Enable SSO for vault

This MR enables SSO for Vault by configuring an OIDC backend on Vault.

This MR assumes that an admin group is configured on the Keycloak side (!299 (merged)).

We anticipate the situation where Keycloak is deployed by fetching a password stored in Vault (!287 (merged)), which actually raises an issue:

Indeed, configuring the OIDC backend of Vault requires the Keycloak OIDC client to be configured (when enabling the OIDC backend, there is a check of the Keycloak oidc_discovery_url). However, this leads to a chicken-and-egg problem if the Keycloak configuration depends on Vault (assuming that Keycloak is configured with an admin password stored in Vault).

We solve the issue by using the vault-config-operator to enable the OIDC backend once the Keycloak OIDC client for Vault is ready. It obviously assumes that the operator is available (!401 (merged)).

This MR is based on (!287 (merged))

Edited by Pierrick Seite
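The ordering problem described in this MR (Vault validates the Keycloak discovery URL at configuration time, so the backend cannot be configured before the Keycloak client exists) can be illustrated with a plain-CLI equivalent of what the operator does: wait until the realm's discovery document answers, then enable and configure the OIDC auth backend and bind an admin role to the Keycloak admin group. The script below is an added example, not code from this MR or from vault-config-operator. The Keycloak base URL, realm name, client id, group path `/vault-admins`, the `groups` claim (which assumes a group-membership mapper on the Keycloak client), the `admin` policy name and the public Vault URL are all assumptions; the `vault write`, `vault auth enable` and `vault auth list` commands and the Keycloak `/realms/<realm>/.well-known/openid-configuration` path are real.

```shell
#!/bin/sh
# Added example (not part of the MR): configure Vault's OIDC auth backend against
# Keycloak only once Keycloak's discovery document is reachable, which removes the
# chicken-and-egg ordering the MR describes. All names below are assumptions.
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-https://keycloak.example.internal}"       # assumed
KEYCLOAK_REALM="${KEYCLOAK_REALM:-platform}"                             # assumed
VAULT_OIDC_CLIENT_ID="${VAULT_OIDC_CLIENT_ID:-vault}"                    # assumed
ADMIN_GROUP="${ADMIN_GROUP:-/vault-admins}"                              # assumed Keycloak group path
VAULT_PUBLIC_URL="${VAULT_PUBLIC_URL:-https://vault.example.internal}"   # assumed, for redirect URIs

# Keycloak (quarkus distribution) publishes per-realm OIDC discovery here.
# Older distributions prefix the path with /auth; adjust KEYCLOAK_URL if so.
oidc_discovery_url() {
  printf '%s/realms/%s/.well-known/openid-configuration\n' "$1" "$2"
}

# Default probe: an HTTP GET that must return 2xx. PROBE may be overridden
# (e.g. for tests) with any command that takes the URL as its only argument.
probe_with_curl() {
  curl -fsS --max-time 5 "$1" >/dev/null 2>&1
}

# Poll the discovery endpoint until it answers or attempts are exhausted.
# $1 = URL, $2 = max attempts, $3 = seconds between attempts. Returns 1 on timeout.
wait_for_discovery() {
  url=$1; attempts=$2; delay=$3; n=0
  while [ "$n" -lt "$attempts" ]; do
    if ${PROBE:-probe_with_curl} "$url"; then
      return 0
    fi
    n=$((n + 1))
    sleep "$delay"
  done
  return 1
}

# Vault role JSON: only tokens whose "groups" claim contains the admin group
# get the admin policy; bound_audiences pins the token to the Vault client.
# $1 = Keycloak group path, $2 = OIDC client id, $3 = public Vault URL.
admin_role_json() {
  printf '{"role_type":"oidc","user_claim":"preferred_username","groups_claim":"groups","bound_claims":{"groups":["%s"]},"bound_audiences":["%s"],"allowed_redirect_uris":["%s/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"],"token_policies":["admin"]}\n' \
    "$1" "$2" "$3"
}

# Enable and configure the backend. Needs VAULT_ADDR and VAULT_TOKEN for the
# vault CLI and the client secret in VAULT_OIDC_CLIENT_SECRET (assumed name).
enable_vault_oidc() {
  disc=$(oidc_discovery_url "$KEYCLOAK_URL" "$KEYCLOAK_REALM")
  # Vault fetches the discovery document when the config is written, so do
  # not proceed until Keycloak serves it (30 attempts, 10 s apart).
  wait_for_discovery "$disc" 30 10

  # Idempotent mount: "vault auth enable" fails if the path already exists.
  vault auth list -format=json | grep -q '"oidc/"' || vault auth enable oidc

  # oidc_discovery_url is the issuer; Vault appends the well-known suffix itself.
  vault write auth/oidc/config \
    oidc_discovery_url="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" \
    oidc_client_id="$VAULT_OIDC_CLIENT_ID" \
    oidc_client_secret="$VAULT_OIDC_CLIENT_SECRET" \
    default_role="admin"

  # Role body is passed as JSON on stdin ("-") because bound_claims is a map.
  admin_role_json "$ADMIN_GROUP" "$VAULT_OIDC_CLIENT_ID" "$VAULT_PUBLIC_URL" \
    | vault write auth/oidc/role/admin -
}

# Run only when explicitly requested, so sourcing the file has no side effects.
if [ "${VAULT_SSO_APPLY:-0}" = "1" ]; then
  enable_vault_oidc
fi
```

Run with `VAULT_SSO_APPLY=1 VAULT_OIDC_CLIENT_SECRET=... ./enable-vault-oidc.sh` after the Keycloak client exists; the wait loop is what the operator-based approach in this MR replaces with a reconciliation trigger.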
