sec: remove plaintext passwords from realm ConfigMap

Use keycloak-config-cli env var substitution $(env:VAR_NAME) to inject
user passwords from K8s Secret instead of hardcoding them in ConfigMap.

- realm-configmap.yaml: passwords replaced with $(env:KC_INFRA_ADMIN_PASSWORD)
  and $(env:KC_INFRA_CLAUDE_PASSWORD)
- keycloak ArgoCD app: added keycloakConfigCli.extraEnvVarsSecret
- Secrets sourced from OpenBao via create-keycloak-secrets.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
root 2026-02-22 13:24:44 +01:00
parent 08b0c41f45
commit 65930ceb1e
2 changed files with 3 additions and 2 deletions

@ -51,7 +51,7 @@ data:
"enabled": true,
"firstName": "Admin",
"groups": ["infra-admins"],
"credentials": [{"type": "password", "value": "Kc@Adm1nInfra2026!", "temporary": false}],
"credentials": [{"type": "password", "value": "$(env:KC_INFRA_ADMIN_PASSWORD)", "temporary": false}],
"requiredActions": []
},
{
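Review bot: The removed `credentials` line for the infra-admins user leaves the old password readable in parent 08b0c41f45 and in this diff, so swapping it for `$(env:KC_INFRA_ADMIN_PASSWORD)` does not retire it. Rotate the password as part of this change and make sure the value stored in the Secret is a new one, not the string removed here. Cleaning the ConfigMap alone only stops new copies of the value from being rendered into the cluster.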
@ -60,7 +60,7 @@ data:
"enabled": true,
"firstName": "Claude",
"groups": ["infra-bots"],
"credentials": [{"type": "password", "value": "Kc@Cl4udeBot2026!", "temporary": false}],
"credentials": [{"type": "password", "value": "$(env:KC_INFRA_CLAUDE_PASSWORD)", "temporary": false}],
"requiredActions": []
}
],
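Review bot: The new `credentials` line for the infra-bots user only works if keycloak-config-cli actually expands `$(env:KC_INFRA_CLAUDE_PASSWORD)`, and nothing in the visible hunks turns variable substitution on (`import.var-substitution.enabled`, which is off by default). If it stays off, the import takes the placeholder text itself as the password, so please confirm the setting is applied to the config-cli job and note where. The removed bot value also needs rotating, and since both removed passwords follow one visible pattern, the replacements should be randomly generated rather than derived from it.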

@ -45,6 +45,7 @@ spec:
registry: docker.io
repository: bitnamilegacy/keycloak-config-cli
tag: 6.4.0-debian-12-r11
extraEnvVarsSecret: keycloak-configcli-secrets
postgresql:
enabled: true
image:
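Review bot: `extraEnvVarsSecret: keycloak-configcli-secrets` points at a Secret that this commit does not create: only 2 files changed, and `create-keycloak-secrets.sh` from the commit message is not one of them, so the key names cannot be checked here. They have to match `KC_INFRA_ADMIN_PASSWORD` and `KC_INFRA_CLAUDE_PASSWORD` exactly, and the Secret has to exist in the namespace before ArgoCD syncs the app. Suggest a short comment on this line naming the script that provisions the Secret and the two keys it must contain, so a missing or misnamed key is caught in review rather than at import time.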