add examples

examples/clients.yaml

@@ -62,3 +62,50 @@ spec:
     validRedirectUris:
       - "myapp://callback"  # Replace with your mobile app's custom URI scheme
 
+---
+# Example 5: Client for ArgoCD Application
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+  name: argocd
+spec:
+  forProvider:
+    name: argocd
+    clientId: argocd
+    accessType: CONFIDENTIAL
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: true
+    rootUrl: "https://argocd.example.com"
+    adminUrl: "https://argocd.example.com"
+    webOrigins: 
+      - https://argocd.example.com
+    validRedirectUris:
+      - https://argocd.example.com/auth/callback
+    validPostLogoutRedirectUris:
+      - https://argocd.example.com
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+
+---
+# Example 6: Client for Kubernetes Application
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+  name: kubernetes
+spec:
+  forProvider:
+    name: kubernetes
+    clientId: kubernetes
+    accessType: CONFIDENTIAL
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: true
+    serviceAccountsEnabled: true
+    authorization:
+      - policyEnforcementMode: ENFORCING
+    validRedirectUris:
+      - http://localhost:18000
+      - http://localhost:8000
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config

examples/groupmappers.yaml

@@ -0,0 +1,54 @@
+# Example 1: User Federation Group Mapper
+# This example fetches an LDAP group from an OpenLDAP server into Keycloak.
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: GroupMapper
+metadata:
+  name: admin-group
+spec:
+  forProvider:
+    name: "amsterdam"
+    ldapGroupsDn: "ou=groups,dc=example,dc=local"
+    groupNameLdapAttribute: "cn"
+    groupObjectClasses: ["groupOfNames"]
+    groupsPath: "LDAP-ADMIN"
+    membershipLdapAttribute: "member"
+    membershipAttributeType: "DN"
+    membershipUserLdapAttribute: "memberOf"
+    groupsLdapFilter: "(&(objectClass=groupOfNames)(cn=amsterdam))"
+    mode: "READ_ONLY"
+    userRolesRetrieveStrategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
+    preserveGroupInheritance: false
+    memberofLdapAttribute: "memberOf"
+    ldapUserFederationIdRef:
+      name: example
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+
+---
+# Example 2: User Federation Group Mapper
+# This example fetches an LDAP group from an Active Directory server into Keycloak.
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: GroupMapper
+metadata:
+  name: admin-group
+spec:
+  forProvider:
+    name: "amsterdam"
+    ldapGroupsDn: "ou=groups,dc=example,dc=local"
+    groupNameLdapAttribute: "cn"
+    groupObjectClasses: ["group"]
+    groupsPath: "LDAP-ADMIN"
+    membershipLdapAttribute: "member"
+    membershipAttributeType: "DN"
+    membershipUserLdapAttribute: "sAMAccountName"
+    groupsLdapFilter: "(&(objectClass=group)(cn=amsterdam))"
+    mode: "READ_ONLY"
+    userRolesRetrieveStrategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
+    preserveGroupInheritance: false
+    memberofLdapAttribute: "memberOf"
+    ldapUserFederationIdRef:
+      name: example
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config

examples/hardcodedrolemapper.yaml

@@ -0,0 +1,15 @@
+# Example 1: To map a Client Role to all LDAP users
+# This example maps a Client Role named k8s-admin from the Kubernetes client to all LDAP users.
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: HardcodedRoleMapper
+metadata:
+  name: default-kubernetes-role
+spec:
+  forProvider:
+    name: "default-kubernetes-role"
+    role: kubernetes.k8s-admin  # Client.<Role name>
+    ldapUserFederationIdRef:
+      name: my-realm
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config

examples/protocol-mappers.yaml

@@ -136,4 +136,52 @@ spec:
       "attribute.name": "x509subject"
       "attribute.nameformat": "Basic"
   providerConfigRef:
-    name: keycloak-provider-config
+    name: keycloak-provider-config
+
+---
+# Example 7: User Client Role Mapper
+# This example uses the User Client Role mapper to include roles as claims.
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+  name: kubernetes-roles
+spec:
+  forProvider:
+    clientIdRef: 
+      name: kubernetes
+    config:
+      usermodel.clientRoleMapping.clientId: kubernetes
+      access.token.claim: "true"
+      claim.name: roles
+      id.token.claim: "true"
+      multivalued: "true"
+    name: roles
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-client-role-mapper
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+
+---
+# Example 8: User Attribute
+# This example uses the User Attribute mapper to include roles as claims.
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+  name: kubernetes-name
+spec:
+  forProvider:
+    clientIdRef: 
+      name: kubernetes
+    config:
+      access.token.claim: "true"
+      claim.name: name
+      id.token.claim: "true"
+      user.attribute: name
+    name: name
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+

examples/roles.yaml

@@ -62,3 +62,34 @@ spec:
   providerConfigRef:
     name: "keycloak-provider-config"
 
+---
+# Example 5: Roles with Group
+# This example map multiple Client Roles to an internal Group
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Roles
+metadata:
+  name: ldap-admin-role-mapper
+spec:
+  forProvider:
+    groupIdRef: 
+      name: ldap-admin
+    roleIdsRefs:
+      - name: k8s-admin
+      - name: argocd-admin
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+
+---
+# Example 65: Roles with Group
+# This example creates a Realm Role
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+  name: k8s-realm-role
+spec:
+  forProvider:
+    name: k8s-role
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config

examples/userattributemapper.yaml

@@ -0,0 +1,17 @@
+# Example 1: to add User Attribute Mapper in User Federation
+# This example creates a new firstname mapper to use givenName as the LDAP attribute.
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: UserAttributeMapper
+metadata:
+  name: firstname
+spec:
+  forProvider:
+    name: "firstname"
+    userModelAttribute: "firstName"
+    ldapAttribute: "givenName"
+    alwaysReadValueFromLdap: true
+    ldapUserFederationIdRef:
+      name: my-realm
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config

examples/userfederation.yaml

@@ -0,0 +1,63 @@
+# Example 1: User Federation to integrate LDAP with Keycloak
+# This example integrates OpenLDAP with Keycloak..
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: UserFederation
+metadata:
+  name: my-realm
+spec:
+  forProvider:
+    name: "example"
+    connectionUrl: "ldap://10.0.1.8:389"
+    startTls: false
+    bindDn: "cn=admin,dc=example,dc=local"
+    bindCredentialSecretRef:
+      key: "password"
+      name: "ldap-password"
+      namespace: "crossplane-system"
+    editMode: "UNSYNCED"
+    usersDn: "ou=users,dc=example,dc=local"
+    usernameLdapAttribute: "uid"
+    rdnLdapAttribute: "uid"
+    uuidLdapAttribute: "entryUUID"
+    userObjectClasses: ["inetOrgPerson", "shadowAccount"]
+    searchScope: "SUBTREE"
+    importEnabled: true
+    batchSizeForSync: 100
+    changedSyncPeriod: 604800
+    trustEmail: true
+    validatePasswordPolicy: false
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config
+
+# Example 2: User Federation to integrate LDAP with Keycloak
+# This example integrates Active Directory with Keycloak.
+apiVersion: ldap.keycloak.crossplane.io/v1alpha1
+kind: UserFederation
+metadata:
+  name: my-realm
+spec:
+  forProvider:
+    name: "example"
+    connectionUrl: "ldap://10.0.1.8:389"
+    startTls: false
+    bindDn: "cn=admin,dc=example,dc=local"
+    bindCredentialSecretRef:
+      key: "password"
+      name: "ldap-password"
+      namespace: "crossplane-system"
+    editMode: "UNSYNCED"
+    usersDn: "ou=users,dc=example,dc=local"
+    usernameLdapAttribute: "sAMAccountName"
+    rdnLdapAttribute: "cn"
+    uuidLdapAttribute: "sAMAccountName"
+    userObjectClasses: ["person", "organizationalPerson","user"]
+    searchScope: "SUBTREE"
+    importEnabled: true
+    batchSizeForSync: 100
+    changedSyncPeriod: 604800
+    trustEmail: true
+    validatePasswordPolicy: false
+    realmId: my-realm
+  providerConfigRef:
+    name: keycloak-provider-config