github.com/doodlescheduling/k8skeycloak-controller
Keycloak realm declaration for kubernetes. Compared to the keycloak-operator this controller actually reconciles the entire realm throughout all depths. The keycloak-operator basically only creates the realm and syncs top level changes only.
This controller supports KeycloakRealm, KeycloakClient and KeycloakUser. However by design it does not actually deploy keycloak, it only manages one or multiple keycloakrealms. This controller runs great in combination with the official keycloak operator which deploys keycloak while this controller can manage the realm.
Under the hood the controller is a wrapper around the awesome keycloak-config-cli which implements the entire realm update using the Keycloak REST API.
You need a running keycloak server. This controllers does not manage or deploy keycloak itself but rather manages realms. Also it is required to create a secret which contains the credentials for a user with enough permissions to create/manage realms.
Example:
apiVersion: v1
data:
password: YWRtaW4=
username: YWRtaW4=
kind: Secret
metadata:
name: keycloak-admin
The realm is the entire representation of the realm and is synced accordingly.
It supports secrets substition to inject secrets from kubernetes secrets.
You can use ${secret:secretName:secretField} anywhere in the realm definition.
This would create a realm called default if it does not exists. If it exists it would try to update it according to the specs.
apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakRealm
metadata:
name: default
spec:
address: http://keycloak-http.keycloak/auth
authSecret:
name: keycloak-admin
passwordField: password
userField: username
interval: 10m
suspend: false
realm:
realm: test
accessCodeLifespan: 60
accessCodeLifespanLogin: 1800
accessCodeLifespanUserAction: 300
accessTokenLifespan: 300
accessTokenLifespanForImplicitFlow: 900
accountTheme: test
actionTokenGeneratedByAdminLifespan: 43200
actionTokenGeneratedByUserLifespan: 300
adminEventsDetailsEnabled: true
adminEventsEnabled: true
directGrantFlow: direct grant
displayName: Test
dockerAuthenticationFlow: docker auth
duplicateEmailsAllowed: false
editUsernameAllowed: false
enabled: true
eventsEnabled: true
eventsExpiration: 1209600
loginTheme: foo
verifyEmail: true
waitIncrementSeconds: 60
webAuthnPolicyAcceptableAaguids: []
webAuthnPolicyAttestationConveyancePreference: not specified
webAuthnPolicyAuthenticatorAttachment: not specified
webAuthnPolicyAvoidSameAuthenticatorRegister: false
webAuthnPolicyCreateTimeout: 0
webAuthnPolicyPasswordlessAcceptableAaguids: []
webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified
webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified
webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false
webAuthnPolicyPasswordlessCreateTimeout: 0
webAuthnPolicyPasswordlessRequireResidentKey: not specified
webAuthnPolicyPasswordlessRpId: ""
webAuthnPolicyPasswordlessSignatureAlgorithms:
- ES256
webAuthnPolicyPasswordlessUserVerificationRequirement: not specified
webAuthnPolicyRequireResidentKey: not specified
webAuthnPolicyRpId: ""
webAuthnPolicySignatureAlgorithms:
- ES256
webAuthnPolicyUserVerificationRequirement: not specified
version: 18.0.2
Please see chart/k8skeycloak-controller for the helm chart docs.
Alternatively you may get the bundled manifests in each release to deploy it using kustomize or use them directly.
The controller is configured by arguments. For all possible arguments you may access the help using -h.
The controller tries to reconcile the realm in the specified interval (if specified) or if there is any spec change.
The reconciliation can be paused by setting spec.suspend to true:
kubectl patch keycloakrealms.keycloak.infra.doodle.com myrealm -p '{"spec":{"suspend": true}}' --type=merge
This can be very useful if one wants to change and test some settings using the keycloak web ui where the controller should not interfere.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.