Update keycloak-config-cli using SPIRE example to Keycloak >= 24.0.0 #387
Conversation
Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>
Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>
moritzschmitz-oviva
requested review from
marcofranssen,
kfox1111,
faisal-memon,
mrsabath and
edwbuck
as code owners
|
Thanks for the pr. :) I like the idea of switching to pems from the java trust store. I think there is one problem with the pr though. The example should be able to refresh certificates when spire issues new ones. They expire fairly regularly, so that plumbing still needs to be in place. The spiffe-helper and java-spiffe-helper can do the refresh. I think the spire-agent can not. Could spire-agent be switched out with the spire-helper? |
For this example Keycloak itself most likely is the problem. The certs get loaded at startup and are not reloaded during runtime. |
|
Yeah, there definitely is an issue in Keycloak: keycloak/keycloak#26524 But for the example, we should probably give the recommendation as proper as possible, with rotation working, so when its fixed in Keycloak, those that copied the example don't have to go back and figure out how to fix it. |
|
@moritzschmitz-oviva Just wanted to check in if youre still working on this? |
|
@moritzschmitz-oviva Just checking in again if you are interested in finishing off this pr? |
Hi @faisal-memon not at the moment, no. Will probably have a look later if nobody else is interested. |
Keycloak >= 24.0.0 deprecated the use of password-protected truststores. This makes the integration with SPIRE quite a bit easier. This PR should update the example to reflect the changes.