Keycloak Operator API
Packages:
v1.edp.epam.com/v1alpha1
Resource Types:
ClusterKeycloakRealm
ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | ClusterKeycloakRealm | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm. | false |
status | object | ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm. | false |
ClusterKeycloakRealm.spec
ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
clusterKeycloakRef | string | ClusterKeycloakRef is a name of the ClusterKeycloak instance that owns the realm. | true |
realmName | string | RealmName specifies the name of the realm. | true |
authenticationFlows | object | AuthenticationFlow is the configuration for authentication flows in the realm. | false |
browserSecurityHeaders | map[string]string | BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients. | false |
frontendUrl | string | FrontendURL sets the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm. | false |
localization | object | Localization is the configuration for localization in the realm. | false |
passwordPolicy | []object | PasswordPolicies is a list of password policies to apply to the realm. | false |
realmEventConfig | object | RealmEventConfig is the configuration for events in the realm. | false |
themes | object | Themes is a map of themes to apply to the realm. | false |
tokenSettings | object | TokenSettings is the configuration for tokens in the realm. | false |
ClusterKeycloakRealm.spec.authenticationFlows
AuthenticationFlow is the configuration for authentication flows in the realm.
Name | Type | Description | Required |
---|---|---|---|
browserFlow | string | BrowserFlow specifies the authentication flow to use for the realm's browser clients. | false |
ClusterKeycloakRealm.spec.localization
Localization is the configuration for localization in the realm.
Name | Type | Description | Required |
---|---|---|---|
internationalizationEnabled | boolean | InternationalizationEnabled indicates whether to enable internationalization. | false |
ClusterKeycloakRealm.spec.passwordPolicy[index]
Name | Type | Description | Required |
---|---|---|---|
type | string | Type of password policy. | true |
value | string | Value of password policy. | true |
ClusterKeycloakRealm.spec.realmEventConfig
RealmEventConfig is the configuration for events in the realm.
Name | Type | Description | Required |
---|---|---|---|
adminEventsDetailsEnabled | boolean | AdminEventsDetailsEnabled indicates whether to enable detailed admin events. | false |
adminEventsEnabled | boolean | AdminEventsEnabled indicates whether to enable admin events. | false |
enabledEventTypes | []string | EnabledEventTypes is a list of event types to enable. | false |
eventsEnabled | boolean | EventsEnabled indicates whether to enable events. | false |
eventsExpiration | integer | EventsExpiration is the number of seconds after which events expire. | false |
eventsListeners | []string | EventsListeners is a list of event listeners to enable. | false |
ClusterKeycloakRealm.spec.themes
Themes is a map of themes to apply to the realm.
Name | Type | Description | Required |
---|---|---|---|
accountTheme | string | AccountTheme specifies the account theme to use for the realm. | false |
adminConsoleTheme | string | AdminConsoleTheme specifies the admin console theme to use for the realm. | false |
emailTheme | string | EmailTheme specifies the email theme to use for the realm. | false |
loginTheme | string | LoginTheme specifies the login theme to use for the realm. | false |
ClusterKeycloakRealm.spec.tokenSettings
TokenSettings is the configuration for tokens in the realm.
Name | Type | Description | Required |
---|---|---|---|
accessCodeLifespan | integer | AccessCodeLifespan specifies the max time (in seconds) a client has to finish the access token protocol. This should normally be 1 minute. Default: 60 | false |
accessToken | integer | AccessTokenLifespanForImplicitFlow specifies the max time (in seconds) before an access token issued by the implicit flow expires. Default: 900 | false |
accessTokenLifespan | integer | AccessTokenLifespan specifies the max time (in seconds) before an access token expires. This value is recommended to be short relative to the SSO timeout. Default: 300 | false |
actionTokenGeneratedByAdminLifespan | integer | ActionTokenGeneratedByAdminLifespan specifies the max time (in seconds) before an action permit sent to a user by an administrator expires. This value is recommended to be long, to allow administrators to send e-mails to users who are currently offline. The default timeout can be overridden immediately before issuing the token. Default: 43200 | false |
actionTokenGeneratedByUserLifespan | integer | ActionTokenGeneratedByUserLifespan specifies the max time (in seconds) before an action permit sent by a user (such as a forgot-password e-mail) expires. This value is recommended to be short because the user is expected to react to a self-created action quickly. Default: 300 | false |
defaultSignatureAlgorithm | enum | DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm. Enum: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512 | false |
refreshTokenMaxReuse | integer | RefreshTokenMaxReuse specifies the maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate. Default: 0 | false |
revokeRefreshToken | boolean | RevokeRefreshToken: if enabled, a refresh token can only be used up to 'refreshTokenMaxReuse' times and is revoked when a different token is used. Otherwise, refresh tokens are not revoked when used and can be used multiple times. Default: false | false |
ClusterKeycloakRealm.status
ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
available | boolean | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
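An added example (not from the operator's documentation) showing how the ClusterKeycloakRealm fields above combine into a realm with short-lived, single-use refresh tokens, audit events for both user and admin activity, a password policy and browser security headers. The resource names (prod-realm, main-keycloak), the realm name, the flow alias browser-with-otp, the CSP value and the retention values are assumptions made for the example; the browserSecurityHeaders keys and the password policy types follow Keycloak's realm representation.

```yaml
# Added example, not part of the operator docs. Names and numeric values are assumptions.
apiVersion: v1.edp.epam.com/v1alpha1
kind: ClusterKeycloakRealm
metadata:
  name: prod-realm
spec:
  clusterKeycloakRef: main-keycloak          # ClusterKeycloak CR that owns this realm (assumed name)
  realmName: prod
  authenticationFlows:
    browserFlow: browser-with-otp            # alias of a KeycloakAuthFlow that requires a second factor
  tokenSettings:
    defaultSignatureAlgorithm: ES256
    accessTokenLifespan: 300                 # short access tokens; page default
    accessCodeLifespan: 60
    revokeRefreshToken: true                 # a refresh token is invalidated once a newer one is issued ...
    refreshTokenMaxReuse: 0                  # ... and no reuse is tolerated, so a replayed (stolen) token fails
    actionTokenGeneratedByUserLifespan: 300  # forgot-password style links expire quickly
    actionTokenGeneratedByAdminLifespan: 43200
  realmEventConfig:
    eventsEnabled: true
    eventsExpiration: 2592000                # keep user events for 30 days (seconds)
    enabledEventTypes:
      - LOGIN
      - LOGIN_ERROR
      - LOGOUT
      - CODE_TO_TOKEN
      - REFRESH_TOKEN_ERROR
      - UPDATE_PASSWORD
      - RESET_PASSWORD
    adminEventsEnabled: true                 # record who changed realm/client configuration ...
    adminEventsDetailsEnabled: true          # ... including the representation they submitted
    eventsListeners:
      - jboss-logging                        # write events to the server log for log shipping
  passwordPolicy:
    - type: length
      value: "14"
    - type: digits
      value: "1"
    - type: upperCase
      value: "1"
    - type: passwordHistory
      value: "5"
    - type: forceExpiredPasswordChange
      value: "365"
  browserSecurityHeaders:
    xFrameOptions: DENY
    contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'none'; object-src 'none';"
    strictTransportSecurity: "max-age=31536000; includeSubDomains"
    xContentTypeOptions: nosniff
    referrerPolicy: no-referrer
```

Note that browserSecurityHeaders is applied as a map: supplying only some keys leaves the others at whatever the realm already has, so list every header you want enforced rather than relying on Keycloak's defaults surviving a later edit.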
ClusterKeycloak
ClusterKeycloak is the Schema for the clusterkeycloaks API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | ClusterKeycloak | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | ClusterKeycloakSpec defines the desired state of ClusterKeycloak. | false |
status | object | ClusterKeycloakStatus defines the observed state of ClusterKeycloak. Default: {"connected": false} | false |
ClusterKeycloak.spec
ClusterKeycloakSpec defines the desired state of ClusterKeycloak.
Name | Type | Description | Required |
---|---|---|---|
secret | string | Secret is the name of the secret that contains the admin credentials. | true |
url | string | URL of the Keycloak service. | true |
adminType | enum | AdminType can be user or serviceAccount; if serviceAccount is specified, the client_credentials grant type is used to obtain the admin realm token. Enum: serviceAccount, user | false |
caCert | object | CACert defines the root certificate authority that API clients use when verifying server certificates. Resources should be in the namespace defined in the operator's OPERATOR_NAMESPACE env. | false |
insecureSkipVerify | boolean | InsecureSkipVerify controls whether the API client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the API client accepts any certificate presented by the server and any host name in that certificate. This disables authentication of the Keycloak endpoint, so an attacker who can intercept the connection receives the admin credentials; prefer caCert for private CAs. | false |
ClusterKeycloak.spec.caCert
CACert defines the root certificate authority that API clients use when verifying server certificates. Resources should be in the namespace defined in the operator's OPERATOR_NAMESPACE env.
Name | Type | Description | Required |
---|---|---|---|
configMapKeyRef | object | Selects a key of a ConfigMap. | false |
secretKeyRef | object | Selects a key of a secret. | false |
ClusterKeycloak.spec.caCert.configMapKeyRef
Selects a key of a ConfigMap.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key to select. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
ClusterKeycloak.spec.caCert.secretKeyRef
Selects a key of a secret.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key of the secret to select from. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
ClusterKeycloak.status
ClusterKeycloakStatus defines the observed state of ClusterKeycloak.
Name | Type | Description | Required |
---|---|---|---|
connected | boolean | Connected shows if keycloak service is up and running. | true |
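An added example (not from the operator's documentation) of a ClusterKeycloak that authenticates the Keycloak endpoint with a private root CA from a Secret instead of setting insecureSkipVerify, and uses a service account (client_credentials) rather than a human admin password. The names main-keycloak, keycloak-ca, keycloak-admin-sa, the key name ca.crt and the URL are assumptions; the key layout of the admin credentials secret is not described on this page and must follow the operator's own documentation.

```yaml
# Added example, not part of the operator docs. Names, URL and key names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-ca                        # must live in the OPERATOR_NAMESPACE namespace (see caCert)
type: Opaque
stringData:
  ca.crt: |                                # key name chosen here and referenced in secretKeyRef below
    -----BEGIN CERTIFICATE-----
    ...PEM of the internal root CA that signed the Keycloak server certificate...
    -----END CERTIFICATE-----
---
apiVersion: v1.edp.epam.com/v1alpha1
kind: ClusterKeycloak
metadata:
  name: main-keycloak
spec:
  url: https://keycloak.internal.example.com
  secret: keycloak-admin-sa                # admin credentials; key layout per the operator docs
  adminType: serviceAccount                # client_credentials grant: no interactive admin password stored in the cluster
  caCert:
    secretKeyRef:
      name: keycloak-ca
      key: ca.crt
  # Weak alternative, kept here only to show what NOT to do:
  # insecureSkipVerify: true               # any certificate and any host name are accepted, so a
  #                                        # man-in-the-middle receives the admin credentials and every
  #                                        # realm/client/user change the operator makes
```

After applying, the operator sets status.connected to true once it can reach the URL with a trusted certificate; a connected: false status combined with a TLS error in the operator log is the expected failure when the CA in keycloak-ca does not match the server chain, and the fix is the CA, not insecureSkipVerify.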
KeycloakAuthFlow
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakAuthFlow | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakAuthFlow.spec
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is the display name for the authentication flow. | true |
builtIn | boolean | | true |
providerId | string | ProviderID for a root auth flow, and the provider for child auth flows. | true |
realm | string | Realm is the name of the Keycloak realm. | true |
topLevel | boolean | | true |
authenticationExecutions | []object | | false |
childType | string | ChildType is the type of the auth flow if it has a parent; available options: basic-flow, form-flow | false |
description | string | | false |
parentName | string | | false |
KeycloakAuthFlow.spec.authenticationExecutions[index]
Name | Type | Description | Required |
---|---|---|---|
alias | string | | false |
authenticator | string | | false |
authenticatorConfig | object | | false |
authenticatorFlow | boolean | | false |
priority | integer | | false |
requirement | string | | false |
KeycloakAuthFlow.spec.authenticationExecutions[index].authenticatorConfig
Name | Type | Description | Required |
---|---|---|---|
alias | string | | false |
config | map[string]string | | false |
KeycloakAuthFlow.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakClient
KeycloakClient is the Schema for the keycloakclients API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakClient | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakClientSpec defines the desired state of KeycloakClient. | false |
status | object | KeycloakClientStatus defines the observed state of KeycloakClient. | false |
KeycloakClient.spec
KeycloakClientSpec defines the desired state of KeycloakClient.
Name | Type | Description | Required |
---|---|---|---|
clientId | string | ClientId is a unique keycloak client ID referenced in URI and tokens. | true |
advancedProtocolMappers | boolean | | false |
attributes | map[string]string | | false |
clientRoles | []string | | false |
defaultClientScopes | []string | A list of default client scopes for a keycloak client. | false |
directAccess | boolean | | false |
frontChannelLogout | boolean | | false |
protocol | string | | false |
protocolMappers | []object | | false |
public | boolean | | false |
realmRoles | []object | | false |
reconciliationStrategy | enum | Enum: full, addOnly | false |
secret | string | | false |
serviceAccount | object | | false |
targetRealm | string | | false |
webUrl | string | | false |
KeycloakClient.spec.protocolMappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | | false |
name | string | | false |
protocol | string | | false |
protocolMapper | string | | false |
KeycloakClient.spec.realmRoles[index]
Name | Type | Description | Required |
---|---|---|---|
composite | string | | true |
name | string | | false |
KeycloakClient.spec.serviceAccount
Name | Type | Description | Required |
---|---|---|---|
attributes | map[string]string | | false |
clientRoles | []object | | false |
enabled | boolean | | false |
realmRoles | []string | | false |
KeycloakClient.spec.serviceAccount.clientRoles[index]
Name | Type | Description | Required |
---|---|---|---|
clientId | string | | true |
roles | []string | | false |
KeycloakClient.status
KeycloakClientStatus defines the observed state of KeycloakClient.
Name | Type | Description | Required |
---|---|---|---|
clientId | string | | false |
clientSecretName | string | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakClientScope
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakClientScope | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakClientScope.spec
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the Keycloak client scope. | true |
protocol | string | Protocol is the SSO protocol configuration supplied by this client scope. | true |
realm | string | Realm is the name of the Keycloak realm. | true |
attributes | map[string]string | | false |
default | boolean | | false |
description | string | | false |
protocolMappers | []object | | false |
KeycloakClientScope.spec.protocolMappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | | false |
name | string | | false |
protocol | string | | false |
protocolMapper | string | | false |
KeycloakClientScope.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | | false |
value | string | | false |
KeycloakRealmComponent
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmComponent | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmComponent.spec
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
providerId | string | | true |
providerType | string | | true |
realm | string | | true |
config | map[string][]string | | false |
KeycloakRealmComponent.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmGroup
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmGroup | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmGroup.spec
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
realm | string | | true |
access | map[string]boolean | | false |
attributes | map[string][]string | | false |
clientRoles | []object | | false |
path | string | | false |
realmRoles | []string | | false |
subGroups | []string | | false |
KeycloakRealmGroup.spec.clientRoles[index]
Name | Type | Description | Required |
---|---|---|---|
clientId | string | | true |
roles | []string | | false |
KeycloakRealmGroup.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | | false |
value | string | | false |
KeycloakRealmIdentityProvider
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmIdentityProvider | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmIdentityProvider.spec
Name | Type | Description | Required |
---|---|---|---|
alias | string | | true |
config | map[string]string | | true |
enabled | boolean | | true |
providerId | string | | true |
realm | string | | true |
addReadTokenRoleOnCreate | boolean | | false |
authenticateByDefault | boolean | | false |
displayName | string | | false |
firstBrokerLoginFlowAlias | string | | false |
linkOnly | boolean | | false |
mappers | []object | | false |
storeToken | boolean | | false |
trustEmail | boolean | | false |
KeycloakRealmIdentityProvider.spec.mappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | | false |
identityProviderAlias | string | | false |
identityProviderMapper | string | | false |
name | string | | false |
KeycloakRealmIdentityProvider.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmRoleBatch
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmRoleBatch | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmRoleBatch.spec
Name | Type | Description | Required |
---|---|---|---|
realm | string | | true |
roles | []object | | true |
KeycloakRealmRoleBatch.spec.roles[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
attributes | map[string][]string | | false |
composite | boolean | | false |
composites | []object | | false |
description | string | | false |
isDefault | boolean | | false |
KeycloakRealmRoleBatch.spec.roles[index].composites[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
KeycloakRealmRoleBatch.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmRole
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmRole | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmRole.spec
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
realm | string | | true |
attributes | map[string][]string | | false |
composite | boolean | | false |
composites | []object | | false |
description | string | | false |
isDefault | boolean | | false |
KeycloakRealmRole.spec.composites[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | | true |
KeycloakRealmRole.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | | false |
value | string | | false |
KeycloakRealm
KeycloakRealm is the Schema for the keycloakrealms API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealm | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmSpec defines the desired state of KeycloakRealm. | false |
status | object | KeycloakRealmStatus defines the observed state of KeycloakRealm. | false |
KeycloakRealm.spec
KeycloakRealmSpec defines the desired state of KeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
realmName | string | | true |
browserFlow | string | | false |
browserSecurityHeaders | map[string]string | | false |
frontendUrl | string | FrontendURL sets the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm. | false |
id | string | | false |
keycloakOwner | string | | false |
passwordPolicy | []object | | false |
realmEventConfig | object | | false |
themes | object | | false |
users | []object | | false |
KeycloakRealm.spec.passwordPolicy[index]
Name | Type | Description | Required |
---|---|---|---|
type | string | Type of password policy. | true |
value | string | Value of password policy. | true |
KeycloakRealm.spec.realmEventConfig
Name | Type | Description | Required |
---|---|---|---|
adminEventsDetailsEnabled | boolean | AdminEventsDetailsEnabled indicates whether to enable detailed admin events. | false |
adminEventsEnabled | boolean | AdminEventsEnabled indicates whether to enable admin events. | false |
enabledEventTypes | []string | EnabledEventTypes is a list of event types to enable. | false |
eventsEnabled | boolean | EventsEnabled indicates whether to enable events. | false |
eventsExpiration | integer | EventsExpiration is the number of seconds after which events expire. | false |
eventsListeners | []string | EventsListeners is a list of event listeners to enable. | false |
KeycloakRealm.spec.themes
Name | Type | Description | Required |
---|---|---|---|
accountTheme | string | | false |
adminConsoleTheme | string | | false |
emailTheme | string | | false |
internationalizationEnabled | boolean | | false |
loginTheme | string | | false |
KeycloakRealm.spec.users[index]
Name | Type | Description | Required |
---|---|---|---|
username | string | Username of keycloak user | true |
realmRoles | []string | RealmRoles is a list of roles attached to keycloak user | false |
KeycloakRealm.status
KeycloakRealmStatus defines the observed state of KeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
available | boolean | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmUser
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | KeycloakRealmUser | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
KeycloakRealmUser.spec
Name | Type | Description | Required |
---|---|---|---|
realm | string | | true |
username | string | | true |
attributes | map[string]string | | false |
email | string | | false |
emailVerified | boolean | | false |
enabled | boolean | | false |
firstName | string | | false |
groups | []string | | false |
keepResource | boolean | | false |
lastName | string | | false |
password | string | Note that a password set here is stored in plaintext in the custom resource (and therefore in etcd and in any repository the manifest lives in). | false |
reconciliationStrategy | string | | false |
requiredUserActions | []string | RequiredUserActions are the actions required when the user logs in, for example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL | false |
roles | []string | | false |
KeycloakRealmUser.status
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
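An added example (not from the operator's documentation) that ties KeycloakRealmRole, KeycloakRealmGroup and KeycloakRealmUser together with least privilege: the role is narrow, the group carries the role and a single client role, and the user gets access only through group membership. No password is put in the manifest; instead requiredUserActions forces the user to set a password and enrol TOTP at first login. The realm, role, group, client and user names and the e-mail address are assumptions, and whether the v1alpha1 realm field takes the realm name or the KeycloakRealm resource name depends on the operator version, so it is shown with the same value used for both.

```yaml
# Added example, not part of the operator docs. All names are assumptions.
apiVersion: v1.edp.epam.com/v1alpha1
kind: KeycloakRealmRole
metadata:
  name: billing-viewer
spec:
  realm: prod
  name: billing-viewer
  description: Read-only access to billing data
  composite: false                       # a plain role; composites would silently widen it
  isDefault: false                       # never a default role: membership must be explicit
---
apiVersion: v1.edp.epam.com/v1alpha1
kind: KeycloakRealmGroup
metadata:
  name: finance
spec:
  realm: prod
  name: finance
  realmRoles:
    - billing-viewer
  clientRoles:
    - clientId: billing-api              # assumed client; roles are per-client, not realm-wide
      roles:
        - report-reader
---
apiVersion: v1.edp.epam.com/v1alpha1
kind: KeycloakRealmUser
metadata:
  name: j-doe
spec:
  realm: prod
  username: j.doe
  email: j.doe@example.com
  emailVerified: false                   # VERIFY_EMAIL below proves control of the mailbox
  enabled: true
  firstName: Jane
  lastName: Doe
  groups:
    - finance                            # permissions come from the group, not from direct role grants
  requiredUserActions:
    - UPDATE_PASSWORD                    # user chooses the password; it never appears in this manifest
    - CONFIGURE_TOTP                     # second factor enrolled before the first real session
    - VERIFY_EMAIL
  # password: (deliberately omitted; a value here would sit in plaintext in etcd and in git)
```

Because the manifest carries no credential, onboarding needs an out-of-band step (an admin-triggered reset-password e-mail, for instance); the realm's actionTokenGeneratedByAdminLifespan bounds how long that link stays valid.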
Keycloak
Keycloak is the Schema for the keycloaks API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | Keycloak | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakSpec defines the desired state of Keycloak. | false |
status | object | KeycloakStatus defines the observed state of Keycloak. | false |
Keycloak.spec
KeycloakSpec defines the desired state of Keycloak.
Name | Type | Description | Required |
---|---|---|---|
secret | string | Secret is the name of the k8s Secret object related to Keycloak. | true |
url | string | URL of the Keycloak service. | true |
adminType | enum | AdminType can be user or serviceAccount; if serviceAccount is specified, the client_credentials grant type is used to obtain the admin realm token. Enum: serviceAccount, user | false |
installMainRealm | boolean | | false |
realmName | string | | false |
ssoRealmName | string | | false |
users | []object | Users is a list of Keycloak users. | false |
Keycloak.spec.users[index]
Name | Type | Description | Required |
---|---|---|---|
username | string | Username of keycloak user | true |
realmRoles | []string | RealmRoles is a list of roles attached to keycloak user | false |
Keycloak.status
KeycloakStatus defines the observed state of Keycloak.
Name | Type | Description | Required |
---|---|---|---|
connected | boolean | | true |
v1.edp.epam.com/v1
Resource Types:
KeycloakAuthFlow
KeycloakAuthFlow is the Schema for the keycloak authentication flow API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakAuthFlow | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow. | false |
status | object | KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow. | false |
KeycloakAuthFlow.spec
KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for authentication flow. | true |
builtIn | boolean | BuiltIn is true if this is built-in auth flow. | true |
providerId | string | ProviderID for root auth flow and provider for child auth flows. | true |
topLevel | boolean | TopLevel is true if this is root auth flow. | true |
authenticationExecutions | []object | AuthenticationExecutions is list of authentication executions for this auth flow. | false |
childType | string | ChildType is type for auth flow if it has a parent, available options: basic-flow, form-flow | false |
description | string | Description is description for authentication flow. | false |
parentName | string | ParentName is name of parent auth flow. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is reference to Realm custom resource. | false |
KeycloakAuthFlow.spec.authenticationExecutions[index]
AuthenticationExecution defines a Keycloak authentication execution.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for this execution. | false |
authenticator | string | Authenticator is name of authenticator. | false |
authenticatorConfig | object | AuthenticatorConfig is configuration for authenticator. | false |
authenticatorFlow | boolean | AuthenticatorFlow is true if this is auth flow. | false |
priority | integer | Priority is priority for this execution. Lower values have higher priority. | false |
requirement | string | Requirement is requirement for this execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL. | false |
KeycloakAuthFlow.spec.authenticationExecutions[index].authenticatorConfig
AuthenticatorConfig is the configuration for the authenticator.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for authenticator config. | false |
config | map[string]string | Config is configuration for authenticator. | false |
KeycloakAuthFlow.spec.realmRef
RealmRef is a reference to a Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakAuthFlow.status
KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
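An added example (not from the operator's documentation) of a browser flow that requires a TOTP second factor after the username/password form, built from the v1 KeycloakAuthFlow fields above: a top-level flow with cookie and identity-provider shortcuts, and a child flow (parentName + childType) that holds the REQUIRED password and OTP executions. The aliases browser-with-otp and browser-with-otp-forms, the realm reference prod-realm and the priorities are assumptions; the authenticator ids are Keycloak's built-in provider ids. How the child flow's own requirement inside its parent is set is not covered by the fields on this page, so it is not shown.

```yaml
# Added example, not part of the operator docs. Aliases, realm name and priorities are assumptions.
apiVersion: v1.edp.epam.com/v1
kind: KeycloakAuthFlow
metadata:
  name: browser-with-otp
spec:
  realmRef:
    kind: ClusterKeycloakRealm
    name: prod-realm
  alias: browser-with-otp                  # referenced by the realm's authenticationFlows.browserFlow
  description: Browser login that always requires a TOTP second factor
  providerId: basic-flow
  topLevel: true
  builtIn: false
  authenticationExecutions:
    - authenticator: auth-cookie           # existing SSO session: skip re-authentication
      requirement: ALTERNATIVE
      priority: 10
    - authenticator: identity-provider-redirector
      requirement: ALTERNATIVE
      priority: 20
---
apiVersion: v1.edp.epam.com/v1
kind: KeycloakAuthFlow
metadata:
  name: browser-with-otp-forms
spec:
  realmRef:
    kind: ClusterKeycloakRealm
    name: prod-realm
  alias: browser-with-otp-forms
  parentName: browser-with-otp             # attaches this flow under the top-level one
  childType: basic-flow
  providerId: basic-flow
  topLevel: false
  builtIn: false
  authenticationExecutions:
    - authenticator: auth-username-password-form
      requirement: REQUIRED
      priority: 10
    - authenticator: auth-otp-form         # REQUIRED, not CONDITIONAL: users without TOTP cannot skip it
      requirement: REQUIRED
      priority: 20
```

Point the realm at the flow with ClusterKeycloakRealm.spec.authenticationFlows.browserFlow: browser-with-otp (or KeycloakRealm.spec.browserFlow for the namespaced realm). Before switching a production realm, check that every existing user either has a TOTP credential or carries the CONFIGURE_TOTP required action, otherwise the REQUIRED OTP step locks them out.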
KeycloakClient
KeycloakClient is the Schema for the keycloak clients API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakClient | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakClientSpec defines the desired state of KeycloakClient. | false |
status | object | KeycloakClientStatus defines the observed state of KeycloakClient. | false |
KeycloakClient.spec
KeycloakClientSpec defines the desired state of KeycloakClient.
Name | Type | Description | Required |
---|---|---|---|
clientId | string | ClientId is a unique keycloak client ID referenced in URI and tokens. | true |
advancedProtocolMappers | boolean | AdvancedProtocolMappers is a flag to enable advanced protocol mappers. | false |
attributes | map[string]string | Attributes is a map of client attributes. Default: {"post.logout.redirect.uris": "+"} | false |
authorization | object | Authorization is a client authorization configuration. | false |
authorizationServicesEnabled | boolean | AuthorizationServicesEnabled enables or disables fine-grained authorization (Authorization Services) support for the client. | false |
bearerOnly | boolean | BearerOnly is a flag to enable bearer-only. | false |
clientAuthenticatorType | string | ClientAuthenticatorType is a client authenticator type. Default: client-secret | false |
clientRoles | []string | ClientRoles is a list of client roles names assigned to client. | false |
consentRequired | boolean | ConsentRequired is a flag to enable consent. | false |
defaultClientScopes | []string | DefaultClientScopes is a list of default client scopes assigned to client. | false |
description | string | Description is a client description. | false |
directAccess | boolean | DirectAccess is a flag to set client as direct access. | false |
enabled | boolean | Enabled is a flag to enable client. Default: true | false |
frontChannelLogout | boolean | FrontChannelLogout is a flag to enable front channel logout. | false |
fullScopeAllowed | boolean | FullScopeAllowed is a flag to enable full scope. Default: true | false |
implicitFlowEnabled | boolean | ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code. | false |
name | string | Name is a client name. | false |
protocol | string | Protocol is a client protocol. | false |
protocolMappers | []object | ProtocolMappers is a list of protocol mappers assigned to client. | false |
public | boolean | Public is a flag to set client as public. | false |
realmRef | object | RealmRef is reference to Realm custom resource. | false |
realmRoles | []object | RealmRoles is a list of realm roles assigned to client. | false |
reconciliationStrategy | enum | ReconciliationStrategy is a strategy to reconcile client. Enum: full, addOnly | false |
redirectUris | []string | RedirectUris is a list of valid URI patterns a browser can redirect to after a successful login. Simple wildcards are allowed, such as 'https://example.com/*'. Relative paths can be specified too, such as /my/relative/path/. Relative paths are relative to the client root URL. If not specified, spec.webUrl + "/*" will be used. | false |
secret | string | Secret is the name of the Kubernetes secret where the client's secret will be stored. It should have the following format: $secretName:secretKey. If not specified, a client secret will be generated and stored in a secret with the name keycloak-client--secret. If the Keycloak client is public, the secret property is ignored. | false |
serviceAccount | object | ServiceAccount is a service account configuration. | false |
standardFlowEnabled | boolean | StandardFlowEnabled is a flag to enable standard flow. Default: true | false |
surrogateAuthRequired | boolean | SurrogateAuthRequired is a flag to enable surrogate auth. | false |
targetRealm | string | Deprecated: use RealmRef instead. TargetRealm is the name of the realm where the client will be created. It has higher priority than RealmRef for backward compatibility: if both TargetRealm and RealmRef are specified, TargetRealm is used for client creation. | false |
webOrigins | []string | WebOrigins is a list of allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'. If not specified, the value from | false |
webUrl | string | WebUrl is a client web url. | false |
KeycloakClient.spec.authorization
Authorization is a client authorization configuration.
Name | Type | Description | Required |
---|---|---|---|
permissions | []object | | false |
policies | []object | | false |
scopes | []string | | false |
KeycloakClient.spec.authorization.permissions[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a permission name. | true |
type | enum | Type is a permission type. Enum: resource, scope | true |
decisionStrategy | enum | DecisionStrategy is a permission decision strategy. Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS | false |
description | string | Description is a permission description. | false |
logic | enum | Logic is a permission logic. Enum: POSITIVE, NEGATIVE | false |
policies | []string | Policies is a list of policy names. Specifies all the policies that must be applied to the scopes defined by this policy or permission. | false |
resources | []string | Resources is a list of resource names. Specifies that this permission must be applied to all resource instances of a given type. | false |
scopes | []string | Scopes is a list of authorization scope names. Specifies that this permission must be applied to one or more scopes. | false |
KeycloakClient.spec.authorization.policies[index]
Policy represents a client authorization policy.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a policy name. | true |
type | enum | Type is a policy type. Enum: aggregate, client, group, role, time, user | true |
aggregatedPolicy | object | AggregatedPolicy is an aggregated policy settings. | false |
clientPolicy | object | ClientPolicy is a client policy settings. | false |
decisionStrategy | enum | DecisionStrategy is a policy decision strategy. Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS | false |
description | string | Description is a policy description. | false |
groupPolicy | object | GroupPolicy is a group policy settings. | false |
logic | enum | Logic is a policy logic. Enum: POSITIVE, NEGATIVE | false |
rolePolicy | object | RolePolicy is a role policy settings. | false |
timePolicy | object | TimePolicy is the time policy settings. | false |
userPolicy | object | UserPolicy is a user policy settings. | false |
KeycloakClient.spec.authorization.policies[index].aggregatedPolicy
AggregatedPolicy is the aggregated policy settings.
Name | Type | Description | Required |
---|---|---|---|
policies | []string | Policies is a list of aggregated policy names. Specifies all the policies that must be applied to the scopes defined by this policy or permission. | true |
KeycloakClient.spec.authorization.policies[index].clientPolicy
ClientPolicy is the client policy settings.
Name | Type | Description | Required |
---|---|---|---|
clients | []string | Clients is a list of client names. Specifies which client(s) are allowed by this policy. | true |
KeycloakClient.spec.authorization.policies[index].groupPolicy
GroupPolicy is the group policy settings.
Name | Type | Description | Required |
---|---|---|---|
groups | []object | Groups is a list of group names. Specifies which group(s) are allowed by this policy. | false |
groupsClaim | string | GroupsClaim is a groups claim. If defined, the policy fetches the user's groups from the given claim within an access token or ID token representing the identity asking for permissions. If not defined, the user's groups are obtained from your realm configuration. | false |
KeycloakClient.spec.authorization.policies[index].groupPolicy.groups[index]
GroupDefinition represents a group in a GroupPolicyData.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a group name. | true |
extendChildren | boolean | ExtendChildren is a flag that specifies whether to extend children. | false |
KeycloakClient.spec.authorization.policies[index].rolePolicy
RolePolicy is the role policy settings.
Name | Type | Description | Required |
---|---|---|---|
roles | []object | Roles is a list of roles. | true |
KeycloakClient.spec.authorization.policies[index].rolePolicy.roles[index]
RoleDefinition represents a role in a RolePolicyData.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a role name. | true |
required | boolean | Required is a flag that specifies whether the role is required. | false |
KeycloakClient.spec.authorization.policies[index].timePolicy
TimePolicy is the time policy settings.
Name | Type | Description | Required |
---|---|---|---|
notBefore | string | NotBefore defines the time before which the policy MUST NOT be granted. Only granted if the current date/time is after or equal to this value. | true |
notOnOrAfter | string | NotOnOrAfter defines the time after which the policy MUST NOT be granted. Only granted if the current date/time is before or equal to this value. | true |
dayMonth | string | DayMonth defines the day of the month on which the policy MUST be granted. You can also provide a range by filling the dayMonthEnd field. In this case, permission is granted only if the current day of the month is between or equal to the two values you provided. | false |
dayMonthEnd | string | | false |
hour | string | Hour defines the hour when the policy MUST be granted. You can also provide a range by filling the hourEnd field. In this case, permission is granted only if the current hour is between or equal to the two values you provided. | false |
hourEnd | string | | false |
minute | string | Minute defines the minute when the policy MUST be granted. You can also provide a range by filling the minuteEnd field. In this case, permission is granted only if the current minute is between or equal to the two values you provided. | false |
minuteEnd | string | | false |
month | string | Month defines the month in which the policy MUST be granted. You can also provide a range by filling the monthEnd field. In this case, permission is granted only if the current month is between or equal to the two values you provided. | false |
monthEnd | string | | false |
KeycloakClient.spec.authorization.policies[index].userPolicy
UserPolicy is the user policy settings.
Name | Type | Description | Required |
---|---|---|---|
users | []string | Users is a list of usernames. Specifies which user(s) are allowed by this policy. | true |
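The client fields and the authorization policy/permission tables above fit together as shown in this added manifest, which is not taken from the operator's own docs. The apiVersion, the clientId field (documented above this section), the realm name, the role name, the Secret name and the time format of notBefore/notOnOrAfter are assumptions.

```yaml
# Added example (not from the operator's documentation): a confidential
# KeycloakClient whose secret is read from a Kubernetes Secret, with
# authorization services enabled. All names below are assumed values.
apiVersion: v1.edp.epam.com/v1   # assumed apiVersion of KeycloakClient
kind: KeycloakClient
metadata:
  name: orders-api
  namespace: keycloak
spec:
  realmRef:
    kind: KeycloakRealm
    name: main-realm              # assumed name of an existing KeycloakRealm CR
  clientId: orders-api            # assumed: required field documented above this section
  webUrl: https://orders.example.com
  public: false                   # confidential client, so `secret` is honoured
  secret: $orders-api-client:secret   # $secretName:secretKey; the Secret is assumed to exist
  clientAuthenticatorType: client-secret
  standardFlowEnabled: true
  implicitFlowEnabled: false      # no tokens in the URL fragment
  directAccess: false             # no resource-owner-password grants
  redirectUris:
    - https://orders.example.com/callback   # exact URI, no bare '*' wildcard
    - /silent-check-sso.html                # relative to webUrl
  webOrigins:
    - "+"                         # only the origins of the redirect URIs above
  defaultClientScopes:
    - profile
    - email
  serviceAccount:
    enabled: true                 # authorization services use the client's service account
  authorizationServicesEnabled: true
  authorization:
    scopes:
      - orders:read
      - orders:write
    policies:
      - name: editors-only
        type: role
        logic: POSITIVE
        rolePolicy:
          roles:
            - name: order-editor  # assumed realm role
              required: true
      - name: business-hours
        type: time
        logic: POSITIVE
        timePolicy:
          notBefore: "2024-01-01 00:00:00"     # assumed "yyyy-MM-dd HH:mm:ss" format
          notOnOrAfter: "2030-01-01 00:00:00"
          hour: "9"
          hourEnd: "17"           # granted only between 09:00 and 17:00
      - name: editors-in-hours
        type: aggregate
        decisionStrategy: UNANIMOUS   # both aggregated policies must grant
        aggregatedPolicy:
          policies:
            - editors-only
            - business-hours
    permissions:
      - name: write-orders
        type: scope
        decisionStrategy: UNANIMOUS
        scopes:
          - orders:write          # refers to authorization.scopes above
        policies:
          - editors-in-hours      # refers to the aggregate policy by name
```

Permissions and aggregated policies reference other policies purely by name, so a misspelled name breaks the chain silently at reconcile time; check the resource's status.value after applying it.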
KeycloakClient.spec.protocolMappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | Config is a map of protocol mapper configuration. | false |
name | string | Name is a protocol mapper name. | false |
protocol | string | Protocol is a protocol name. | false |
protocolMapper | string | ProtocolMapper is a protocol mapper name. | false |
KeycloakClient.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakClient.spec.realmRoles[index]
Name | Type | Description | Required |
---|---|---|---|
composite | string | Composite is a realm composite role name. | true |
name | string | Name is a realm role name. | false |
KeycloakClient.spec.serviceAccount
ServiceAccount is a service account configuration.
Name | Type | Description | Required |
---|---|---|---|
attributes | map[string]string | Attributes is a map of service account attributes. | false |
clientRoles | []object | ClientRoles is a list of client roles assigned to service account. | false |
enabled | boolean | Enabled is a flag to enable service account. | false |
realmRoles | []string | RealmRoles is a list of realm roles assigned to service account. | false |
KeycloakClient.spec.serviceAccount.clientRoles[index]
Name | Type | Description | Required |
---|---|---|---|
clientId | string | ClientID is a client ID. | true |
roles | []string | Roles is a list of client roles names assigned to service account. | false |
KeycloakClient.status
KeycloakClientStatus defines the observed state of KeycloakClient.
Name | Type | Description | Required |
---|---|---|---|
clientId | string | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakClientScope
KeycloakClientScope is the Schema for the keycloakclientscopes API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakClientScope | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakClientScopeSpec defines the desired state of KeycloakClientScope. | false |
status | object | KeycloakClientScopeStatus defines the observed state of KeycloakClientScope. | false |
KeycloakClientScope.spec
KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of keycloak client scope. | true |
protocol | string | Protocol is SSO protocol configuration which is being supplied by this client scope. | true |
attributes | map[string]string | Attributes is a map of client scope attributes. | false |
default | boolean | Default is a flag to set client scope as default. | false |
description | string | Description is a description of client scope. | false |
protocolMappers | []object | ProtocolMappers is a list of protocol mappers assigned to client scope. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
KeycloakClientScope.spec.protocolMappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | Config is a map of protocol mapper configuration. | false |
name | string | Name is a protocol mapper name. | false |
protocol | string | Protocol is a protocol name. | false |
protocolMapper | string | ProtocolMapper is a protocol mapper name. | false |
KeycloakClientScope.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakClientScope.status
KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | | false |
value | string | | false |
KeycloakRealmComponent
KeycloakRealmComponent is the Schema for the keycloak component API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmComponent | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakComponentSpec defines the desired state of KeycloakRealmComponent. | false |
status | object | KeycloakComponentStatus defines the observed state of KeycloakRealmComponent. | false |
KeycloakRealmComponent.spec
KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of keycloak component. | true |
providerId | string | ProviderID is a provider ID of component. | true |
providerType | string | ProviderType is a provider type of component. | true |
config | map[string][]string | Config is a map of component configuration. The map key is the name of a configuration property; the map value is an array of values for that property. Any configuration property can be a reference to a Kubernetes secret, in which case the property should be in the format $secretName:secretKey. | false |
parentRef | object | ParentRef specifies a parent resource. If not specified, the parent is the realm specified in the realm field. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
KeycloakRealmComponent.spec.parentRef
ParentRef specifies a parent resource. If not specified, the parent is the realm specified in the realm field.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is the name of the parent component custom resource. For example, if Kind is KeycloakRealm, then Name is the name of the KeycloakRealm custom resource. | true |
kind | enum | Kind is a kind of parent component. By default, it is KeycloakRealm. Enum: KeycloakRealm, KeycloakRealmComponent | false |
KeycloakRealmComponent.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmComponent.status
KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmGroup
KeycloakRealmGroup is the Schema for the keycloak group API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmGroup | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup. | false |
status | object | KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup. | false |
KeycloakRealmGroup.spec
KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of keycloak group. | true |
access | map[string]boolean | Access is a map of group access. | false |
attributes | map[string][]string | Attributes is a map of group attributes. | false |
clientRoles | []object | ClientRoles is a list of client roles assigned to group. | false |
path | string | Path is a group path. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
realmRoles | []string | RealmRoles is a list of realm roles assigned to group. | false |
subGroups | []string | SubGroups is a list of subgroups assigned to group. | false |
KeycloakRealmGroup.spec.clientRoles[index]
Name | Type | Description | Required |
---|---|---|---|
clientId | string | ClientID is a client ID. | true |
roles | []string | Roles is a list of client role names assigned to the group. | false |
KeycloakRealmGroup.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmGroup.status
KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | ID is a group ID. | false |
value | string | | false |
KeycloakRealmIdentityProvider
KeycloakRealmIdentityProvider is the Schema for the keycloak realm identity provider API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmIdentityProvider | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider. | false |
status | object | KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider. | false |
KeycloakRealmIdentityProvider.spec
KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is an alias of the identity provider. | true |
config | map[string]string | Config is a map of identity provider configuration. The map key is the name of a configuration property; the map value is its value. Any value can be a reference to a Kubernetes secret, in which case the value should be in the format $secretName:secretKey. | true |
enabled | boolean | Enabled is a flag to enable/disable identity provider. | true |
providerId | string | ProviderID is a provider ID of identity provider. | true |
addReadTokenRoleOnCreate | boolean | AddReadTokenRoleOnCreate is a flag to add read token role on create. | false |
authenticateByDefault | boolean | AuthenticateByDefault is a flag to authenticate by default. | false |
displayName | string | DisplayName is a display name of identity provider. | false |
firstBrokerLoginFlowAlias | string | FirstBrokerLoginFlowAlias is a first broker login flow alias. | false |
linkOnly | boolean | LinkOnly is a flag to link only. | false |
mappers | []object | Mappers is a list of identity provider mappers. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
storeToken | boolean | StoreToken is a flag to store token. | false |
trustEmail | boolean | TrustEmail is a flag to trust email. | false |
KeycloakRealmIdentityProvider.spec.mappers[index]
Name | Type | Description | Required |
---|---|---|---|
config | map[string]string | Config is a map of identity provider mapper configuration. | false |
identityProviderAlias | string | IdentityProviderAlias is an identity provider alias. | false |
identityProviderMapper | string | IdentityProviderMapper is an identity provider mapper. | false |
name | string | Name is a name of identity provider mapper. | false |
KeycloakRealmIdentityProvider.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmIdentityProvider.status
KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmRoleBatch
KeycloakRealmRoleBatch is the Schema for the keycloak roles API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmRoleBatch | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch. | false |
status | object | KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch. | false |
KeycloakRealmRoleBatch.spec
KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.
Name | Type | Description | Required |
---|---|---|---|
roles | []object | Roles is a list of roles to be created. | true |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
KeycloakRealmRoleBatch.spec.roles[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of keycloak role. | true |
attributes | map[string][]string | Attributes is a map of role attributes. | false |
composite | boolean | Composite is a flag if role is composite. | false |
composites | []object | Composites is a list of composites roles assigned to role. | false |
description | string | Description is a role description. | false |
isDefault | boolean | IsDefault is a flag if role is default. | false |
KeycloakRealmRoleBatch.spec.roles[index].composites[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a name of composite role. | true |
KeycloakRealmRoleBatch.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmRoleBatch.status
KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmRole
KeycloakRealmRole is the Schema for the keycloak role API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmRole | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole. | false |
status | object | KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole. | false |
KeycloakRealmRole.spec
KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of keycloak role. | true |
attributes | map[string][]string | Attributes is a map of role attributes. | false |
composite | boolean | Composite is a flag if role is composite. | false |
composites | []object | Composites is a list of composites roles assigned to role. | false |
compositesClientRoles | map[string][]object | CompositesClientRoles is a map of composites client roles assigned to role. | false |
description | string | Description is a role description. | false |
isDefault | boolean | IsDefault is a flag if role is default. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
KeycloakRealmRole.spec.composites[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a name of composite role. | true |
KeycloakRealmRole.spec.compositesClientRoles[key][index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a name of composite role. | true |
KeycloakRealmRole.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmRole.status
KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
id | string | ID is a role ID. | false |
value | string | | false |
KeycloakRealm
KeycloakRealm is the Schema for the keycloak realms API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealm | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmSpec defines the desired state of KeycloakRealm. | false |
status | object | KeycloakRealmStatus defines the observed state of KeycloakRealm. | false |
KeycloakRealm.spec
KeycloakRealmSpec defines the desired state of KeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
realmName | string | RealmName specifies the name of the realm. | true |
browserFlow | string | BrowserFlow specifies the authentication flow to use for the realm's browser clients. | false |
browserSecurityHeaders | map[string]string | BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients. | false |
frontendUrl | string | FrontendURL sets the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm. | false |
id | string | ID is the ID of the realm. | false |
keycloakOwner | string | Deprecated: use KeycloakRef instead. KeycloakOwner specifies the name of the Keycloak instance that owns the realm. | false |
keycloakRef | object | KeycloakRef is a reference to the Keycloak custom resource. | false |
passwordPolicy | []object | PasswordPolicies is a list of password policies to apply to the realm. | false |
realmEventConfig | object | RealmEventConfig is the configuration for events in the realm. | false |
themes | object | Themes is a map of themes to apply to the realm. | false |
tokenSettings | object | TokenSettings is the configuration for tokens in the realm. | false |
users | []object | Users is a list of users to create in the realm. | false |
KeycloakRealm.spec.keycloakRef
KeycloakRef is a reference to the Keycloak custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: Keycloak, ClusterKeycloak | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealm.spec.passwordPolicy[index]
Name | Type | Description | Required |
---|---|---|---|
type | string | Type of password policy. | true |
value | string | Value of password policy. | true |
KeycloakRealm.spec.realmEventConfig
RealmEventConfig is the configuration for events in the realm.
Name | Type | Description | Required |
---|---|---|---|
adminEventsDetailsEnabled | boolean | AdminEventsDetailsEnabled indicates whether to enable detailed admin events. | false |
adminEventsEnabled | boolean | AdminEventsEnabled indicates whether to enable admin events. | false |
enabledEventTypes | []string | EnabledEventTypes is a list of event types to enable. | false |
eventsEnabled | boolean | EventsEnabled indicates whether to enable events. | false |
eventsExpiration | integer | EventsExpiration is the number of seconds after which events expire. | false |
eventsListeners | []string | EventsListeners is a list of event listeners to enable. | false |
KeycloakRealm.spec.themes
Themes is a map of themes to apply to the realm.
Name | Type | Description | Required |
---|---|---|---|
accountTheme | string | AccountTheme specifies the account theme to use for the realm. | false |
adminConsoleTheme | string | AdminConsoleTheme specifies the admin console theme to use for the realm. | false |
emailTheme | string | EmailTheme specifies the email theme to use for the realm. | false |
internationalizationEnabled | boolean | InternationalizationEnabled indicates whether to enable internationalization. | false |
loginTheme | string | LoginTheme specifies the login theme to use for the realm. | false |
KeycloakRealm.spec.tokenSettings
TokenSettings is the configuration for tokens in the realm.
Name | Type | Description | Required |
---|---|---|---|
accessCodeLifespan | integer | AccessCodeLifespan specifies the max time (in seconds) a client has to finish the access token protocol. This should normally be 1 minute. Default: 60 | false |
accessToken | integer | AccessTokenLifespanForImplicitFlow specifies the max time (in seconds) before an access token issued by the implicit flow expires. Default: 900 | false |
accessTokenLifespan | integer | AccessTokenLifespan specifies the max time (in seconds) before an access token expires. This value is recommended to be short relative to the SSO timeout. Default: 300 | false |
actionTokenGeneratedByAdminLifespan | integer | ActionTokenGeneratedByAdminLifespan specifies the max time (in seconds) before an action permit sent to a user by an administrator expires. This value is recommended to be long, to allow administrators to send e-mails to users that are currently offline. The default timeout can be overridden immediately before issuing the token. Default: 43200 | false |
actionTokenGeneratedByUserLifespan | integer | AccessCodeLifespanUserAction specifies the max time (in seconds) before an action permit sent by a user (such as a forgot-password e-mail) expires. This value is recommended to be short because the user is expected to react to a self-created action quickly. Default: 300 | false |
defaultSignatureAlgorithm | enum | DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm. Enum: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512 | false |
refreshTokenMaxReuse | integer | RefreshTokenMaxReuse specifies the maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate. Default: 0 | false |
revokeRefreshToken | boolean | RevokeRefreshToken: if enabled, a refresh token can only be used up to 'refreshTokenMaxReuse' times and is revoked when a different token is used. Otherwise, refresh tokens are not revoked when used and can be used multiple times. Default: false | false |
KeycloakRealm.spec.users[index]
Name | Type | Description | Required |
---|---|---|---|
username | string | Username of keycloak user. | true |
realmRoles | []string | RealmRoles is a list of roles attached to keycloak user. | false |
KeycloakRealm.status
KeycloakRealmStatus defines the observed state of KeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
available | boolean | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakRealmUser
KeycloakRealmUser is the Schema for the keycloak user API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakRealmUser | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser. | false |
status | object | KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser. | false |
KeycloakRealmUser.spec
KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.
Name | Type | Description | Required |
---|---|---|---|
username | string | Username is the username in Keycloak. | true |
attributes | map[string]string | Attributes is a map of user attributes. | false |
email | string | Email is the user's email. | false |
emailVerified | boolean | EmailVerified is the user's email-verified flag. | false |
enabled | boolean | Enabled is the user's enabled flag. | false |
firstName | string | FirstName is the user's first name. | false |
groups | []string | Groups is a list of groups assigned to the user. | false |
keepResource | boolean | KeepResource, when set to false, results in the deletion of the KeycloakRealmUser Custom Resource (CR) from the cluster after the corresponding user is created in Keycloak. The user will continue to exist in Keycloak. When set to true, the CR will not be deleted after processing. Default: true | false |
lastName | string | LastName is the user's last name. | false |
password | string | Password is the user's password, kept in plain text inside the Custom Resource. For security reasons, using PasswordSecret instead is recommended. | false |
passwordSecret | object | PasswordSecret defines the Kubernetes Secret name and key that hold the user's secret. | false |
realm | string | Deprecated: use RealmRef instead. Realm is the name of the KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is a reference to the Realm custom resource. | false |
reconciliationStrategy | string | ReconciliationStrategy is the strategy for reconciliation. Possible values: full, create-only. Default value: full. If set to create-only, the user is created only if it does not exist; an existing user is not updated. If set to full, the user is created if it does not exist, or updated if it exists. | false |
requiredUserActions | []string | RequiredUserActions is a list of actions the user must complete at login, for example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL. | false |
roles | []string | Roles is a list of roles assigned to the user. | false |
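Added example (not from the operator's own documentation): a KeycloakRealmUser that keeps the password out of the CR by referencing a Kubernetes Secret via passwordSecret, and forces a password change plus TOTP enrolment on first login. The Secret name, realm name, role and group names are constructed; the `email` field name is taken from the description row above.

```yaml
# Constructed example: the Secret that holds the initial password.
apiVersion: v1
kind: Secret
metadata:
  name: alice-credentials          # constructed name
type: Opaque
stringData:
  password: "<initial-password-placeholder>"
---
apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmUser
metadata:
  name: alice
spec:
  realmRef:
    kind: KeycloakRealm
    name: main-realm                # constructed KeycloakRealm CR name
  username: alice
  email: alice@example.com
  emailVerified: false
  enabled: true
  firstName: Alice
  lastName: Example
  # Do not set spec.password (plain text in the CR); point at the Secret instead.
  passwordSecret:
    name: alice-credentials
    key: password
  # The user must rotate the bootstrap password and enrol a TOTP device at first login.
  requiredUserActions:
    - UPDATE_PASSWORD
    - CONFIGURE_TOTP
  roles:
    - developer                     # constructed role name
  groups:
    - developers                    # constructed group name
  # create-only: changes made to the user later in Keycloak are not overwritten.
  reconciliationStrategy: create-only
  # Keep the CR so the desired state remains visible and auditable in the cluster.
  keepResource: true
```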
KeycloakRealmUser.spec.passwordSecret
PasswordSecret defines the Kubernetes Secret name and key that hold the user's secret.
Name | Type | Description | Required |
---|---|---|---|
key | string | Key is the key in the secret. | true |
name | string | Name is the name of the secret. | true |
KeycloakRealmUser.spec.realmRef
RealmRef is a reference to the Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakRealmUser.status
KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
Keycloak
Keycloak is the Schema for the keycloaks API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | Keycloak | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakSpec defines the desired state of Keycloak. | false |
status | object | KeycloakStatus defines the observed state of Keycloak. Default: map[connected:false] | false |
Keycloak.spec
KeycloakSpec defines the desired state of Keycloak.
Name | Type | Description | Required |
---|---|---|---|
secret | string | Secret is the name of the Secret that contains the admin credentials. | true |
url | string | URL of the Keycloak service. | true |
adminType | enum | AdminType can be user or serviceAccount. If serviceAccount is specified, the client_credentials grant type is used to obtain the admin realm token. Enum: serviceAccount, user | false |
caCert | object | CACert defines the root certificate authority that the API client uses when verifying server certificates. | false |
insecureSkipVerify | boolean | InsecureSkipVerify controls whether the API client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the API client accepts any certificate presented by the server and any host name in that certificate. | false |
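Added example (not from the operator's own documentation): a Keycloak connection CR that trusts a private CA through caCert.secretKeyRef instead of disabling verification with insecureSkipVerify. The URL, Secret names and CA contents are constructed placeholders.

```yaml
# Constructed example: Secret carrying the CA bundle used to verify the Keycloak server.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-ca                # constructed name
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <CA certificate PEM placeholder>
    -----END CERTIFICATE-----
---
apiVersion: v1.edp.epam.com/v1
kind: Keycloak
metadata:
  name: main-keycloak              # constructed name
spec:
  url: https://keycloak.example.com
  # Name of the Secret holding the admin credentials (contents not shown here).
  secret: keycloak-admin           # constructed name
  # serviceAccount: the operator fetches the admin token with the client_credentials grant.
  adminType: serviceAccount
  # Pin trust to the CA in the Secret; insecureSkipVerify stays at its default of false,
  # so the certificate chain and host name are still checked.
  caCert:
    secretKeyRef:
      name: keycloak-ca
      key: ca.crt
  insecureSkipVerify: false
```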
Keycloak.spec.caCert
CACert defines the root certificate authority that the API client uses when verifying server certificates.
Name | Type | Description | Required |
---|---|---|---|
configMapKeyRef | object | Selects a key of a ConfigMap. | false |
secretKeyRef | object | Selects a key of a secret. | false |
Keycloak.spec.caCert.configMapKeyRef
Selects a key of a ConfigMap.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key to select. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid? | false |
Keycloak.spec.caCert.secretKeyRef
Selects a key of a secret.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key of the secret to select from. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid? | false |
Keycloak.status
KeycloakStatus defines the observed state of Keycloak.
Name | Type | Description | Required |
---|---|---|---|
connected | boolean | Connected shows whether the Keycloak service is up and running. | true |