The keycloakclient-controller manages keycloak clients in independent keycloak installations.
A basic configuration for the keycloakclient-controller consists of:
- a keycloak-cr with the URL of the Keycloak in which clients should be managed
- a keycloakrealm-cr with the name of the realm in which clients should be managed (and a selector for the keycloak-cr of this realm)
- a keycloakclient-cr with the client-specific settings (of which there are quite a few) and a selector for the realm of this client
- for each keycloak-cr, a secret "credential-<keycloak-cr.name>" that contains the following data:
  - ADMIN_PASSWORD: if the controller logs in via admin-console and grant_type password, not recommended
  - ADMIN_USERNAME:
  - KEYCLOAKCLIENT_CONTROLLER_NAME: if the controller logs in via a special service account and grant_type client_credentials, recommended
  - KEYCLOAKCLIENT_CONTROLLER_PASSWORD:
- an optional secret credential-keycloak-client-secret-seed in the namespace of the controller:
  - SECRET_SEED: if the secret for each client should be created via a sha code of (secret-seed + client-name). This is sometimes necessary if a controller should be running in two separate k8s clusters.
- optional defaultClientScopes for public KeycloakClients. For KeycloakClients, the defaultClientScopes are usually configured in the KeycloakClient CustomResource. If a certain defaultClientScope is needed in every KeycloakClient, e.g. the scopes "Nonce" and "basic" for all public KeycloakClients after the Keycloak 25 update, this can be configured with the environment variable ADDITIONAL_DEFAULT_CLIENT_SCOPES, in this case with the value "Nonce,basic" (without changing all the KeycloakClient CustomResources).
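An added example (not the controller's own code) of how the two credential sets in the credential-<keycloak-cr.name> secret map onto OAuth2 token requests, and why a half-filled pair should be rejected rather than silently falling back to the admin password. The helper TokenRequestForm, the precedence of the service account, the admin-cli client id and the mapping of the NAME/PASSWORD keys to client_id/client_secret are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// TokenRequestForm builds the body of an OAuth2 token request from the data of
// a credential-<keycloak-cr.name> secret. Hypothetical helper: the precedence
// and the rejection of half-filled pairs are this example's policy.
func TokenRequestForm(data map[string][]byte) (url.Values, error) {
	svcName := string(data["KEYCLOAKCLIENT_CONTROLLER_NAME"])
	svcPass := string(data["KEYCLOAKCLIENT_CONTROLLER_PASSWORD"])
	user := string(data["ADMIN_USERNAME"])
	pass := string(data["ADMIN_PASSWORD"])

	// A pair with only one half set is a misconfiguration, not a fallback case.
	if (svcName == "") != (svcPass == "") || (user == "") != (pass == "") {
		return nil, fmt.Errorf("credential secret has an incomplete key pair")
	}
	switch {
	case svcName != "": // recommended: service account, client_credentials
		return url.Values{
			"grant_type":    {"client_credentials"},
			"client_id":     {svcName}, // assumed mapping of NAME to client_id
			"client_secret": {svcPass}, // assumed mapping of PASSWORD to client_secret
		}, nil
	case user != "": // not recommended: admin user, password grant
		return url.Values{
			"grant_type": {"password"},
			"client_id":  {"admin-cli"}, // assumed: Keycloak's built-in admin-cli client
			"username":   {user},
			"password":   {pass},
		}, nil
	}
	return nil, fmt.Errorf("credential secret holds no usable credentials")
}

func main() {
	// Constructed sample data; real values come from the Kubernetes secret.
	form, err := TokenRequestForm(map[string][]byte{
		"KEYCLOAKCLIENT_CONTROLLER_NAME":     []byte("keycloakclient-controller"),
		"KEYCLOAKCLIENT_CONTROLLER_PASSWORD": []byte("constructed-sample-secret"),
	})
	fmt.Println(form.Get("grant_type"), err)
}
```

With the service account in place, the ADMIN_* keys can be left out of the secret entirely, so the controller never holds an admin user's password.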
To create a KeycloakClient in a Keycloak installation, a KeycloakClient CustomResource is created, and the keycloakclient-controller takes care of creating, changing and deleting the KeycloakClient as specified by the CustomResource (and the referenced keycloakrealm-cr and keycloak-cr).
This Operator originates from the Legacy Keycloak Operator. If you are looking for the official KeycloakOperator from RedHat, please look into the KeycloakOperator.
The Operator is opinionated in that it expects Keycloak and the KeycloakRealm to be already set up (e.g. with one of the available Helm Charts), so it only has to handle the KeycloakClients for a Keycloak installation and a specific realm.
This fits our need as we set up Keycloak and the realm with Helm, and we have a lot of microservices that require their own KeycloakClient. The Microservices are deployed via Helm, so it is easy to simply deploy a KeycloakClient Resource together with the other artefacts of the Microservice and let the Operator handle the creation of the KeycloakClient in Keycloak.
You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster.
Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info shows).
- Install Instances of Custom Resources:
  make install
- Build and push your image to the location specified by IMG:
  make docker-build docker-push IMG=<some-registry>/keycloakclient-controller:tag
- Deploy the controller to the cluster with the image specified by IMG:
  make deploy IMG=<some-registry>/keycloakclient-controller:tag
To delete the CRDs from the cluster:
make uninstall
Undeploy the controller from the cluster:
make undeploy
This project aims to follow the Kubernetes Operator pattern.
It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
- Install the CRDs into the cluster:
  make install
- Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
  make run
NOTE: You can also run this in one step by running: make install run
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help for more information on all potential make targets
More information can be found via the Kubebuilder Documentation
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.