[keycloak-dev] [keycloak-user] Plain-text vault

Sebastian Laskawiec slaskawi at redhat.com
Thu Sep 19 02:10:11 EDT 2019 

On Wed, Sep 18, 2019 at 4:37 PM Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> Recently, vault capability has been introduced recently in Keycloak
> (master) with an out-of-the-box implementation that is basically providing
> secrets in the same format as if mounting secrets volume within Kubernetes
> [1]. Now there have been considerations regarding name and storage layout
> which I would like to gather feedback on.
>
> The questions are the following ones. Both have arguments for the current
> implementation explained below:
> 1. Is there any better way of storing the credentials?
> 2. Is there a better name for the OOTB implementation?
>
> Storage layout:
> The aim: The plain text vault implementation respects realm to prevent
> leaking a secret used in one vault into another realm. The implementation
> also accounts for Kubernetes secret keys naming restrictions [1] which are
> only consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’. Note that
> forward slash is not among allowed characters.
>
> Since the vault adheres to the same format as provided by Kubernetes
> secrets volume, it also limits the file possible names for easy usage.
> While kubernetes support exposing the secret keys as files in various
> subdirectories of the mount directory, the default way of providing secrets
> is via flat file structure (no subdirectories). To achieve structure where
> secret would be looked up in a file with a given key within a realm
> directory (i.e. realm_name/secret_key), every secret would have to be
> accompanied with "path" specification which is not particularly user
> friendly.
>
> Having kubernetes secrets per realm and mounting them into separate
> directories could be an option, however that limits the ability to easily
> add a new realm because the Pod definition would need to change with every
> new realm to incorporate the new volume, and the whole deployment restarted
> to reflect the changes. Alternatively, secrets for all realms could be
> mounted into a single directory and "path" would be defined for every
> secret as described above - but that is error-prone as well.
>
> Thus the implementation where realm name and secret key would be separated
> by a single underscore, and to prevent ambiguity, every underscore within
> the either realm name and secret keys would be doubled. In other words, to
> get secret called "some-secret" or "other_secret" from vault from within
> realm called "realm-1" or "other_realm", the files would be called
> "realm-1_some-secret" and "other__realm_other__secret", respectively. This
> is clearly readable in the former case but may be error-prone in the
> latter.
>
> Name:
> The SPI name was chosen to be "plaintext" since the secrets are stored
> openly in the files. Perhaps there is a better name? "kubernetes"? Any
> other suggestion or +1 or -1 with arguments to the alternatives are
> welcome.
>

+1 I like the plaintext name. It's pretty much generic and so it the
functionality (even though it was designed with K8s usecase in mind).


>
> I would love to hear your opinion on the two questions.
>
> [Apologies for cross-posting, this can gain valuable feedback from both
> devs and users though]
>
> --Hynek
>
> [1] https://kubernetes.io/docs/concepts/configuration/secret/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-dev mailing list