crossplane-contrib / provider-keycloak

Apache License 2.0
21 stars, 11 forks

Improve ProviderConfigRef Secret #159

Open mircea-pavel-anton opened 6 days ago

mircea-pavel-anton commented 6 days ago

In the documentation, it is mentioned that additional fields supported by the upstream Terraform provider are supported.

I think that having the JSON structure in the connection secret is quite limiting. When I deploy Keycloak via the bitnami helm chart, for example, I need to provide a secret with the password. Having this in JSON format poses some challenges as to extracting and processing that data to format it nicely.

I see that the Terraform provider also supports environment variables. That would be much better UX in allowing me to pick and choose keys from multiple sources (configmaps/secrets).

Is this supported?

Breee commented 6 days ago

Make an example please. One thing you have to keep in mind is that a crossplane provider potentially can configure multiple keycloak instances. So a provider config is used for exactly one instance of keycloak. Just passing environment variables to the provider will not be good enough.

mircea-pavel-anton commented 6 days ago

Sure thing!

I didn't mean injecting env vars into the provider deployment itself. I was talking more about restructuring the provider config credential secret into individual keys as opposed to a single json value, and I was referencing the names of the env vars to be used as keys as a possibility.

Currently, it is defined like this:

---
apiVersion: keycloak.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: keycloak-provider-config
spec:
  credentials:
    source: Secret
    secretRef:
      name: keycloak-credentials
      key: credentials
      namespace: crossplane-system
---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
  labels:
    type: provider-credentials
type: Opaque
stringData:
  credentials: |
    {
      "client_id":"admin-cli",
      "username": "admin",
      "password": "admin",
      "url": "https://keycloak.example.com",
      "base_path": "/auth",
      "realm": "master"
    }

However, what I was proposing is the ability to define it either like this:

---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
  labels:
    type: provider-credentials
type: Opaque
stringData:
  client_id: "admin-cli"
  username: "admin"
  password: "admin"
  url: "https://keycloak.example.com"
  base_path: "/auth"
  realm: "master"

Or like this:

---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
  labels:
    type: provider-credentials
type: Opaque
stringData:
  KEYCLOAK_CLIENT_ID: "admin-cli"
  KEYCLOAK_USER: "admin"
  KEYCLOAK_PASSWORD: "admin"
  KEYCLOAK_URL: "https://keycloak.example.com"
  KEYCLOAK_BASE_PATH: "/auth"
  KEYCLOAK_REALM: "master"

And then rearrange this data into the required format at runtime.

Additionally, sourcing these pieces of information from more than one source could be helpful. For example, having a configMap with the url, client id, realm name and base path and then a secret just with the password or client secret.
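One way the provider could do that rearranging at runtime, shown as an added Go sketch that is not part of provider-keycloak: flat key/value sources (a ConfigMap's data, then a Secret's data) are merged with the Secret taking precedence, env-var style keys are mapped onto the JSON field names the current credentials secret uses, and the required fields are checked before the JSON document is produced. The KEYCLOAK_CLIENT_SECRET / client_secret pair follows the upstream Terraform provider's naming and is my addition beyond what this thread lists; AssembleCredentials is a hypothetical name.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Upstream Terraform provider env-var names mapped to the JSON fields the
// ProviderConfig credentials secret uses today.
var envKeyToField = map[string]string{
	"KEYCLOAK_CLIENT_ID": "client_id", "KEYCLOAK_CLIENT_SECRET": "client_secret",
	"KEYCLOAK_USER": "username", "KEYCLOAK_PASSWORD": "password",
	"KEYCLOAK_URL": "url", "KEYCLOAK_BASE_PATH": "base_path", "KEYCLOAK_REALM": "realm",
}

// AssembleCredentials merges flat key/value sources (e.g. ConfigMap data, then
// Secret data) into the JSON document the provider expects. Later sources win,
// so list the Secret last and it overrides anything a ConfigMap also sets.
// Keys may be JSON field names or the env-var names above.
func AssembleCredentials(sources ...map[string]string) ([]byte, error) {
	merged := map[string]string{}
	for _, src := range sources {
		for k, v := range src {
			if field, ok := envKeyToField[strings.ToUpper(k)]; ok {
				k = field
			}
			merged[k] = v
		}
	}
	if merged["url"] == "" {
		return nil, errors.New("missing required field: url")
	}
	if merged["password"] == "" && merged["client_secret"] == "" {
		return nil, errors.New("either password or client_secret must be set")
	}
	return json.Marshal(merged) // keys are emitted in sorted order
}

func main() {
	// Constructed sample: non-sensitive settings from a ConfigMap, password from a Secret.
	cm := map[string]string{"KEYCLOAK_URL": "https://keycloak.example.com",
		"KEYCLOAK_CLIENT_ID": "admin-cli", "KEYCLOAK_REALM": "master", "KEYCLOAK_BASE_PATH": "/auth"}
	creds, err := AssembleCredentials(cm, map[string]string{"password": "admin"})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(creds))
}
```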