crossplane-contrib / provider-keycloak

Apache License 2.0

Unable to reference built-in objects #74

Closed daniel-palmer-gu closed 20 hours ago

daniel-palmer-gu commented 4 months ago

Is there a way to reference built-in objects other than through an id? It does not appear provider-keycloak provides a good way to reference built-in objects.

For example, if I want to give a user admin permissions to a realm via a client role on the realm-management client, there is no good way of referencing that role. Technically, provider-keycloak can reference it if you go to Keycloak and find the role id. However, that is inconvenient and prevents automating this type of action.

It would be nice if provider-keycloak could be given the role/client role name within Keycloak as a reference. This would be convenient for other built-in objects as well.

It looks like this is something #71 is trying to accomplish as well.

Breee commented 3 months ago

Hmmm, not in the current terraform provider, I guess.

I think you could import the realm-management role and set its ManagementPolicy to "Observe"; see: https://docs.crossplane.io/latest/concepts/managed-resources/ and https://docs.crossplane.io/latest/concepts/managed-resources/#managementpolicies

or with deletionPolicy: Orphan.

Then you can just reference it by the k8s object.

daniel-palmer-gu commented 3 months ago

Are there any examples of importing a resource? Not sure I am tracking how to accomplish that.

I think the feature I am looking for is the equivalent of data sources in terraform. For my example, I would want to be able to use a role data source to find the role by name and retrieve the id for use with other resources. https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/data-sources/role

Breee commented 3 months ago

Yeah, here: https://docs.crossplane.io/knowledge-base/guides/import-existing-resources/ It's important that you set managementPolicies: ["Observe"], else crossplane will rip everything apart if you delete your imported resources.

smoehrle commented 3 months ago

In addition: there is also this open issue for crossplane which might be the feature you're asking for: https://github.com/crossplane/crossplane/issues/4141

daniel-palmer-gu commented 3 months ago

Thanks for the quick replies!

I'll play around with importing resources and see if that gets me where I need to be. Assuming I find a solution, I'll write back with an example solution in case someone else is wanting to do the same.

daniel-palmer-gu commented 3 months ago

So in order to import a client role, I must first know the client id. Unfortunately, I can't import built-in clients as to do so also requires the client id.

For example, if I attempt to import the realm-management client on a realm I created called test-realm, the client can't be found. Using the following to import the Client:

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: test-realm/realm-management
  name: realm-management
spec:
  forProvider: {}
  providerConfigRef:
    name: "non-default-config"
  managementPolicies: ["Observe"]

Results in the following status:

status:
  atProvider: {}
  conditions:
  - lastTransitionTime: "2024-03-11T17:18:19Z"
    message: "observe failed: cannot run import: \e[0m\e[1mkeycloak_openid_client.realm-management:
      Importing from ID \"test-realm/realm-management\"...\e[0m\n\e[31m\e[31m╷\e[0m\e[0m\n\e[31m│\e[0m
      \e[0m\e[1m\e[31mError: \e[0m\e[0m\e[1merror sending GET request to REDACTED/REDACTED/realms/test-realm/clients/realm-management:
      404 Not Found. Response body: {\"error\":\"Could not find client\"}\e[0m\n\e[31m│\e[0m
      \e[0m\n\e[31m│\e[0m \e[0m\e[0m\n\e[31m╵\e[0m\e[0m\n\e[0m\e[0m\n: import failed"
    reason: ReconcileError
    status: "False"
    type: Synced

However, if I provide the client id in the import, it works as expected:

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: test-realm/75291e36-a704-49a7-b471-a211cf8c2adf
  name: realm-management
spec:
  forProvider: {}
  providerConfigRef:
    name: "non-default-provider"
  managementPolicies: ["Observe"]

resulting in:

status:
  atProvider:
    accessTokenLifespan: ""
    accessType: BEARER-ONLY
    adminUrl: ""
    backchannelLogoutRevokeOfflineSessions: false
    backchannelLogoutSessionRequired: false
    backchannelLogoutUrl: ""
    baseUrl: ""
    clientAuthenticatorType: client-secret
    clientId: realm-management
    clientOfflineSessionIdleTimeout: ""
    clientOfflineSessionMaxLifespan: ""
    clientSessionIdleTimeout: ""
    clientSessionMaxLifespan: ""
    consentRequired: false
    consentScreenText: ""
    description: ""
    directAccessGrantsEnabled: false
    displayOnConsentScreen: false
    enabled: true
    frontchannelLogoutEnabled: false
    frontchannelLogoutUrl: ""
    fullScopeAllowed: false
    id: 75291e36-a704-49a7-b471-a211cf8c2adf
    implicitFlowEnabled: false
    import: false
    loginTheme: ""
    name: ${client_realm-management}
    oauth2DeviceAuthorizationGrantEnabled: false
    oauth2DeviceCodeLifespan: ""
    oauth2DevicePollingInterval: ""
    realmId: test-realm
    rootUrl: ""
    serviceAccountUserId: ""
    serviceAccountsEnabled: false
    standardFlowEnabled: true
    useRefreshTokens: false
    useRefreshTokensClientCredentials: false
  conditions:
  - lastTransitionTime: "2024-03-11T17:25:03Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2024-03-11T17:25:04Z"
    reason: Available
    status: "True"
    type: Ready

Breee commented 3 months ago

Hm, I guess you need the client-id.

You can extract that when you open your client in Keycloak and copy it from the URL.

https://keycloak.example.com/auth/admin/master/console/#/master/clients/707b5c15-bf19-457e-9a7c-9be41f74dda9/settings

where 707b5c15-bf19-457e-9a7c-9be41f74dda9 would be the id you are searching for.

Can you check if it works for you with the client-id?

Sadly that's how Keycloak does it. Sometimes you reference things by name, sometimes you reference them by a uuid. Would be cool to write a wrapper around that to enable selecting stuff by readable names.

Example:


---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: "master/152d4b09-aaf8-414a-8649-63976cc01af2"
  name: admin-cli
spec:
  forProvider: {}
  providerConfigRef:
    name: "keycloak-provider-config"
  managementPolicies: ["Observe"]

k get client
NAME        READY   SYNCED   EXTERNAL-NAME                                 AGE
admin-cli   True    True     master/152d4b09-aaf8-414a-8649-63976cc01af2   9m19s

daniel-palmer-gu commented 3 months ago

If a wrapper seems feasible, that would be awesome.

There are two alternatives I can think of that go outside of provider-keycloak:

  1. Using composite functions to look up the built-in objects (was a suggestion in @smoehrle's linked issue)
  2. Importing a realm into Keycloak (via UI or init scripts), which allows the uuid of built-in objects to be known ahead of time
    1. This would mean I am not using provider-keycloak to create/manage the realm when I would prefer to.
    2. This would not be fun to manage if I had to provision and manage many realms.

QuadmanSWE commented 2 months ago

Yeah, here: https://docs.crossplane.io/knowledge-base/guides/import-existing-resources/ It's important that you set managementPolicies: ["Observe"], else crossplane will rip everything apart if you delete your imported resources.

I tried to create a client with observe managementpolicies but I get this error. I am running crossplane 1.15.1 with provider-keycloak v1.15.0. What did I miss when installing crossplane?

`spec.managementPolicies` is set to a non-default value but the feature is not enabled: [Observe]


Here is my realm and client, by the way. I am trying to create a realm with a default user that is realm admin, so that when someone asks for a new realm they can log on once as this user and then let themselves in with federation or something.

Realm shows up and works great, any user I create works too but I can't add realm-admin to them.

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: developers-realm
spec:
  forProvider:
    realm: developers-realm
    enabled: true
    displayName: "Home of the Developers"
  providerConfigRef:
    name: keycloak-config
---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: realm-management
spec:
  forProvider:
    realmIdRef:
      name: developers-realm
  providerConfigRef:
    name: keycloak-config
  managementPolicies: ["Observe"]

QuadmanSWE commented 2 months ago

To answer my own question, this provider doesn't allow observe by default: https://github.com/crossplane-contrib/provider-keycloak/blob/7d1abb98ad9863effaf74a484e15f63c68e440d6/cmd/provider/main.go#L51

I could enable it by setting this envvar, for example by using a controllerconfig ref in the provider.

# apiVersion added so the manifest applies as-is; ControllerConfig lives in pkg.crossplane.io/v1alpha1
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: enable-management-policies-config
spec:
  args:
    - --enable-management-policies


Breee commented 2 months ago

To answer my own question, this provider doesn't allow observe by default:

https://github.com/crossplane-contrib/provider-keycloak/blob/7d1abb98ad9863effaf74a484e15f63c68e440d6/cmd/provider/main.go#L51

I could enable it by setting this envvar, for example by using a controllerconfig ref in the provider.

kind: ControllerConfig
metadata:
  name: enable-management-policies-config
spec:
  args:
    - --enable-management-policies


In release v0.16.0 management policies are now enabled by default. I think this makes sense for this provider.

vladimirblahoz commented 2 months ago

Right now I am trying to attempt exactly the same thing: assign realm-management client roles to my service account. And if I understood correctly, to achieve that I need:

Meaning the chicken-and-egg problem is real. I am really in need of being able to automate everything, so looking up the built-in client's ID through the Keycloak UI is a no-go, and this starts to be quite problematic for me.

Breee commented 2 months ago

I agree, how the Keycloak API / backend currently works is problematic for our use cases. There are two approaches that come to my mind:

@smoehrle do we have something ready to test this using composition functions?

Breee commented 2 months ago

OK guys, I made a PoC: https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients which calls a composition function: https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients/-/blob/main/function/fn.py?ref_type=heads#L40

  1. XRD:
    apiVersion: apiextensions.crossplane.io/v1
    kind: CompositeResourceDefinition
    metadata:
      name: xbuiltinclients.crossplane.corewire.io  # required to be in the format <plural>.<group>
    spec:
      group: crossplane.corewire.io
      names:
        kind: XBuiltinClients
        plural: xbuiltinclients
      versions:
      - name: v1alpha1
        served: true
        referenceable: true
        schema:
          openAPIV3Schema:
            type: object
            properties:
              spec:
                type: object
                properties:
                  realm:
                    type: string
                  provider_config_name:
                    type: string
                  url:
                    type: string
                  username:
                    type: string
                  password:
                    type: string
                required:
                - realm
                - provider_config_name
                - url
                - username
                - password
            required:
            - spec
  2. Composition:
    apiVersion: apiextensions.crossplane.io/v1
    kind: Composition
    metadata:
      name: keycloak-builtin-clients
    spec:
      compositeTypeRef:
        apiVersion: crossplane.corewire.io/v1alpha1
        kind: XBuiltinClients
      mode: Pipeline
      pipeline:
      - step: keycloak-builtin-clients
        functionRef:
          name: function-keycloak-builtin-clients
  3. Function:
    ---
    apiVersion: pkg.crossplane.io/v1beta1
    kind: Function
    metadata:
      name: function-keycloak-builtin-clients
      #annotations:
      #  # This tells crossplane beta render to connect to the function locally.
      #  render.crossplane.io/runtime: Development
    spec:
      # This is ignored when using the Development runtime.
      package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients:v1.0.6
      packagePullPolicy: Always
  4. XR:
    apiVersion: crossplane.corewire.io/v1alpha1
    kind: XBuiltinClients
    metadata:
      name: keycloak-builtin-clients
    spec:
      realm: master
      provider_config_name: keycloak-provider-config
      url: http://172.25.0.31:80/auth/
      username: admin
      password: admin

That generates me the clients:

$ k get clients
NAME                     READY   SYNCED   EXTERNAL-NAME                                 AGE
account                  True    True     master/d0721a8e-9b57-4b9e-ab1c-8122184fe932   6m9s
account-console          True    True     master/7288704c-dd24-486d-bf4b-c0d375075940   6m9s
admin-cli                True    True     master/47f56720-63fe-4270-8c50-9d6255a15c1c   6m9s
broker                   True    True     master/290085fe-f831-4eaa-bff3-4016923a2f3b   6m9s
master-realm             True    True     master/8ce939fe-01fd-4b3c-91ed-78d439a55f85   6m9s
security-admin-console   True    True     master/789bd109-35c5-42c3-9525-5e52f037e220   6m9s

Obviously this is not production ready, as for simplicity I just passed in everything the function needs to talk to Keycloak.

Would something like that be okay for you to use?
Of course prettified / enhanced, as this just gets all current clients of a Keycloak instance and imports them using external names. Optimally we just pass a list of builtin clients we want.

Let me know and I'll provide something.

QuadmanSWE commented 2 months ago

I will give this a try as soon as I can take the time. Very nice from the look of it.

QuadmanSWE commented 2 months ago

@Breee Not sure how to interpret the docs in the poc on gitlab but my guess is this is what I should run to be able to give it a try? crossplane xpkg install function registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients:v1.0.6

Or should I just deploy 1-4 in the examples and swap out the credentials? What would we then do to make this work with the crossplane keycloak provider so that we don't have to supply credentials at all?

QuadmanSWE commented 2 months ago

So I kind of get it to work, but only for the master realm and only if I provide the root admin username and password. It syncs all the clients and they look good individually, but the keycloak-builtin-clients XBuiltinClients doesn't flag as ready.

Name:         keycloak-builtin-clients
Namespace:    
Labels:       crossplane.io/composite=keycloak-builtin-clients
Annotations:  <none>
API Version:  crossplane.corewire.io/v1alpha1
Kind:         XBuiltinClients
Metadata:
  Creation Timestamp:  2024-04-21T10:11:24Z
  Finalizers:
    composite.apiextensions.crossplane.io
  Generation:        4
  Resource Version:  10874
  UID:               d7c24563-4df2-410c-9e7b-332f8e4d1b77
Spec:
  Composition Ref:
    Name:  keycloak-builtin-clients
  Composition Revision Ref:
    Name:                     keycloak-builtin-clients-08d0f48
  Composition Update Policy:  Automatic
  Password:                   somepw
  provider_config_name:       keycloak-config
  Realm:                      master
  Resource Refs:
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         account
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         account-console
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         admin-cli
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         argocd
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         broker
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         crossplane
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         developers-realm-realm
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         master-realm
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         oauth2proxy
    API Version:  openidclient.keycloak.crossplane.io/v1alpha1
    Kind:         Client
    Name:         security-admin-console
  URL:            http://keycloak.platform:80
  Username:       ds
Status:
  Conditions:
    Last Transition Time:  2024-04-21T10:11:24Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
    Last Transition Time:  2024-04-21T10:11:24Z
    Message:               Unready resources: master-account, master-account-console, master-admin-cli, and 7 more
    Reason:                Creating
    Status:                False
    Type:                  Ready
Events:
  Type    Reason             Age                    From                                                             Message
  ----    ------             ----                   ----                                                             -------
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-master-realm" is not yet ready
  Normal  SelectComposition  5m30s                  defined/compositeresourcedefinition.apiextensions.crossplane.io  Successfully selected composition: keycloak-builtin-clients
  Normal  ComposeResources   5m30s                  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-argocd" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-account-console" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-security-admin-console" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-admin-cli" is not yet ready
  Normal  SelectComposition  5m30s                  defined/compositeresourcedefinition.apiextensions.crossplane.io  Selected composition revision: keycloak-builtin-clients-08d0f48
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-oauth2proxy" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-developers-realm-realm" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-crossplane" is not yet ready
  Normal  ComposeResources   5m30s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Composed resource "master-broker" is not yet ready
  Normal  ComposeResources   5m30s (x6 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  (combined from similar events): Composed resource "master-account-console" is not yet ready
  Normal  ComposeResources   5m29s (x5 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  (combined from similar events): Successfully composed resources
  Normal  ComposeResources   5m29s (x2 over 5m30s)  defined/compositeresourcedefinition.apiextensions.crossplane.io  Successfully composed resources


Breee commented 2 months ago

@Breee Not sure how to interpret the docs in the poc on gitlab but my guess is this is what I should run to be able to give it a try? crossplane xpkg install function registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients:v1.0.6

Or should I just deploy 1-4 in the examples and swap out the credentials? What would we then do to make this work with the crossplane keycloak provider so that we don't have to supply credentials at all?

You just apply examples 1-4 in that order. It's really just a PoC, nothing we should use for a prod environment. But as I said, if something like that works for you I can provide something more mature that is based on the crossplane ecosystem using functions.

Just as a reminder, all of this can also just be automated with a really simple script, e.g. in Python.
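A minimal version of the script Breee mentions, added here as an example (it is not code from this issue, the PoC, or provider-keycloak): it resolves built-in clients by clientId through the Keycloak admin REST API and emits Observe-only Client manifests keyed by realm/uuid, the form the import earlier in the thread accepted. Assumed: a Keycloak without the /auth prefix (include it in the base URL otherwise), the admin-cli password grant against the master realm, and a private CA handed over as a bundle instead of skipping TLS verification.

```python
"""Resolve Keycloak built-in clients by name and emit Observe-only Client manifests.

Added example for this thread, not code from provider-keycloak or the PoC.
Assumptions: Keycloak admin REST API without /auth prefix, admin-cli password
grant on the master realm, output as a kubectl-applyable v1 List in JSON.
"""
import json
import re
import ssl
import sys
import urllib.parse
import urllib.request

CLIENT_API_VERSION = "openidclient.keycloak.crossplane.io/v1alpha1"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def tls_context(ca_bundle=None):
    """Verify TLS against the system store or a private CA bundle; never disable verification."""
    return ssl.create_default_context(cafile=ca_bundle)


def admin_token(base_url, username, password, ctx):
    """Log in to the master realm with admin-cli (password grant) and return the bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["access_token"]


def fetch_clients(base_url, token, realm, ctx):
    """GET /admin/realms/{realm}/clients: each entry has the UUID ('id') and the name ('clientId')."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/clients",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def select_builtin(clients, wanted):
    """Map the wanted clientIds to UUIDs; fail loudly on a missing name or a non-UUID id."""
    by_name = {c["clientId"]: c["id"] for c in clients}
    missing = [name for name in wanted if name not in by_name]
    if missing:
        raise KeyError(f"clients not found in realm: {missing}")
    bad = [name for name in wanted if not UUID_RE.match(by_name[name])]
    if bad:
        raise ValueError(f"non-UUID ids returned for: {bad}")
    return {name: by_name[name] for name in wanted}


def client_manifest(realm, client_id, uuid, provider_config):
    """Observe-only Client keyed by '<realm>/<uuid>', the external-name form the import accepts."""
    return {
        "apiVersion": CLIENT_API_VERSION,
        "kind": "Client",
        "metadata": {
            "name": f"{realm}-{client_id}",
            "annotations": {"crossplane.io/external-name": f"{realm}/{uuid}"},
        },
        "spec": {
            "forProvider": {},
            "providerConfigRef": {"name": provider_config},
            # Observe: Crossplane reads the built-in object but never updates or deletes it.
            "managementPolicies": ["Observe"],
        },
    }


def manifests_for(clients, realm, wanted, provider_config):
    """Build a kubectl-applyable List of Observe-only Clients for the wanted built-ins."""
    ids = select_builtin(clients, wanted)
    return {
        "apiVersion": "v1",
        "kind": "List",
        "items": [client_manifest(realm, n, ids[n], provider_config) for n in wanted],
    }


# Constructed sample of what /admin/realms/test-realm/clients returns (ids are made up).
SAMPLE_CLIENTS = [
    {"id": "75291e36-a704-49a7-b471-a211cf8c2adf", "clientId": "realm-management"},
    {"id": "0f0e1d2c-3b4a-4596-8778-99aabbccddee", "clientId": "account"},
    {"id": "11111111-2222-4333-8444-555555555555", "clientId": "my-app"},
]

if __name__ == "__main__":
    if len(sys.argv) == 5:
        # python builtin_clients.py https://kc.example.test admin 'pw' test-realm
        base_url, user, pw, realm = sys.argv[1:]
        ctx = tls_context()
        clients = fetch_clients(base_url, admin_token(base_url, user, pw, ctx), realm, ctx)
    else:  # offline: run against the constructed sample
        realm, clients = "test-realm", SAMPLE_CLIENTS
    out = manifests_for(clients, realm, ["realm-management", "account"], "keycloak-config")
    print(json.dumps(out, indent=2))
```

Pipe the output into kubectl apply -f -; because the Clients are Observe-only, deleting them later only removes the Kubernetes objects, not the Keycloak built-ins.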

QuadmanSWE commented 2 months ago

So far it just creates the clients, but we would also need to get the client roles so that they can be assigned to users which this doesn't appear to do.

The way to use it though is exactly what I had in mind at least, not sure about you @daniel-palmer-gu ?

But of course instead of using username and password and url we would use an existing providerconfig.

I'd be happy to help develop / test / document this stuff into a prod ready feature of this provider.

Breee commented 2 months ago

Sure, this was just a PoC as I said. If this is usable for you guys, we should raise a new feature request issue and define what builtin stuff we want to be able to import using the methodology I used. You can formulate that if you want, else I will do that later today.

QuadmanSWE commented 2 months ago

As someone operating a Keycloak instance, I want to be able to import the default client roles which are created as part of the realm creation into crossplane, so that I can assign "realm-admin" to a user I create with a composite resource definition.

Let me know if you want a mock up of a claim of such an XRD.

daniel-palmer-gu commented 2 months ago

For selfish reasons, I would prefer a fix within the provider. However, a way to accomplish this is better than none, so I would accept a function to meet the need.

Breee commented 2 months ago
Breee commented 4 weeks ago
QuadmanSWE commented 4 weeks ago

Having an issue with tls_insecure_skip_verify not being respected in my Keycloak credentials. It works well for creating realms but not for the built-in objects function. I am running on a dev cluster where the istio ingress gateway runs with a self-signed cert for *.platform.local, and I changed the DNS in Kubernetes so that kc.platform.local points to it directly without going out and back in, because the DNS name is not on my network, just in my hosts file.

Should I set up keycloak some other way to not run into this problem with ssl from the function?

```yaml
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: crossplane-keycloak-provider:keycloak.crossplane.io/XBuiltinObjects:crossplane-system/keycloak-builtin-objects-master
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"keycloak.crossplane.io/v1alpha1","kind":"XBuiltinObjects","metadata":{"annotations":{"argocd.argoproj.io/tracking-id":"crossplane-keycloak-provider:keycloak.crossplane.io/XBuiltinObjects:crossplane-system/keycloak-builtin-objects-master"},"name":"keycloak-builtin-objects-master"},"spec":{"builtinClients":["account","account-console","admin-cli","broker","master-realm","security-admin-console"],"builtinRealmRoles":["offline_access","uma_authorization","admin","create-realm"],"providerConfigName":"keycloak-provider-config","providerSecretName":"keycloak-credentials","realm":"master"}}
  creationTimestamp: "2024-06-09T11:55:10Z"
  finalizers:
  - composite.apiextensions.crossplane.io
  generation: 3
  labels:
    crossplane.io/composite: keycloak-builtin-objects-master
  name: keycloak-builtin-objects-master
  resourceVersion: "13686"
  uid: e6e666d7-233d-4447-81ce-930b9d6b3d39
spec:
  builtinClients:
  - account
  - account-console
  - admin-cli
  - broker
  - master-realm
  - security-admin-console
  builtinRealmRoles:
  - offline_access
  - uma_authorization
  - admin
  - create-realm
  compositionRef:
    name: keycloak-builtin-objects
  compositionRevisionRef:
    name: keycloak-builtin-objects-c000411
  compositionUpdatePolicy: Automatic
  providerConfigName: keycloak-provider-config
  providerSecretName: keycloak-credentials
  realm: master
status:
  conditions:
  - lastTransitionTime: "2024-06-09T11:56:35Z"
    message: 'cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects":
      cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unknown
      desc = Unexpected <class ''keycloak.exceptions.KeycloakConnectionError''>: Can''t
      connect to server (HTTPSConnectionPool(host=''kc.platform.local'', port=443):
      Max retries exceeded with url: /realms/master/protocol/openid-connect/token
      (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED]
      certificate verify failed: unable to get local issuer certificate (_ssl.c:992)''))))'
    reason: ReconcileError
    status: "False"
    type: Synced
```

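The "simple script" route mentioned earlier in the thread, and the `tls_insecure_skip_verify` failure reported in the comment just above, are shown together in the following added example. It is not code from provider-keycloak, from the PoC function, or from anyone in this thread. It looks up a built-in client role (here `realm-admin` on the `realm-management` client) by name through the Keycloak admin REST API, then emits a Crossplane managed resource that imports the role with `managementPolicies: ["Observe"]`, so other managed resources can reference the Kubernetes object instead of a UUID copied out of the admin console. TLS verification is driven by the credentials: on by default, optionally against a private CA bundle, and only disabled when `tls_insecure_skip_verify` is explicitly set. Assumptions that the thread does not confirm, to be checked against your provider version: the credentials secret is JSON with keys `url`, `realm`, `client_id`, `username`, `password` and an optional boolean `tls_insecure_skip_verify`; the managed resource is `role.keycloak.crossplane.io/v1alpha1` `Role` with `spec.forProvider.realmId`, `clientId` (the client's UUID) and `name`; and the imported object is keyed by the `crossplane.io/external-name` annotation. The `fake_keycloak` transport, its UUIDs and `CONSTRUCTED_CREDS` are constructed stand-ins so the example runs offline.

```python
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Transport: (method, url, headers, body or None) -> response body. Injected so the
# lookup logic can run offline against the constructed stand-in at the bottom.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]

def build_ssl_context(creds: Dict[str, Any], ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify by default (optionally against a private CA bundle); disable
    verification only when the credentials JSON explicitly asks for it."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if bool(creds.get("tls_insecure_skip_verify", False)):
        ctx.check_hostname = False          # dev-cluster escape hatch, never the default
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def urllib_transport(ctx: ssl.SSLContext) -> Transport:
    """Real HTTPS transport for use against a live Keycloak."""
    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.read()
    return send

def get_admin_token(creds: Dict[str, Any], http: Transport) -> str:
    """Password grant against the token endpoint seen in the error above."""
    url = f"{creds['url'].rstrip('/')}/realms/{creds['realm']}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({"grant_type": "password",
                                   "client_id": creds.get("client_id", "admin-cli"),
                                   "username": creds["username"],
                                   "password": creds["password"]}).encode()
    body = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return json.loads(body)["access_token"]

def find_client_role(creds: Dict[str, Any], token: str, realm: str, client_id: str,
                     role_name: str, http: Transport) -> Tuple[str, Dict[str, Any]]:
    """Resolve a clientId such as realm-management to its UUID, then fetch the named
    role. Returns (client UUID, role representation); role['id'] is the value you
    would otherwise copy out of the admin console by hand."""
    base, auth = creds["url"].rstrip("/"), {"Authorization": f"Bearer {token}"}
    query = urllib.parse.urlencode({"clientId": client_id})
    clients = json.loads(http("GET", f"{base}/admin/realms/{realm}/clients?{query}", auth, None))
    exact = [c for c in clients if c.get("clientId") == client_id]  # defensive exact match
    if len(exact) != 1:
        raise LookupError(f"expected one client {client_id!r} in realm {realm!r}, got {len(exact)}")
    client_uuid = exact[0]["id"]
    role_url = f"{base}/admin/realms/{realm}/clients/{client_uuid}/roles/{urllib.parse.quote(role_name)}"
    return client_uuid, json.loads(http("GET", role_url, auth, None))

def observe_only_role_manifest(k8s_name: str, realm: str, client_uuid: str,
                               role: Dict[str, Any], provider_config: str) -> Dict[str, Any]:
    """Crossplane object importing the existing role: Observe-only, so the provider
    never mutates or deletes it, keyed by the external-name annotation."""
    return {
        "apiVersion": "role.keycloak.crossplane.io/v1alpha1",   # assumed CRD group/version
        "kind": "Role",
        "metadata": {"name": k8s_name,
                     "annotations": {"crossplane.io/external-name": role["id"]}},
        "spec": {"managementPolicies": ["Observe"],
                 "providerConfigRef": {"name": provider_config},
                 "forProvider": {"realmId": realm, "clientId": client_uuid, "name": role["name"]}},
    }

def import_builtin_client_role(creds: Dict[str, Any], realm: str, client_id: str, role_name: str,
                               k8s_name: str, provider_config: str,
                               http: Optional[Transport] = None) -> Dict[str, Any]:
    http = http or urllib_transport(build_ssl_context(creds))
    token = get_admin_token(creds, http)
    client_uuid, role = find_client_role(creds, token, realm, client_id, role_name, http)
    return observe_only_role_manifest(k8s_name, realm, client_uuid, role, provider_config)

# Constructed stand-in for a Keycloak server (fake UUIDs, fake token) so this runs offline.
FAKE_CLIENT_UUID = "5d0c2d0a-1b3e-4c6f-9a8b-0123456789ab"
FAKE_ROLE_ID = "0e7e6d2b-4f51-4a9c-8c3d-ddddeeeeffff"
CONSTRUCTED_CREDS = {"url": "https://kc.platform.local", "realm": "master", "client_id": "admin-cli",
                     "username": "admin", "password": "not-a-real-password", "tls_insecure_skip_verify": True}

def fake_keycloak(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> bytes:
    path = urllib.parse.urlsplit(url).path
    if method == "POST" and path.endswith("/protocol/openid-connect/token"):
        return json.dumps({"access_token": "fake-token"}).encode()
    if headers.get("Authorization") != "Bearer fake-token":
        raise PermissionError("admin API called without the bearer token")
    if path.endswith("/clients"):   # returns a near-miss too, to exercise the exact match
        return json.dumps([{"id": FAKE_CLIENT_UUID, "clientId": "realm-management"},
                           {"id": "11111111-2222-4333-8444-555555555555", "clientId": "realm-management-x"}]).encode()
    if path.endswith(f"/clients/{FAKE_CLIENT_UUID}/roles/realm-admin"):
        return json.dumps({"id": FAKE_ROLE_ID, "name": "realm-admin", "clientRole": True}).encode()
    raise RuntimeError(f"unexpected request {method} {url}")

if __name__ == "__main__":
    manifest = import_builtin_client_role(CONSTRUCTED_CREDS, "master", "realm-management", "realm-admin",
                                          "master-realm-admin", "keycloak-provider-config", http=fake_keycloak)
    print(json.dumps(manifest, indent=2))
```

Against a real server, drop the `http=fake_keycloak` argument and the script uses `urllib_transport` with the context from `build_ssl_context`. For the self-signed *.platform.local case, passing the gateway's CA as `ca_bundle` keeps verification on; that is preferable to either skipping verification or, as later in the thread, falling back to plain http on the internal service name, since the admin password and bearer token travel over that connection.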

Breee commented 4 weeks ago

That's definitely my fault and I probably don't even handle that yet, i'll look into it asap. I got some time right now


QuadmanSWE commented 4 weeks ago

Thanks, looking forward to it.

If I had a cloud cluster with a real domain I could try it out, but for developers this would be required anyway, so that they don't have to run a bunch of advanced PKI.

I will try to register a copy of the credentials that tries to connect to Keycloak on the internal svc name, but if I recall correctly that needs some work inside Keycloak as well to allow the connection on HTTP and on a different URL.

QuadmanSWE commented 4 weeks ago

No, actually that did it. Finally. Thanks so much @Breee. Here is my example highlighting the commit that made it work: https://github.com/QuadmanSWE/ds-ref-platform/commit/0525b79fab6756dc010b298ff4c758e17a222ad2

Breee commented 4 weeks ago

> No, actually that did it. Finally. Thanks so much @Breee. Here is my example highlighting the commit that made it work: QuadmanSWE/ds-ref-platform@0525b79

It should not, as I just committed a fix and started building v0.8.0. Releasing it right now with this pipeline.

In your commit you use http, not https. Anyway, good that you solved the issue.

QuadmanSWE commented 4 weeks ago

> > No, actually that did it. Finally. Thanks so much @Breee. Here is my example highlighting the commit that made it work: QuadmanSWE/ds-ref-platform@0525b79
>
> It should not, as I just committed a fix and started building v0.8.0. Releasing it right now with this pipeline.
>
> In your commit you use http, not https. Anyway, good that you solved the issue.

Changing it from https to http and going to the internal URL from the function worked. I now have two sets of credential secrets: one that uses https and the external Istio gateway name, and one that uses http and the internal Keycloak service name.

Works like a charm, but I will try it out with just one set of credentials / URLs / protocols just to make sure.

This brings me tremendous joy (the role naming scheme will take some time getting used to though 😄).

Breee commented 20 hours ago

Should be fixed with #83.