
Allow user password to be auto-generated or set from secret

Status: Open. sirockin opened this issue 3 years ago • 2 comments

Description

Currently, as mentioned here, although creating a user resource leads to a secrets file being generated with the user credentials in it, we are required to explicitly set the password in the user resource.

Storing credentials in non-secrets is poor practice, especially in this case, where an admin user could be created and exposed to the outside world.

Better would be either (or both) of:

  1. Automatically generate a password if it is not provided, and store it in the secret
  2. If the secret is changed externally, use that to update the user password

Discussion

No response

Motivation

  1. Encourage good practices in storing secrets
  2. Facilitate credential rotation

Details

No response

sirockin, Mar 03 '22 14:03

Hi @sirockin! Sorry for the late answer. This is an interesting feature indeed, but I would expect it to be supported out of the box by Keycloak itself and not hacked around in the operator.

Probably a good starting point would be to extend the Vault support for user credentials.

I would encourage you to open an issue in keycloak/keycloak so that this request can be tracked in the development of the new operator.

andreaTP, Apr 22 '22 12:04

We need similar behaviour for client credentials. If a k8s secret containing the credentials is already available, the operator should use these credentials and must not overwrite them or generate new ones. That way we can provide the credentials securely via GitOps and Sops.

giddel, Jul 12 '22 05:07
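Added example, not the operator's code: a Python sketch of the reconcile decision that the issue's two requests and giddel's comment describe together. It reuses a pre-existing credential Secret without overwriting it, pushes an externally rotated value to Keycloak, and mints a password only when neither the CR nor a Secret supplies one. The `password` key in the Secret and the hash recorded on the CR to detect rotation are assumptions.

```python
import base64
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import Optional

PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 24


@dataclass
class Outcome:
    password: str           # value the Keycloak user should end up with
    generated: bool         # True when the operator had to mint it (request 1)
    write_secret: bool      # True when the credential Secret must be created/updated
    push_to_keycloak: bool  # True when Keycloak must be updated (first sync or rotation)
    credential_hash: str    # persisted on the CR (assumed status field) to detect rotation


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    # CSPRNG (secrets), never the random module, for credentials
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def credential_hash(password: str) -> str:
    # Only a hash is recorded on the CR, so the plaintext lives in the Secret alone
    return hashlib.sha256(password.encode()).hexdigest()


def reconcile_password(spec_password: Optional[str],
                       secret_data: Optional[dict],
                       last_synced_hash: Optional[str]) -> Outcome:
    # spec_password:    spec.user.credentials[].value, the plaintext the issue wants to avoid
    # secret_data:      .data of the credential Secret (base64 values, as the API returns them)
    # last_synced_hash: hash of the password last pushed to Keycloak, None on first sync
    if secret_data and "password" in secret_data:
        # Secret already present (e.g. delivered via GitOps/SOPS): it is the source of
        # truth, never overwrite or regenerate it; push only if it changed since last sync.
        password = base64.b64decode(secret_data["password"]).decode()
        h = credential_hash(password)
        return Outcome(password, False, False, h != last_synced_hash, h)
    if spec_password:
        # Legacy path: password given in the CR; mirror it into the Secret as today.
        h = credential_hash(spec_password)
        return Outcome(spec_password, False, True, h != last_synced_hash, h)
    # Neither a Secret nor a spec password: mint one and store it only in the Secret.
    password = generate_password()
    return Outcome(password, True, True, True, credential_hash(password))
```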

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived; please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!

stianst, Nov 16 '22 08:11