Hey everyone,
I am looking for some help with configuring Keycloak to use mTLS with certificates issued by Spire (SPIFFE | Documentation).
First some context:
- We run Keycloak with three instances deployed inside a GKE cluster. The admin console is exposed to the public and every admin account in the master realm is protected with 2FA.
- We are now making use of keycloak-config-cli to manage our realm configurations, which led to the question of how to authenticate the client, since 2FA is required for all master realm admins.
What we did so far:
It was pretty straightforward to configure mTLS on the Keycloak side and then add a proxy on the keycloak-config-cli side. However, we don't like the setup too much because of its many moving parts.
Question:
We also use Spire in our cluster for service-to-service authentication. Our proxy component (keycloak-config-cli side) integrates with it easily, but we are not sure how to integrate it with Keycloak, and I was hoping somebody here has some experience with it?
There is an obvious solution of using an init container to fetch and mount the certificates using the Spire API. It is not a solution we like, though, because Spire rotates certificates, and in this case we would need to restart Keycloak on every rotation.
Perhaps the question drills down to: Can I hot-reload the truststore in Keycloak?
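Whatever reload mechanism ends up being used, the first operational question the post raises is how to know that the mounted trust bundle has actually rotated, since Spire rewrites the bundle file and the CA set in it changes over time. The following is an added example, not code from the post or from the Keycloak or SPIRE projects: a small standard-library Python helper that diffs two versions of a PEM trust bundle by certificate fingerprint, so a sidecar or cron job can tell whether a Keycloak truststore reload (or restart) is due. It assumes the SPIRE agent writes the bundle as a PEM file (a name like `bundle.0.pem` is an assumption), and the sample bundles below are constructed placeholder bytes, not real certificates.

```python
"""Detect rotation of a SPIRE-written trust bundle by diffing its CA certificates.

Added example, not from the original post. Assumes SPIRE writes the trust bundle
as a PEM file (the file name bundle.0.pem is an assumption). Only the standard
library is used, so certificates are not parsed beyond their DER bytes: a CA is
identified by the SHA-256 fingerprint of its DER encoding, which is all a
reload decision needs.
"""
import base64
import hashlib
import re

# Matches each certificate block in a PEM bundle, capturing its base64 body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint of one DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def bundle_fingerprints(pem_text):
    """Set of fingerprints for every certificate in a PEM bundle string."""
    fps = set()
    for body in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(fingerprint_der(der))
    return fps


def bundle_diff(old_pem, new_pem):
    """Compare two bundle versions; 'rotated' is True when the CA set differs."""
    old, new = bundle_fingerprints(old_pem), bundle_fingerprints(new_pem)
    return {
        "rotated": old != new,
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def bundle_file_changed(path, last_seen):
    """Read the bundle on disk; return (changed, fingerprints) relative to last_seen."""
    with open(path, "r", encoding="utf-8") as fh:
        current = bundle_fingerprints(fh.read())
    return current != last_seen, current


def _pem(der_bytes):
    """Wrap arbitrary bytes as one PEM certificate block (for constructed samples)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: the bodies are placeholder bytes, not real certificates.
SAMPLE_CA_1 = b"constructed placeholder: spire ca 1"
SAMPLE_CA_2 = b"constructed placeholder: spire ca 2"
SAMPLE_CA_3 = b"constructed placeholder: spire ca 3"
BUNDLE_BEFORE = _pem(SAMPLE_CA_1) + _pem(SAMPLE_CA_2)
BUNDLE_AFTER = _pem(SAMPLE_CA_2) + _pem(SAMPLE_CA_3)  # CA 1 retired, CA 3 introduced

if __name__ == "__main__":
    result = bundle_diff(BUNDLE_BEFORE, BUNDLE_AFTER)
    print("rotated:", result["rotated"])
    print("added:  ", result["added"])
    print("removed:", result["removed"])
```

A sidecar would call `bundle_file_changed` on a timer and keep the returned fingerprint set as `last_seen`; only when `changed` is True does it need to act, which keeps whatever reload or restart step follows from running on every poll. Diffing by fingerprint rather than by file mtime also avoids false positives when SPIRE rewrites an identical bundle.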