set auto-mount service account token to false in keycloak pods #40605
Conversation
pretty sure the
For the Keycloak Multi-Site setup, IMHO we assume that the CA used in OpenShift is imported automatically so we can communicate with Infinispan securely. Looping in @ryanemerson / @pruivo to ensure that the docs are updated for that.

For multi-site HA, Infinispan requires
@ahus1 The operator automatically adds the certificate to the truststore: Lines 448 to 449 in 7736ca2
@pruivo, thank you, I was looking for that code snippet but didn't find it. So this option would be required in the Keycloak HA setup as described in https://www.keycloak.org/high-availability/deploy-keycloak-kubernetes So if this is merged for the 26.3 release and we decide to update the docs in a follow-up issue, that follow-up issue should be a blocker for the 26.3 release.
@ahus1 How so? This PR is disabling the service account tokens (
@pruivo - OK, then I was just worried without a reason. Then proceed here, and our tests in the cluster will show if it breaks. Sorry for the noise!
This is the only doc I found: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting

Based on #38843 (comment) it would appear that the CA cert is also not mounted when the

+1
added the
Hey @vmuzikar would it be possible to get someone to take a look here? Thanks in advance!

@KyriosGN0 Sorry, will take a look this week.
...tor/src/main/java/org/keycloak/operator/controllers/KeycloakDeploymentDependentResource.java
@shawkins thanks for the review, i agree with your suggestion and have committed them
operator/src/main/java/org/keycloak/operator/crds/v2alpha1/deployment/KeycloakSpec.java
@vmuzikar would it be possible for you to take another look?
When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically.
This includes `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and the `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` when present.
In order to not include `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` in Keycloak pods, set the `automountServiceAccountToken` field in the spec to `false`.
Here, in the CRD property description, or both, it should be clearer why you would want to set it to false and when that isn't possible.
If this seems like it's getting too nuanced, then I'm still in favor of using a networkpolicy that denies access from the keycloak pods to the api server.
@KyriosGN0 Sorry for the late reply.

> If this seems like it's getting too nuanced

IMHO it's not.

@KyriosGN0 In order to move this forward, we would need to document that the service account is required by the Kube service accounts identity provider.

> why you would want to set it to false

+1
And infinispan.
@shawkins do you mean using an external Infinispan cluster?
Yes - #40605 (comment)
It can also be needed if there is custom provider logic that expects to connect to the api server.
shawkins left a comment
Thanks @KyriosGN0 this looks good. Just a couple of minor edits might be good.
vmuzikar left a comment
Thank you for the contribution, LGTM!
Signed-off-by: AvivGuiser <[email protected]> # Conflicts: # operator/src/main/java/org/keycloak/operator/crds/v2alpha1/deployment/KeycloakSpec.java
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Co-authored-by: Steven Hawkins <[email protected]> Signed-off-by: AvivGuiser <[email protected]>
…ken to true Co-authored-by: Steven Hawkins <[email protected]> Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
Signed-off-by: AvivGuiser <[email protected]>
…false Signed-off-by: AvivGuiser <[email protected]>
Co-authored-by: Steven Hawkins <[email protected]> Signed-off-by: AvivGuiser <[email protected]>
This has been resolved by a docs note.
…oak#40605) closes keycloak#38843 Signed-off-by: AvivGuiser <[email protected]> Co-authored-by: Steven Hawkins <[email protected]>
…oak#40605) closes keycloak#38843 Signed-off-by: AvivGuiser <[email protected]> Co-authored-by: Steven Hawkins <[email protected]> Signed-off-by: Ogenbertrand <[email protected]>
fixes #38843