loxley/pkcli
pkcli

What is pkcli?

pkcli is a tool written in Rust that helps secure the private keys contained in exported Keycloak realms when you deploy those realms with Argo CD, the Argo CD Vault Plugin (AVP) and HashiCorp Vault. A `kc.sh` realm export contains the realm's signing keys in clear text; pkcli moves them out of the file and into Vault so the realm definition can be committed to Git. It can:

  • replace each exported `privateKey` with an argocd-vault-plugin inline path that points at the matching secret in Vault
  • convert the exported data into a `KeycloakRealmImport` custom resource ready for import
  • save the extracted private keys to Vault for AVP to resolve at sync time (Vault is the only secret manager supported for the time being)

Why?

Because I wanted an excuse to learn a bit of Rust and I had a use case for it.

And I finally got an excuse to generate a fancy GitHub picture. ☝️

Usage

By default (that is, without the `update-avp` or `update-vault` subcommand) the following steps are performed:

  1. Read the Keycloak export and replace every `privateKey` with an Argo CD Vault Plugin inline path pointing to a secret in Vault. The generated AVP path looks like `<path:secret/data/some/path/cluster#id>`.
  2. Write the result as a `KeycloakRealmImport` custom resource in YAML, named after the export, so it can be applied to the cluster directly.
  3. Create, append to or update the secret in Vault as needed. The Vault KV v2 API path is `/v1/secret/data/some/path/cluster` and the field (key) name inside that secret is the `id`.

Here `id` is the `id` of the relevant key provider entry in the export's `components.org.keycloak.keys.KeyProvider` array, so each key provider gets its own field in one Vault secret per cluster.
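To make the three steps concrete, here is an added example that walks the same mapping offline: it is not pkcli's code, and it uses no network. It takes a constructed, trimmed realm export (fake key material), rewrites each `privateKey` into the AVP placeholder, wraps the realm in a `KeycloakRealmImport` CR, and builds the KV v2 API path and body that step 3 would send. The Vault mount name `secret`, the `k8s.keycloak.org/v2alpha1` CR fields and the function names are assumptions; it also goes slightly beyond the tool by reporting the `secret` field of hmac-/aes-generated providers, which a privateKey-only pass leaves in the clear.

```python
"""Added example (not pkcli's own code): privateKey -> AVP placeholder -> Vault KV v2 mapping."""
import copy
import json
from typing import Optional

VAULT_MOUNT = "secret"  # KV v2 mount; assumption matching the README's example paths
KEY_PROVIDERS = "org.keycloak.keys.KeyProvider"

# Constructed sample export: the shape follows kc.sh realm exports, the key material is fake.
SAMPLE_EXPORT = {
    "id": "demo",
    "realm": "demo",
    "components": {
        KEY_PROVIDERS: [
            {
                "id": "3f1c2b7e-0001-rsa",
                "name": "rsa-generated",
                "providerId": "rsa-generated",
                "subComponents": {},
                "config": {
                    "privateKey": ["-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----"],
                    "certificate": ["MIICconstructed"],
                    "priority": ["100"],
                },
            },
            {
                "id": "9a8b7c6d-0002-hmac",
                "name": "hmac-generated",
                "providerId": "hmac-generated",
                "subComponents": {},
                "config": {"secret": ["constructed-hmac-secret"], "priority": ["100"]},
            },
        ]
    },
}


def kv_path(base_path: str, cluster: str) -> str:
    """Logical KV v2 path shared by the AVP placeholder and the Vault API URL."""
    return f"{base_path.strip('/')}/{cluster}"


def avp_placeholder(base_path: str, cluster: str, key_id: str) -> str:
    """AVP inline path <path:MOUNT/data/some/path/cluster#id>; the field name is the provider id."""
    return f"<path:{VAULT_MOUNT}/data/{kv_path(base_path, cluster)}#{key_id}>"


def extract_private_keys(export: dict, base_path: str, cluster: str) -> tuple:
    """Return (rewritten export, {provider_id: pem}); the input dict is left untouched."""
    realm = copy.deepcopy(export)
    secrets = {}
    for provider in realm.get("components", {}).get(KEY_PROVIDERS, []):
        cfg = provider.setdefault("config", {})
        pems = cfg.get("privateKey")
        if not pems:  # hmac/aes providers have no privateKey, only a `secret`
            continue
        key_id = provider["id"]
        secrets[key_id] = pems[0]  # Keycloak stores config values as single-element lists
        cfg["privateKey"] = [avp_placeholder(base_path, cluster, key_id)]
    return realm, secrets


def leftover_secrets(realm: dict) -> list:
    """Pre-commit check: (provider id, field) pairs still holding raw material instead of an AVP path.
    Also reports the `secret` of hmac-/aes-generated providers, which the privateKey pass does not touch."""
    found = []
    for provider in realm.get("components", {}).get(KEY_PROVIDERS, []):
        for field in ("privateKey", "secret"):
            for value in provider.get("config", {}).get(field, []):
                if not value.startswith("<path:"):
                    found.append((provider["id"], field))
    return found


def realm_import_cr(realm: dict, name: str, keycloak_cr_name: str) -> dict:
    """KeycloakRealmImport (k8s.keycloak.org/v2alpha1, assumed) wrapping the rewritten realm.
    json.dumps(cr) is valid YAML, so no YAML library is needed to write it out."""
    return {
        "apiVersion": "k8s.keycloak.org/v2alpha1",
        "kind": "KeycloakRealmImport",
        "metadata": {"name": name},
        "spec": {"keycloakCRName": keycloak_cr_name, "realm": realm},
    }


def vault_kv2_write(base_path: str, cluster: str, secrets: dict, existing: Optional[dict] = None) -> tuple:
    """API path and JSON body for writing the keys to KV v2. A KV v2 write replaces the whole
    `data` map, so pass the current data (from a GET on the same path) to append instead of clobber."""
    merged = {**(existing or {}), **secrets}
    return f"/v1/{VAULT_MOUNT}/data/{kv_path(base_path, cluster)}", {"data": merged}


if __name__ == "__main__":
    rewritten, keys = extract_private_keys(SAMPLE_EXPORT, "some/path", "prod")
    print(json.dumps(realm_import_cr(rewritten, "demo", "keycloak"), indent=2))
    print(*vault_kv2_write("some/path", "prod", keys, existing={"other-id": "kept"}))
    print("leftover:", leftover_secrets(rewritten))
```

Two points worth keeping in mind from the example: the `leftover_secrets` check is the thing to run before the CR goes into Git, because the hmac/aes `secret` values stay in clear text after the privateKey pass; and the Vault write must read and merge the existing `data` first, since a KV v2 write creates a new version containing only the fields you send.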

Examples:

```sh
# Read Keycloak data exported with `kc.sh`, write AVP paths and update Vault (the default)
./pkcli -f exported_keycloak_data.json -c <CLUSTER>

# Read exported Keycloak data, only rewrite `privateKey` values with argocd-vault-plugin paths
./pkcli -f exported_keycloak_data.json -c <CLUSTER> update-avp

# Read exported Keycloak data, only update Vault with the secrets (no YAML written)
./pkcli -f exported_keycloak_data.json -c <CLUSTER> update-vault

# Read from stdin and redirect stdout to a file
cat exported_keycloak_data.json | ./pkcli -f- -c <CLUSTER> -k <KEYCLOAK-CR-NAME> > realm.yaml

# Read Keycloak data exports from a directory
./pkcli -d exported_keycloak_data -c <CLUSTER>
```

Todo

  • Add arg for output directory
  • Add concurrency (yeye, overkill but I want to learn it)
  • Authenticate with Vault AppRole
  • Support other Secret Managers (on GCP, Azure, AWS etc.)
  • Run the actual `kc.sh` export script in a Kubernetes pod and grab the realm data

License

This project is licensed under the Beerware License. If you like it, feel free to buy me a beer if we ever meet!
