This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

KEYCLOAK-17209 Add support for bind cred secret #315

Closed
wants to merge 3 commits into from

Conversation

soleblaze
Contributor

This adds support for storing the bind credentials in a secret.

JIRA ID

https://issues.redhat.com/browse/KEYCLOAK-17209

Additional Information

The ldap bind credentials should be stored in a secret instead of in cleartext in the keycloak CR.

Verification Steps

Add the steps required to check this change. Following is an example.

  1. Create a secret in the keycloak namespace that contains the bind password
  2. Create a realm that connects to an existing ldap server

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  labels:
    app: sso
  name: ldap-realm
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    displayName: LDAPRealm
    enabled: true
    id: ldap-realm
    realm: ldap-realm
    userFederationProviders:
      - displayName: "ldap"
        providerName: "ldap"
        config:
          vendor: "ad"
          connectionUrl: "ldap://localhost"
          bindDn: "USERNAME"
          # name of the Secret holding the bind password; replaces a cleartext bindCredential
          bindCredentialSecret: "bindcred"
          usersDn: "DC=example,DC=com"
          usernameLDAPAttribute: "mail"
          uuidLDAPAttribute: "objectGUID"
          searchScope: "2" # sub
          useTruststoreSpi: "ldapsOnly"
          trustEmail: "true"
          userObjectClasses: "person, organizationalPerson, user"
          rdnLDAPAttribute: "cn"
          editMode: "READ_ONLY"
          # debug: "false"
    userFederationMappers:
      - name: username
        federationProviderDisplayName: ldap
        federationMapperType: user-attribute-ldap-mapper
        config:
          always.read.value.from.ldap: 'true'
          is.binary.attribute: 'false'
          is.mandatory.in.ldap: 'true'
          ldap.attribute: mail
          read.only: 'true'
          user.model.attribute: username
      - name: MSAD account controls
        federationProviderDisplayName: ldap
        federationMapperType: msad-user-account-control-mapper
        config:
          ldap.password.policy.hints.enabled: 'false'
      - name: last name
        federationProviderDisplayName: ldap
        federationMapperType: user-attribute-ldap-mapper
        config:
          always.read.value.from.ldap: 'true'
          is.binary.attribute: 'false'
          is.mandatory.in.ldap: 'true'
          ldap.attribute: sn
          read.only: 'true'
          user.model.attribute: lastName
      - name: email
        federationProviderDisplayName: ldap
        federationMapperType: user-attribute-ldap-mapper
        config:
          always.read.value.from.ldap: 'true'
          is.binary.attribute: 'false'
          is.mandatory.in.ldap: 'true'
          ldap.attribute: mail
          read.only: 'true'
          user.model.attribute: email
      - name: full name
        federationProviderDisplayName: ldap
        federationMapperType: full-name-ldap-mapper
        config:
          ldap.full.name.attribute: cn
          read.only: 'true'
          write.only: 'false'
```

  3. Log into the admin keycloak console and validate that the realm was created with the appropriate bind credential password and that it authenticates to ldap successfully
  4. Validate that the Bind Credential is not stored in the keycloakrealm CR

Checklist:
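As an added illustration (not code from this PR or from keycloak-operator), the Python below models the two halves of the verification steps above: a check that a KeycloakRealm CR references the bind password only by secret name and embeds no cleartext `bindCredential`, and the reconcile-time resolution a controller would perform to turn `bindCredentialSecret` into the value it sends to Keycloak, so the password exists in the Secret and in that request, never in the CR. The CR dict, the Secret dict and the key name `password` inside the Secret are constructed assumptions; apart from `bindCredentialSecret`, which appears in the PR description, none of the field handling here is the operator's own.

```python
"""Model of secret-referenced LDAP bind credentials in a KeycloakRealm CR.

Added example, not keycloak-operator code. The CR, the Secret and the
Secret key name "password" are constructed for illustration.
"""
import base64
from copy import deepcopy

# Constructed: one Kubernetes Secret as read back from the API, keyed by
# (namespace, name). Secret data values are base64-encoded, as kubectl stores them.
SAMPLE_SECRETS = {
    ("keycloak", "bindcred"): {
        "data": {"password": base64.b64encode(b"sample-bind-pass").decode()}
    }
}

# Constructed: the relevant slice of the KeycloakRealm CR from the PR description.
# Note the provider config carries bindCredentialSecret, not bindCredential.
SAMPLE_REALM_CR = {
    "apiVersion": "keycloak.org/v1alpha1",
    "kind": "KeycloakRealm",
    "metadata": {"name": "ldap-realm", "namespace": "keycloak"},
    "spec": {
        "realm": {
            "id": "ldap-realm",
            "userFederationProviders": [
                {
                    "displayName": "ldap",
                    "providerName": "ldap",
                    "config": {
                        "vendor": "ad",
                        "connectionUrl": "ldap://localhost",
                        "bindDn": "USERNAME",
                        "bindCredentialSecret": "bindcred",
                        "usersDn": "DC=example,DC=com",
                    },
                }
            ],
        }
    },
}


def find_cleartext_bind_credentials(cr):
    """Verification step 4: return displayNames of federation providers whose
    config embeds a cleartext bindCredential. An empty list means the CR is clean."""
    providers = cr.get("spec", {}).get("realm", {}).get("userFederationProviders", [])
    return [
        p.get("displayName", "<unnamed>")
        for p in providers
        if p.get("config", {}).get("bindCredential")
    ]


def resolve_bind_credentials(cr, secrets, secret_key="password"):
    """Build the provider list a controller would hand to Keycloak's admin API.

    The CR is not mutated: a deep copy is taken, bindCredentialSecret is replaced
    by the decoded password from the referenced Secret in the CR's namespace, and
    the reference key is dropped. A missing Secret or key is an error rather than
    a silently empty password. The key name "password" is an assumption."""
    ns = cr.get("metadata", {}).get("namespace", "default")
    resolved = deepcopy(cr["spec"]["realm"].get("userFederationProviders", []))
    for provider in resolved:
        cfg = provider.setdefault("config", {})
        secret_name = cfg.pop("bindCredentialSecret", None)
        if secret_name is None:
            continue  # provider does not use a secret reference
        secret = secrets.get((ns, secret_name))
        if secret is None:
            raise LookupError(f"secret {ns}/{secret_name} not found")
        encoded = secret.get("data", {}).get(secret_key)
        if encoded is None:
            raise LookupError(f"secret {ns}/{secret_name} has no key {secret_key!r}")
        cfg["bindCredential"] = base64.b64decode(encoded).decode()
    return resolved


if __name__ == "__main__":
    print("cleartext findings in CR:", find_cleartext_bind_credentials(SAMPLE_REALM_CR))
    for provider in resolve_bind_credentials(SAMPLE_REALM_CR, SAMPLE_SECRETS):
        keys = sorted(provider["config"])
        print(f"provider {provider['displayName']}: keys sent to Keycloak = {keys}")
```

Running the module prints an empty findings list for the sample CR and shows that the resolved provider config contains `bindCredential` but no `bindCredentialSecret`, while the original CR dict is left untouched. The same `find_cleartext_bind_credentials` walk is what an admission check or a CI lint over exported CRs would run to enforce step 4 across a cluster.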

@soleblaze
Contributor Author

After a discussion in keycloak-dev it sounds like the better way to do this is to use keycloak's existing vault support.

@soleblaze soleblaze closed this Feb 24, 2021
2 participants