Skip to content

Kubernetes Operator to sync Keycloak attributes to Openshift user objects.

License

Notifications You must be signed in to change notification settings

appuio/keycloak-attribute-sync-controller

Repository files navigation

keycloak-attribute-sync-controller

Kubernetes Operator to sync Keycloak attributes to Openshift user objects.

Installation

The controller can be installed using kubectl.

kubectl apply -k config/default

Usage

User Attributes stored within Keycloak can be synchronized into OpenShift. The following table describes the set of configuration options for the sync:

Name Description Defaults Required
caSecret Reference to a secret containing a SSL certificate to use for communication. The CA must have the key ca.crt. No
credentialsSecret Reference to a secret containing authentication details (See below) Yes
loginRealm Realm to authenticate against master No
realm Realm to synchronize Yes
attribute The attribute to sync to the user object Yes
targetAnnotation The annotation to sync the attribute to No
targetLabel The label to sync the attribute to No

The following is an example of a minimal configuration that can be applied to integrate with a Keycloak provider:

apiVersion: v1
kind: Secret
metadata:
  name: keycloack-read-users-secrets
type: Opaque
data:
  username: ...
  password: ...
---
apiVersion: keycloak.appuio.io/v1alpha1
kind: AttributeSync
metadata:
  name: sync-special-attribute
spec:
  url: https://keycloak.example.com/
  realm: example
  loginRealm: master
  credentialsSecret:
    name: keycloack-read-users-secrets
    namespace: ...
  attribute: example.com/special-attribute
  targetAnnotation: example.com/special-attribute
  schedule: "@every 5m"

Authenticating to Keycloak

A user with permissions to query for Keycloak groups must be available. The following permissions must be associated to the user:

  • Password must be set (Temporary option unselected) on the Credentials tab
  • On the Role Mappings tab, select master-realm or realm-management next to the Client Roles dropdown and then select query-users and view-users.

A secret must be created in the same namespace that contains the AttributeSync resource. It must contain the following keys for the user previously created:

  • username - Username for authenticating with Keycloak
  • password - Password for authenticating with Keycloak

The secret can be created by executing the following command:

oc create secret generic keycloak-attribute-sync --from-literal=username=<username> --from-literal=password=<password>

Scheduled Execution

A cron style expression can be specified for which a synchronization event will occur. The following specifies that a synchronization should occur nightly at 3AM

apiVersion: keycloak.appuio.io/v1alpha1
kind: AttributeSync
metadata:
  name: sync-default-org
spec:
  schedule: "0 3 * * *"

If a schedule is not provided, synchronization will occur only when the object is reconciled by the platform.

Limitations

  • Only the first Keycloak attribute under the given key is used.
  • The key to look up the OCP user object is the Keycloak field Username. This is currently hardcoded.