Open ckazimie opened 2 weeks ago
Greetings,
there are different ways to do this. You could either reference the builtin role by its UUID or you use the function / composition we wrote:
https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects
Which allows you to do something like that:
```yaml
# Example for Master Realm
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
metadata:
  name: keycloak-builtin-clients-master
spec:
  providerConfigName: keycloak-provider-config
  providerSecretName: keycloak-credentials
  realm: master
  builtinClients:
    - account
    - account-console
    - admin-cli
    - broker
    - master-realm
    - security-admin-console
  builtinRealmRoles:
    - offline_access
    - uma_authorization
    - admin
    - create-realm
```
and import everything you need as Observe Only resources into your cluster.
Then you can just reference them by name as you did before with `roleIdsRefs`.
Hi Breee,
Used your function (thank you for it!) but am facing the issue that no clients were imported even though the composition flags as ready and synced. From your provided example I only changed the keycloak URL to point to my in-cluster URL.
```
> kubectl describe xbuiltinobjects.keycloak.crossplane.io
Name:         keycloak-builtin-clients-master
Namespace:
Labels:       crossplane.io/composite=keycloak-builtin-clients-master
Annotations:  <none>
API Version:  keycloak.crossplane.io/v1alpha1
Kind:         XBuiltinObjects
Metadata:
  Creation Timestamp:  2024-07-09T16:03:09Z
  Finalizers:
    composite.apiextensions.crossplane.io
  Generation:        4
  Resource Version:  153138
  UID:               132e66b2-826d-46bf-8fdc-319ec39fd5bf
Spec:
  Builtin Clients:
    account
    account-console
    admin-cli
    broker
    master-realm
    security-admin-console
  Builtin Realm Roles:
    offline_access
    uma_authorization
    admin
    create-realm
  Composition Ref:
    Name:  keycloak-builtin-objects
  Composition Revision Ref:
    Name:  keycloak-builtin-objects-57f2cc5
  Composition Update Policy:  Automatic
  Provider Config Name:       keycloak-provider-config
  Provider Secret Name:       keycloak-credentials
  Realm:                      master
  Resource Refs:
Status:
  Conditions:
    Last Transition Time:  2024-07-09T16:04:53Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
    Last Transition Time:  2024-07-09T16:04:53Z
    Reason:                Available
    Status:                True
    Type:                  Ready
Events:
  Type     Reason             Age                  From                                                                 Message
  ----     ------             ----                 ----                                                                 -------
  Normal   SelectComposition  20m                  defined/compositeresourcedefinition.apiextensions.crossplane.io      Successfully selected composition: keycloak-builtin-objects
  Normal   SelectComposition  20m                  defined/compositeresourcedefinition.apiextensions.crossplane.io      Selected composition revision: keycloak-builtin-objects-57f2cc5
  Warning  ComposeResources   19m (x2 over 19m)    defined/compositeresourcedefinition.apiextensions.crossplane.io      cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unavailable desc = last resolver error: dns: A record lookup error: lookup function-keycloak-builtin-objects.crossplane-system on 10.43.0.10:53: server misbehaving
  Warning  ComposeResources   19m (x7 over 20m)    defined/compositeresourcedefinition.apiextensions.crossplane.io      cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unavailable desc = last resolver error: produced zero addresses
  Normal   ComposeResources   3m57s (x17 over 19m) defined/compositeresourcedefinition.apiextensions.crossplane.io      Successfully composed resources
```
but
```
> kubectl get clients.openidclient.keycloak.crossplane.io
No resources found
```
Any pointer what I could try/did wrong?
What does the function log? / What does your connection config look like?
Also: make sure to use the latest versions
```json
{"tag": "", "level": "error", "filename": "fn.py", "lineno": 221, "ts": 1720590740.901584, "msg": "Could not find matching secret for providerSecretName: keycloak-credentials"}
```
Thanks for the hint, hadn't realized that the function was a new pod. Could you adapt the example maybe? The secret is called keycloak-credentials-one, but is later referenced as keycloak-credentials.
However, now I have this log in the builtin-objects function:
```
{"tag": "", "level": "info", "filename": "fn.py", "lineno": 203, "ts": 1720593736.9110928, "msg": "Running function"}
Traceback (most recent call last):
  File "src/python/grpcio/grpc/_cython/_cygrpc/aio/server.pyx.pxi", line 729, in grpc._cython.cygrpc._handle_exceptions
  File "src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi", line 185, in _send_error_status_from_server
  File "src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi", line 99, in execute_batch
grpc._cython.cygrpc.ExecuteBatchError: Failed "execute_batch": (<grpc._cython.cygrpc.SendInitialMetadataOperation object at 0x7f26d34972e0>, <grpc._cytho
```
Connection details for test env:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
  labels:
    type: provider-credentials
type: Opaque
stringData:
  credentials: |
    {
      "client_id": "admin-cli",
      "username": "admin",
      "password": "admin",
      "url": "http://keycloak-keycloakx-http.default.svc.cluster.local:8080",
      "base_path": "/auth",
      "realm": "master"
    }
```
Version of the functions are:
@Breee do you have any idea what could be the cause of the grpc call failing?
Hey man, I will look into it soon. Can you also send me the full composition / XR please?
Also: can you please run describe on the XR? It should also log something in its events.
Nice question from you to get me on the right track. The XR logged a timeout, which made me have another look at the connection details in the provider-credentials, and it seems like I had the wrong port.
In case anybody has similar troubles in the future: this is the event in the XR which was logged upon executing `kubectl describe xbuiltinobjects.keycloak.crossplane.io`:
```
Warning  ComposeResources  4m50s (x281 over 5h7m)  defined/compositeresourcedefinition.apiextensions.crossplane.io  cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects": cannot run Function "function-keycloak-builtin-objects": rpc error: code = DeadlineExceeded desc = Deadline Exceeded
```
Thank you for the support. Great feature!
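A pre-flight check for the two things that went wrong in this thread, an XR whose `providerSecretName` matches no Secret in `crossplane-system` and a credentials URL carrying the wrong port, as an added example that is not part of the thread or of the function-keycloak-builtin-objects project. It takes already-parsed manifests (the shape `kubectl get ... -o json` returns); `expected_port` is an assumption you set to the port your Keycloak Service actually exposes, and the sample manifests are constructed.

```python
import base64
import json
from urllib.parse import urlparse

def secret_credentials(secret):
    """Decode the `credentials` JSON of a Secret given as stringData or base64 data."""
    raw = secret.get("stringData", {}).get("credentials")
    if raw is None:
        encoded = secret.get("data", {}).get("credentials")
        if encoded is None:
            return None
        raw = base64.b64decode(encoded).decode()
    return json.loads(raw)

def check_provider_secret(xr, secrets, expected_port=8080):
    """Return a list of problems (empty means the XR's secret looks usable).
    expected_port is an assumption: the port the Keycloak Service really exposes."""
    problems = []
    wanted = xr["spec"]["providerSecretName"]
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace") == "crossplane-system"}
    secret = by_name.get(wanted)
    if secret is None:  # the condition the function logged in the thread
        return [f"Could not find matching secret for providerSecretName: {wanted}"]
    creds = secret_credentials(secret)
    if creds is None:
        return [f"secret {wanted} has no 'credentials' key"]
    for key in ("client_id", "username", "password", "url", "realm"):
        if key not in creds:
            problems.append(f"credentials missing '{key}'")
    url = urlparse(creds.get("url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append(f"url is not an absolute http(s) URL: {creds.get('url')!r}")
    elif url.port is None:
        problems.append("url has no explicit port; the scheme default would be used")
    elif url.port != expected_port:
        problems.append(f"url port {url.port} does not match expected Keycloak port {expected_port}")
    return problems

# Constructed sample input mirroring the thread: the XR asks for keycloak-credentials, but the
# only Secret in crossplane-system is keycloak-credentials-one, and its URL has the wrong port.
SAMPLE_XR = {"spec": {"providerSecretName": "keycloak-credentials", "realm": "master"}}
SAMPLE_SECRETS = [{
    "metadata": {"name": "keycloak-credentials-one", "namespace": "crossplane-system"},
    "stringData": {"credentials": json.dumps({
        "client_id": "admin-cli", "username": "admin", "password": "<placeholder>",
        "url": "http://keycloak-keycloakx-http.default.svc.cluster.local:80",
        "base_path": "/auth", "realm": "master"})},
}]
```

Run it against the live objects by feeding `check_provider_secret` the parsed output of `kubectl get xbuiltinobjects <name> -o json` and `kubectl get secrets -n crossplane-system -o json` (the `.items` list); an empty result means the function should at least be able to find and connect with the secret.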
I am trying to assign a client role `manage-realm` of the built-in client `realm-management` to a user that I have defined, however I cannot... What is the proper way? I try to use the Roles manifest: