set auto-mount service account token to false in keycloak pods #40605


Open
wants to merge 4 commits into base: main

Conversation

KyriosGN0
Contributor

fixes #38843

Signed-off-by: AvivGuiser <avivguiser@gmail.com>
@KyriosGN0
Contributor Author

Pretty sure the testNoAutoMountServiceAccount passed locally; just to be extra sure, I will re-run it locally tomorrow.

@ahus1
Contributor

ahus1 commented Jun 19, 2025

For the Keycloak Multi-Site setup, IMHO we assume that the CA used in OpenShift is imported automatically so we can communicate with Infinispan securely.

Looping in @ryanemerson / @pruivo to ensure that the docs are updated for that.

Signed-off-by: AvivGuiser <avivguiser@gmail.com>
Signed-off-by: AvivGuiser <avivguiser@gmail.com>
@pruivo
Contributor

pruivo commented Jun 20, 2025

For multi-site HA, Infinispan requires /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
Documentation

@ahus1
Contributor

ahus1 commented Jun 20, 2025

@pruivo - in addition to that, when Keycloak talks to Infinispan in that setup, it uses TLS. And to verify the Infinispan certificate, it needs to know about the CA. I remember there was some kind of mechanism.

Maybe @shawkins can refresh my memory here how Keycloak picks up that CA?

@pruivo
Contributor

pruivo commented Jun 20, 2025

@ahus1 The operator automatically adds the certificate to the truststore:

// include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(truststores).build());

@ahus1
Contributor

ahus1 commented Jun 20, 2025

@pruivo, thank you, I was looking for that code snippet but didn't find it. So this option would be required in the Keycloak HA setup as described in https://www.keycloak.org/high-availability/deploy-keycloak-kubernetes

So if this is merged for the 26.3 release and we decide to update the docs in a follow-up issue, that follow-up issue should be a blocker for the 26.3 release.

@pruivo
Contributor

pruivo commented Jun 20, 2025

@ahus1 How so? This PR is disabling the service account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token), and I don't find any relation to the service certificates in the Kubernetes docs.

@ahus1
Contributor

ahus1 commented Jun 20, 2025

@pruivo - OK, then I was just worried without a reason. Then proceed here, and our tests in the cluster will show if it breaks. Sorry for the noise!

@pruivo
Contributor

pruivo commented Jun 20, 2025

This is the only doc I found: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting
If something breaks after this PR is merged, we will know the culprit 🤣

@vmuzikar
Contributor

> I don't find any relation to the service certificates in the Kubernetes docs

Based on #38843 (comment) it would appear that the CA cert is also not mounted when automountServiceAccountToken: false.

@KyriosGN0
Contributor Author

> @ahus1 How so? This PR is disabling the service account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token), and I don't find any relation to the service certificates in the Kubernetes docs.

The /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (and that entire directory) is controlled by that flag. Should I add a clarification in some doc page that this option has to be true for multi-site setup in k8s?
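A check for exactly this situation, added here as an example (not Keycloak or operator code): it resolves automountServiceAccountToken the way Kubernetes does (the pod field overrides the ServiceAccount's, and both default to true) and flags a pod whose KC_TRUSTSTORE_PATHS still points into the serviceaccount directory, which is not mounted when automounting is off. The pod and ServiceAccount objects and the truststore value are constructed for the example.

```python
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
KC_TRUSTSTORE_PATHS = "KC_TRUSTSTORE_PATHS"  # env var the operator sets (see snippet above)


def effective_automount(pod: dict, sa: dict) -> bool:
    """Kubernetes precedence: pod.spec.automountServiceAccountToken wins over the
    ServiceAccount's field; if neither is set the token volume is mounted."""
    pod_val = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_val is not None:
        return bool(pod_val)
    sa_val = sa.get("automountServiceAccountToken")
    return True if sa_val is None else bool(sa_val)


def truststore_paths(pod: dict) -> list:
    """Collect every path listed in KC_TRUSTSTORE_PATHS across the pod's containers."""
    paths = []
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == KC_TRUSTSTORE_PATHS and env.get("value"):
                paths.extend(p.strip() for p in env["value"].split(","))
    return paths


def audit(pod: dict, sa: dict) -> dict:
    """Flag a pod whose truststore points into SA_DIR while that directory is not mounted."""
    automount = effective_automount(pod, sa)
    sa_dir_paths = [p for p in truststore_paths(pod) if p.startswith(SA_DIR + "/")]
    return {
        "automount": automount,
        "truststore_in_sa_dir": sa_dir_paths,
        "truststore_unreadable": (not automount) and bool(sa_dir_paths),
    }


# Constructed sample objects; the truststore value mirrors what the operator snippet
# above describes (kube CA appended to KC_TRUSTSTORE_PATHS) and is an assumption.
SA = {"metadata": {"name": "keycloak"}}  # automountServiceAccountToken unset -> true
KC_ENV = [{"name": KC_TRUSTSTORE_PATHS, "value": SA_DIR + "/ca.crt"}]
POD_HARDENED = {"spec": {"automountServiceAccountToken": False,
                         "containers": [{"name": "keycloak", "env": KC_ENV}]}}
POD_MULTISITE = {"spec": {"automountServiceAccountToken": True,
                          "containers": [{"name": "keycloak", "env": KC_ENV}]}}

if __name__ == "__main__":
    for name, pod in (("hardened", POD_HARDENED), ("multi-site", POD_MULTISITE)):
        print(name, audit(pod, SA))
```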

@vmuzikar
Contributor

> Should I add a clarification in some doc page that this option has to be true for multi-site setup in k8s?

+1

Signed-off-by: AvivGuiser <avivguiser@gmail.com>
@KyriosGN0
Contributor Author

Added automountServiceAccountToken: true to the example Keycloak used in this doc.

@KyriosGN0
Contributor Author

Hey @vmuzikar would it be possible to get someone to take a look here?

Thanks in advance!

Successfully merging this pull request may close these issues.

Set automountServiceAccountToken: false on Keycloak pods