This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

KEYCLOAK-17209 - proposal to add mounts of secrets #329

Closed
wants to merge 1 commit into from

Conversation

RomanManz

@RomanManz RomanManz commented Mar 19, 2021

JIRA ID

KEYCLOAK-17209

Additional Information

This adds the possibility to mount secret volumes to the operator as described in PR 318 and as discussed in https://groups.google.com/g/keycloak-dev/c/A9PlX6XIR9w/m/pZjHDHffAgAJ.
It relates to PR 321, but without projectedVolumes.

Verification Steps

apiVersion: v1
kind: ConfigMap
metadata:
  name: test-config
data:
  test.properties: |
    blah=true
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-spi
data:
  vault-spi.cli: |
    embed-server --server-config=standalone-ha.xml --std-out=echo
    batch
    /subsystem=keycloak-server/spi=vault/:add
    /subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true,properties={dir => "/test-secret"})
    /subsystem=keycloak-server/spi=vault:write-attribute(name=default-provider,value=files-plaintext)
    run-batch
    stop-embedded-server
---
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  bindCredential: Zm9v
type: Opaque
---
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: example-keycloak
  labels:
    app: sso
spec:
  instances: 1
  externalAccess:
    enabled: True
  keycloakDeploymentSpec:
    experimental:
      args:
        - "-Djboss.as.management.blocking.timeout=600"
      env:
        - name: PROXY_ADDRESS_FORWARDING
          value: "false"
      volumes:
        defaultMode: 0777
        items:
          - configMap:
              name: test-config
              mountPath: /test-config
          - configMap:
              name: vault-spi
              mountPath: /opt/jboss/startup-scripts
          - secret:
              name: test-secret
              mountPath: /test-secret
              defaultMode: 0440
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - keycloak
              topologyKey: "topology.kubernetes.io/zone"
          - weight: 90
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - keycloak
              topologyKey: "kubernetes.io/hostname"

Checklist:

Additional Notes

The SPI example seems to be missing this line:
/subsystem=keycloak-server/spi=vault:write-attribute(name=default-provider,value=files-plaintext).
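As an added example (not code from this PR or from the operator), a small check a reviewer might run over a parsed Keycloak CR like the one above: it extracts the files-plaintext vault `dir` from the CLI script, confirms that directory is the mountPath of a mounted Secret, and flags any Secret whose effective mode (its own defaultMode, else the volumes-level one) is readable by "other". The dict is a constructed copy of the PR's spec; parsing the YAML with PyYAML beforehand is assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample mirroring the PR's verification YAML, as yaml.safe_load
# would return the spec.keycloakDeploymentSpec.experimental.volumes section.
VOLUMES = {
    "defaultMode": 0o777,
    "items": [
        {"configMap": {"name": "test-config", "mountPath": "/test-config"}},
        {"configMap": {"name": "vault-spi", "mountPath": "/opt/jboss/startup-scripts"}},
        {"secret": {"name": "test-secret", "mountPath": "/test-secret", "defaultMode": 0o440}},
    ],
}
# Constructed copy of the relevant line of the vault-spi.cli script.
VAULT_SPI_CLI = (
    "/subsystem=keycloak-server/spi=vault/provider=files-plaintext/"
    ':add(enabled=true,properties={dir => "/test-secret"})\n'
)

DIR_RE = re.compile(r'properties=\{[^}]*\bdir\s*=>\s*"([^"]+)"')


def vault_dir(cli_text: str) -> Optional[str]:
    """Return the files-plaintext vault directory from a jboss-cli script, if present."""
    match = DIR_RE.search(cli_text)
    return match.group(1) if match else None


def effective_mode(volumes: Dict, item: Dict) -> int:
    """Per-item defaultMode overrides the volumes-level one; 0644 is the k8s default."""
    return item.get("defaultMode", volumes.get("defaultMode", 0o644))


def check_volumes(volumes: Dict, cli_text: str) -> List[str]:
    """Findings: Secrets readable by 'other', and a vault dir not backed by a Secret."""
    findings: List[str] = []
    secret_paths = set()
    for entry in volumes.get("items", []):
        for kind, item in entry.items():
            mode = effective_mode(volumes, item)
            if kind == "secret":
                secret_paths.add(item["mountPath"])
                if mode & 0o007:
                    findings.append(
                        f"secret {item['name']} at {item['mountPath']} has mode {mode:o}: world-readable"
                    )
    directory = vault_dir(cli_text)
    if directory is not None and directory not in secret_paths:
        findings.append(f"vault dir {directory} is not the mountPath of any Secret")
    return findings
```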

@abstractj abstractj requested a review from slaskawi March 23, 2021 19:30
@abstractj abstractj self-assigned this Mar 23, 2021
@abstractj abstractj requested review from vmuzikar and removed request for vmuzikar March 23, 2021 19:31
@slaskawi
Contributor

slaskawi commented Apr 6, 2021

@RomanManz Could you please rebase this? I've just merged quite a large PR around Secrets and ConfigMaps.

@slaskawi
Contributor

slaskawi commented Apr 8, 2021

@RomanManz Just a friendly reminder.

@RomanManz
Author

Hello @slaskawi,
thanks for the reminder, I overlooked the message before.
It seems PR 321 was merged and that the VolumeSpec inside pkg/apis/keycloak/v1alpha1/keycloak_types.go changed. If that is true, I think I can close my PR, since PR 321 already includes the mounting of secrets.
Does that make sense?
Thanks a lot!

@RomanManz RomanManz closed this Apr 11, 2021
@RomanManz
Author

I take this as a yes ;-)
