - --invite-keycloak-password-file=/keycloak-credentials/secret
-          {{- end }}
           {{- with .Values.fga.inviteKeycloakBaseUrl }}
           - --invite-keycloak-base-url={{ . }}
           {{- end }}
@@ -46,6 +43,11 @@ spec:
           - name: KCP_KUBECONFIG
             value: /api-kubeconfig/kubeconfig
           {{- end }}
+          - name: INVITE_KEYCLOAK_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.keycloak.client.secret.name }}
+                key: {{ .Values.keycloak.client.secret.key }}
         volumeMounts:
           {{- if .Values.kubeconfigSecret }}
           - name: external-api-server

charts/security-operator/tests/__snapshot__/deployment_test.yaml.snap

@@ -162,7 +162,6 @@ operator match the snapshot:
           containers:
             - args:
                 - fga
-                - --invite-keycloak-password-file=/keycloak-credentials/secret
                 - --leader-elect
                 - --metrics-bind-address=:9090
                 - --health-probe-bind-address=:8090
@@ -178,6 +177,11 @@ operator match the snapshot:
                   value: openfga.platform-mesh-system.svc.cluster.local:8081
                 - name: KCP_KUBECONFIG
                   value: /api-kubeconfig/kubeconfig
+                - name: INVITE_KEYCLOAK_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      key: attribute.client_secret
+                      name: security-operator-client-secret
               image: ghcr.io/platform-mesh/security-operator:1.0.0
               imagePullPolicy: IfNotPresent
               livenessProbe:
@@ -593,7 +597,6 @@ operator match the snapshot w. sentry:
           containers:
             - args:
                 - fga
-                - --invite-keycloak-password-file=/keycloak-credentials/secret
                 - --leader-elect
                 - --metrics-bind-address=:9090
                 - --health-probe-bind-address=:8090
@@ -614,6 +617,11 @@ operator match the snapshot w. sentry:
                   value: test
                 - name: FGA_TARGET
                   value: openfga.platform-mesh-system.svc.cluster.local:8081
+                - name: INVITE_KEYCLOAK_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      key: attribute.client_secret
+                      name: security-operator-client-secret
               image: ghcr.io/platform-mesh/security-operator:1.0.0
               imagePullPolicy: IfNotPresent
               livenessProbe:

charts/security-operator/values.yaml

@@ -29,6 +29,12 @@ caSecret: ""
 
 baseDomain: ""
 
+keycloak:
+  client:
+    secret:
+      name: security-operator-client-secret
+      key: attribute.client_secret
+
 initializer:
   # -- The kubeconfig secret for the initializer
   kubeconfigSecret: ""