Add Readme, more consistent CRD keys
Showing 3 changed files with 87 additions and 4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,86 @@ | ||
# keycloak-attribute-sync-controller | ||
|
||
Kubernetes Operator to sync Keycloak attributes to Openshift user objects. | ||
|
||
## Installation | ||
|
||
The controller can be installed using `kubectl`. | ||
|
||
```shell | ||
kubectl apply -k config/default | ||
``` | ||
|
||
## Usage | ||
|
||
User Attributes stored within Keycloak can be synchronized into OpenShift. The following table describes the set of configuration options for the sync: | ||
|
||
| Name | Description | Defaults | Required | | ||
| ------------------- | --------------------------------------------------------------------------------------- | -------- | -------- | | ||
| `caSecret` | Reference to a secret containing a SSL certificate to use for communication (See below) | | No | | ||
| `credentialsSecret` | Reference to a secret containing authentication details (See below) | | Yes | | ||
| `insecure` | Ignore SSL verification | `false` | No | | ||
| `loginRealm` | Realm to authenticate against | `master` | No | | ||
| `realm` | Realm to synchronize | | Yes | | ||
| `attribute` | The attribute to sync to the user object | | Yes | | ||
| `targetAnnotation` | The annotation to sync the attribute to | | No | | ||
| `targetLabel` | The label to sync the attribute to | | No | | ||
|
||
The following is an example of a minimal configuration that can be applied to integrate with a Keycloak provider: | ||
|
||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: keycloack-read-users-secrets | ||
type: Opaque | ||
data: | ||
username: ... | ||
password: ... | ||
--- | ||
apiVersion: keycloak.appuio.ch/v1alpha1 | ||
kind: AttributeSync | ||
metadata: | ||
name: sync-default-org | ||
spec: | ||
url: https://id.dev.appuio.cloud/ | ||
realm: appuio-public | ||
loginRealm: appuio-public | ||
credentialsSecret: | ||
name: keycloack-read-users-secrets | ||
namespace: ... | ||
attribute: appuio.io/default-organization | ||
targetAnnotation: default-organization-syncer.appuio.io/sync-time | ||
``` | ||
### Authenticating to Keycloak | ||
A user with rights to query for Keycloak groups must be available. The following permissions must be associated to the user: | ||
* Password must be set (Temporary option unselected) on the _Credentials_ tab | ||
* On the _Role Mappings_ tab, select _master-realm_ or _realm-management_ next to the _Client Roles_ dropdown and then select **query-users** and **view-users**. | ||
A secret must be created in the same namespace that contains the `GroupSync` resource. It must contain the following keys for the user previously created: | ||
|
||
* `username` - Username for authenticating with Keycloak | ||
* `password` - Password for authenticating with Keycloak | ||
|
||
The secret can be created by executing the following command: | ||
|
||
```shell | ||
oc create secret generic keycloak-attribute-sync --from-literal=username=<username> --from-literal=password=<password> | ||
``` | ||
|
||
### Scheduled Execution | ||
|
||
A cron style expression can be specified for which a synchronization event will occur. The following specifies that a synchronization should occur nightly at 3AM | ||
|
||
```shell | ||
apiVersion: keycloak.appuio.ch/v1alpha1 | ||
kind: AttributeSync | ||
metadata: | ||
name: sync-default-org | ||
spec: | ||
schedule: "0 3 * * *" | ||
``` | ||
|
||
If a schedule is not provided, synchronization will occur only when the object is reconciled by the platform. |
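Review bot: the "Authenticating to Keycloak" section still describes a group-sync controller rather than this attribute-sync one. It says the user needs "rights to query for Keycloak groups" and that the secret must be in the namespace "that contains the `GroupSync` resource", while the resource introduced above is `kind: AttributeSync`; both sentences should refer to users/attributes and to `AttributeSync`. The same section also contradicts the example: the example secret is named `keycloack-read-users-secrets` (note the spelling) and sets `namespace: ...` under `credentialsSecret`, but the command `oc create secret generic keycloak-attribute-sync --from-literal=username=<username> --from-literal=password=<password>` creates a differently named secret and the text says it must live in the same namespace as the resource; pick one name and state whether `credentialsSecret.namespace` is honoured. Smaller points: `url` is used in the example but missing from the options table; `caSecret` says "(See below)" but no section describes it, and it deserves one because it is the supported alternative to `insecure: true`, whose table entry should say plainly that it disables TLS certificate verification for the Keycloak connection; `loginRealm` is documented as defaulting to `master` while the example sets it to `appuio-public`, so a sentence on when it should differ from `realm` would help; and the "Scheduled Execution" block is YAML but fenced as ```shell.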