Skip to main content
Version: 3.10

Keycloak Operator API

Packages:

v1.edp.epam.com/v1alpha1

Resource Types:

ClusterKeycloakRealm​

↩ Parent

ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1alpha1true
kindstringClusterKeycloakRealmtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.

false
statusobject

ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.

false

ClusterKeycloakRealm.spec​

↩ Parent

ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.

NameTypeDescriptionRequired
clusterKeycloakRefstring

ClusterKeycloakRef is a name of the ClusterKeycloak instance that owns the realm.

true
realmNamestring

RealmName specifies the name of the realm.

true
authenticationFlowsobject

AuthenticationFlow is the configuration for authentication flows in the realm.

false
browserSecurityHeadersmap[string]string

BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.

false
frontendUrlstring

FrontendURL Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.

false
localizationobject

Localization is the configuration for localization in the realm.

false
passwordPolicy[]object

PasswordPolicies is a list of password policies to apply to the realm.

false
realmEventConfigobject

RealmEventConfig is the configuration for events in the realm.

false
themesobject

Themes is a map of themes to apply to the realm.

false
tokenSettingsobject

TokenSettings is the configuration for tokens in the realm.

false

ClusterKeycloakRealm.spec.authenticationFlows​

↩ Parent

AuthenticationFlow is the configuration for authentication flows in the realm.

NameTypeDescriptionRequired
browserFlowstring

BrowserFlow specifies the authentication flow to use for the realm's browser clients.

false

ClusterKeycloakRealm.spec.localization​

↩ Parent

Localization is the configuration for localization in the realm.

NameTypeDescriptionRequired
internationalizationEnabledboolean

InternationalizationEnabled indicates whether to enable internationalization.

false

ClusterKeycloakRealm.spec.passwordPolicy[index]​

↩ Parent
NameTypeDescriptionRequired
typestring

Type of password policy.

true
valuestring

Value of password policy.

true

ClusterKeycloakRealm.spec.realmEventConfig​

↩ Parent

RealmEventConfig is the configuration for events in the realm.

NameTypeDescriptionRequired
adminEventsDetailsEnabledboolean

AdminEventsDetailsEnabled indicates whether to enable detailed admin events.

false
adminEventsEnabledboolean

AdminEventsEnabled indicates whether to enable admin events.

false
enabledEventTypes[]string

EnabledEventTypes is a list of event types to enable.

false
eventsEnabledboolean

EventsEnabled indicates whether to enable events.

false
eventsExpirationinteger

EventsExpiration is the number of seconds after which events expire.

false
eventsListeners[]string

EventsListeners is a list of event listeners to enable.

false

ClusterKeycloakRealm.spec.themes​

↩ Parent

Themes is a map of themes to apply to the realm.

NameTypeDescriptionRequired
accountThemestring

AccountTheme specifies the account theme to use for the realm.

false
adminConsoleThemestring

AdminConsoleTheme specifies the admin console theme to use for the realm.

false
emailThemestring

EmailTheme specifies the email theme to use for the realm.

false
loginThemestring

LoginTheme specifies the login theme to use for the realm.

false

ClusterKeycloakRealm.spec.tokenSettings​

↩ Parent

TokenSettings is the configuration for tokens in the realm.

NameTypeDescriptionRequired
accessCodeLifespaninteger

AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol. This should normally be 1 minute.


Default: 60

false
accessTokeninteger

AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.


Default: 900

false
accessTokenLifespaninteger

AccessTokenLifespan specifies max time(in seconds) before an access token is expired. This value is recommended to be short relative to the SSO timeout.


Default: 300

false
actionTokenGeneratedByAdminLifespaninteger

ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.


Default: 43200

false
actionTokenGeneratedByUserLifespaninteger

AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it's expected that the user would react to self-created action quickly.


Default: 300

false
defaultSignatureAlgorithmenum

DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm


Enum: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512
Default: RS256

false
refreshTokenMaxReuseinteger

RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.


Default: 0

false
revokeRefreshTokenboolean

RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and is revoked when a different token is used. Otherwise, refresh tokens are not revoked when used and can be used multiple times.


Default: false

false

ClusterKeycloakRealm.status​

↩ Parent

ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.

NameTypeDescriptionRequired
availableboolean
false
failureCountinteger

Format: int64

false
valuestring
false

ClusterKeycloak​

↩ Parent

ClusterKeycloak is the Schema for the clusterkeycloaks API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1alpha1true
kindstringClusterKeycloaktrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

ClusterKeycloakSpec defines the desired state of ClusterKeycloak.

false
statusobject

ClusterKeycloakStatus defines the observed state of ClusterKeycloak.


Default: map[connected:false]

false

ClusterKeycloak.spec​

↩ Parent

ClusterKeycloakSpec defines the desired state of ClusterKeycloak.

NameTypeDescriptionRequired
secretstring

Secret is a secret name which contains admin credentials.

true
urlstring

URL of keycloak service.

true
adminTypeenum

AdminType can be user or serviceAccount, if serviceAccount was specified, then client_credentials grant type should be used for getting admin realm token.


Enum: serviceAccount, user
Default: user

false
caCertobject

CACert defines the root certificate authority that api clients use when verifying server certificates. Resources should be in the namespace defined in operator OPERATOR_NAMESPACE env.

false
insecureSkipVerifyboolean

InsecureSkipVerify controls whether api client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, api client accepts any certificate presented by the server and any host name in that certificate.

false

ClusterKeycloak.spec.caCert​

↩ Parent

CACert defines the root certificate authority that api clients use when verifying server certificates. Resources should be in the namespace defined in operator OPERATOR_NAMESPACE env.

NameTypeDescriptionRequired
configMapKeyRefobject

Selects a key of a ConfigMap.

false
secretKeyRefobject

Selects a key of a secret.

false

ClusterKeycloak.spec.caCert.configMapKeyRef​

↩ Parent

Selects a key of a ConfigMap.

NameTypeDescriptionRequired
keystring

The key to select.

true
namestring

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

false

ClusterKeycloak.spec.caCert.secretKeyRef​

↩ Parent

Selects a key of a secret.

NameTypeDescriptionRequired
keystring

The key of the secret to select from.

true
namestring

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

false

ClusterKeycloak.status​

↩ Parent

ClusterKeycloakStatus defines the observed state of ClusterKeycloak.

NameTypeDescriptionRequired
connectedboolean

Connected shows if keycloak service is up and running.

true

v1.edp.epam.com/v1

Resource Types:

KeycloakAuthFlow​

↩ Parent

KeycloakAuthFlow is the Schema for the keycloak authentication flow API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakAuthFlowtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.

false
statusobject

KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.

false

KeycloakAuthFlow.spec​

↩ Parent

KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.

NameTypeDescriptionRequired
aliasstring

Alias is display name for authentication flow.

true
builtInboolean

BuiltIn is true if this is built-in auth flow.

true
providerIdstring

ProviderID for root auth flow and provider for child auth flows.

true
topLevelboolean

TopLevel is true if this is root auth flow.

true
authenticationExecutions[]object

AuthenticationExecutions is list of authentication executions for this auth flow.

false
childTypestring

ChildType is type for auth flow if it has a parent, available options: basic-flow, form-flow

false
descriptionstring

Description is description for authentication flow.

false
parentNamestring

ParentName is name of parent auth flow.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false

KeycloakAuthFlow.spec.authenticationExecutions[index]​

↩ Parent

AuthenticationExecution defines keycloak authentication execution.

NameTypeDescriptionRequired
aliasstring

Alias is display name for this execution.

false
authenticatorstring

Authenticator is name of authenticator.

false
authenticatorConfigobject

AuthenticatorConfig is configuration for authenticator.

false
authenticatorFlowboolean

AuthenticatorFlow is true if this is auth flow.

false
priorityinteger

Priority is priority for this execution. Lower values have higher priority.

false
requirementstring

Requirement is requirement for this execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL.

false

KeycloakAuthFlow.spec.authenticationExecutions[index].authenticatorConfig​

↩ Parent

AuthenticatorConfig is configuration for authenticator.

NameTypeDescriptionRequired
aliasstring

Alias is display name for authenticator config.

false
configmap[string]string

Config is configuration for authenticator.

false

KeycloakAuthFlow.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakAuthFlow.status​

↩ Parent

KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
valuestring
false

KeycloakClient​

↩ Parent

KeycloakClient is the Schema for the keycloak clients API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakClienttrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakClientSpec defines the desired state of KeycloakClient.

false
statusobject

KeycloakClientStatus defines the observed state of KeycloakClient.

false

KeycloakClient.spec​

↩ Parent

KeycloakClientSpec defines the desired state of KeycloakClient.

NameTypeDescriptionRequired
clientIdstring

ClientId is a unique keycloak client ID referenced in URI and tokens.

true
advancedProtocolMappersboolean

AdvancedProtocolMappers is a flag to enable advanced protocol mappers.

false
attributesmap[string]string

Attributes is a map of client attributes.


Default: map[post.logout.redirect.uris:+]

false
authorizationobject

Authorization is a client authorization configuration.

false
authorizationServicesEnabledboolean

ServiceAccountsEnabled enable/disable fine-grained authorization support for a client.

false
bearerOnlyboolean

BearerOnly is a flag to enable bearer-only.

false
clientAuthenticatorTypestring

ClientAuthenticatorType is a client authenticator type.


Default: client-secret

false
clientRoles[]string

ClientRoles is a list of client roles names assigned to client.

false
consentRequiredboolean

ConsentRequired is a flag to enable consent.

false
defaultClientScopes[]string

DefaultClientScopes is a list of default client scopes assigned to client.

false
descriptionstring

Description is a client description.

false
directAccessboolean

DirectAccess is a flag to set client as direct access.

false
enabledboolean

Enabled is a flag to enable client.


Default: true

false
frontChannelLogoutboolean

FrontChannelLogout is a flag to enable front channel logout.

false
fullScopeAllowedboolean

FullScopeAllowed is a flag to enable full scope.


Default: true

false
implicitFlowEnabledboolean

ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code.

false
namestring

Name is a client name.

false
protocolstring

Protocol is a client protocol.

false
protocolMappers[]object

ProtocolMappers is a list of protocol mappers assigned to client.

false
publicboolean

Public is a flag to set client as public.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false
realmRoles[]object

RealmRoles is a list of realm roles assigned to client.

false
reconciliationStrategyenum

ReconciliationStrategy is a strategy to reconcile client.


Enum: full, addOnly

false
redirectUris[]string

RedirectUris is a list of valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'https://example.com/'. Relative path can be specified too, such as /my/relative/path/. Relative paths are relative to the client root URL. If not specified, spec.webUrl + "/*" will be used.

false
secretstring

Secret is kubernetes secret name where the client's secret will be stored. Secret should have the following format: $secretName:secretKey. If not specified, a client secret will be generated and stored in a secret with the name keycloak-client--secret. If keycloak client is public, secret property will be ignored.

false
serviceAccountobject

ServiceAccount is a service account configuration.

false
standardFlowEnabledboolean

StandardFlowEnabled is a flag to enable standard flow.


Default: true

false
surrogateAuthRequiredboolean

SurrogateAuthRequired is a flag to enable surrogate auth.

false
targetRealmstring

Deprecated: use RealmRef instead. TargetRealm is a realm name where client will be created. It has higher priority than RealmRef for backward compatibility. If both TargetRealm and RealmRef are specified, TargetRealm will be used for client creation.

false
webOrigins[]string

WebOrigins is a list of allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '' wildcard though. To permit all origins, explicitly add ''. If not specified, the value from WebUrl is used

false
webUrlstring

WebUrl is a client web url.

false

KeycloakClient.spec.authorization​

↩ Parent

Authorization is a client authorization configuration.

NameTypeDescriptionRequired
permissions[]object
false
policies[]object
false
scopes[]string
false

KeycloakClient.spec.authorization.permissions[index]​

↩ Parent
NameTypeDescriptionRequired
namestring

Name is a permission name.

true
typeenum

Type is a permission type.


Enum: resource, scope

true
decisionStrategyenum

DecisionStrategy is a permission decision strategy.


Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS
Default: UNANIMOUS

false
descriptionstring

Description is a permission description.

false
logicenum

Logic is a permission logic.


Enum: POSITIVE, NEGATIVE
Default: POSITIVE

false
policies[]string

Policies is a list of policies names. Specifies all the policies that must be applied to the scopes defined by this policy or permission.

false
resources[]string

Resources is a list of resources names. Specifies that this permission must be applied to all resource instances of a given type.

false
scopes[]string

Scopes is a list of authorization scopes names. Specifies that this permission must be applied to one or more scopes.

false

KeycloakClient.spec.authorization.policies[index]​

↩ Parent

Policy represents a client authorization policy.

NameTypeDescriptionRequired
namestring

Name is a policy name.

true
typeenum

Type is a policy type.


Enum: aggregate, client, group, role, time, user

true
aggregatedPolicyobject

AggregatedPolicy is an aggregated policy settings.

false
clientPolicyobject

ClientPolicy is a client policy settings.

false
decisionStrategyenum

DecisionStrategy is a policy decision strategy.


Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS
Default: UNANIMOUS

false
descriptionstring

Description is a policy description.

false
groupPolicyobject

GroupPolicy is a group policy settings.

false
logicenum

Logic is a policy logic.


Enum: POSITIVE, NEGATIVE
Default: POSITIVE

false
rolePolicyobject

RolePolicy is a role policy settings.

false
timePolicyobject

ScopePolicy is a scope policy settings.

false
userPolicyobject

UserPolicy is a user policy settings.

false

KeycloakClient.spec.authorization.policies[index].aggregatedPolicy​

↩ Parent

AggregatedPolicy is an aggregated policy settings.

NameTypeDescriptionRequired
policies[]string

Policies is a list of aggregated policies names. Specifies all the policies that must be applied to the scopes defined by this policy or permission.

true

KeycloakClient.spec.authorization.policies[index].clientPolicy​

↩ Parent

ClientPolicy is a client policy settings.

NameTypeDescriptionRequired
clients[]string

Clients is a list of client names. Specifies which client(s) are allowed by this policy.

true

KeycloakClient.spec.authorization.policies[index].groupPolicy​

↩ Parent

GroupPolicy is a group policy settings.

NameTypeDescriptionRequired
groups[]object

Groups is a list of group names. Specifies which group(s) are allowed by this policy.

false
groupsClaimstring

GroupsClaim is a group claim. If defined, the policy will fetch user's groups from the given claim within an access token or ID token representing the identity asking permissions. If not defined, user's groups are obtained from your realm configuration.

false

KeycloakClient.spec.authorization.policies[index].groupPolicy.groups[index]​

↩ Parent

GroupDefinition represents a group in a GroupPolicyData.

NameTypeDescriptionRequired
namestring

Name is a group name.

true
extendChildrenboolean

ExtendChildren is a flag that specifies whether to extend children.

false

KeycloakClient.spec.authorization.policies[index].rolePolicy​

↩ Parent

RolePolicy is a role policy settings.

NameTypeDescriptionRequired
roles[]object

Roles is a list of role.

true

KeycloakClient.spec.authorization.policies[index].rolePolicy.roles[index]​

↩ Parent

RoleDefinition represents a role in a RolePolicyData.

NameTypeDescriptionRequired
namestring

Name is a role name.

true
requiredboolean

Required is a flag that specifies whether the role is required.

false

KeycloakClient.spec.authorization.policies[index].timePolicy​

↩ Parent

ScopePolicy is a scope policy settings.

NameTypeDescriptionRequired
notBeforestring

NotBefore defines the time before which the policy MUST NOT be granted. Only granted if current date/time is after or equal to this value.

true
notOnOrAfterstring

NotOnOrAfter defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.

true
dayMonthstring

Day defines the month which the policy MUST be granted. You can also provide a range by filling the dayMonthEnd field. In this case, permission is granted only if current month is between or equal to the two values you provided.

false
dayMonthEndstring
false
hourstring

Hour defines the hour when the policy MUST be granted. You can also provide a range by filling the hourEnd. In this case, permission is granted only if current hour is between or equal to the two values you provided.

false
hourEndstring
false
minutestring

Minute defines the minute when the policy MUST be granted. You can also provide a range by filling the minuteEnd field. In this case, permission is granted only if current minute is between or equal to the two values you provided.

false
minuteEndstring
false
monthstring

Month defines the month which the policy MUST be granted. You can also provide a range by filling the monthEnd. In this case, permission is granted only if current month is between or equal to the two values you provided.

false
monthEndstring
false

KeycloakClient.spec.authorization.policies[index].userPolicy​

↩ Parent

UserPolicy is a user policy settings.

NameTypeDescriptionRequired
users[]string

Users is a list of usernames. Specifies which user(s) are allowed by this policy.

true

KeycloakClient.spec.protocolMappers[index]​

↩ Parent
NameTypeDescriptionRequired
configmap[string]string

Config is a map of protocol mapper configuration.

false
namestring

Name is a protocol mapper name.

false
protocolstring

Protocol is a protocol name.

false
protocolMapperstring

ProtocolMapper is a protocol mapper name.

false

KeycloakClient.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakClient.spec.realmRoles[index]​

↩ Parent
NameTypeDescriptionRequired
compositestring

Composite is a realm composite role name.

true
namestring

Name is a realm role name.

false

KeycloakClient.spec.serviceAccount​

↩ Parent

ServiceAccount is a service account configuration.

NameTypeDescriptionRequired
attributesmap[string]string

Attributes is a map of service account attributes.

false
clientRoles[]object

ClientRoles is a list of client roles assigned to service account.

false
enabledboolean

Enabled is a flag to enable service account.

false
realmRoles[]string

RealmRoles is a list of realm roles assigned to service account.

false

KeycloakClient.spec.serviceAccount.clientRoles[index]​

↩ Parent
NameTypeDescriptionRequired
clientIdstring

ClientID is a client ID.

true
roles[]string

Roles is a list of client roles names assigned to service account.

false

KeycloakClient.status​

↩ Parent

KeycloakClientStatus defines the observed state of KeycloakClient.

NameTypeDescriptionRequired
clientIdstring
false
failureCountinteger

Format: int64

false
valuestring
false

KeycloakClientScope​

↩ Parent

KeycloakClientScope is the Schema for the keycloakclientscopes API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakClientScopetrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.

false
statusobject

KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.

false

KeycloakClientScope.spec​

↩ Parent

KeycloakClientScopeSpec defines the desired state of KeycloakClientScope.

NameTypeDescriptionRequired
namestring

Name of keycloak client scope.

true
protocolstring

Protocol is SSO protocol configuration which is being supplied by this client scope.

true
attributesmap[string]string

Attributes is a map of client scope attributes.

false
defaultboolean

Default is a flag to set client scope as default.

false
descriptionstring

Description is a description of client scope.

false
protocolMappers[]object

ProtocolMappers is a list of protocol mappers assigned to client scope.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false

KeycloakClientScope.spec.protocolMappers[index]​

↩ Parent
NameTypeDescriptionRequired
configmap[string]string

Config is a map of protocol mapper configuration.

false
namestring

Name is a protocol mapper name.

false
protocolstring

Protocol is a protocol name.

false
protocolMapperstring

ProtocolMapper is a protocol mapper name.

false

KeycloakClientScope.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakClientScope.status​

↩ Parent

KeycloakClientScopeStatus defines the observed state of KeycloakClientScope.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
idstring
false
valuestring
false

KeycloakRealmComponent​

↩ Parent

KeycloakRealmComponent is the Schema for the keycloak component API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmComponenttrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.

false
statusobject

KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.

false

KeycloakRealmComponent.spec​

↩ Parent

KeycloakComponentSpec defines the desired state of KeycloakRealmComponent.

NameTypeDescriptionRequired
namestring

Name of keycloak component.

true
providerIdstring

ProviderID is a provider ID of component.

true
providerTypestring

ProviderType is a provider type of component.

true
configmap[string][]string

Config is a map of component configuration. Map key is a name of configuration property, map value is an array value of configuration properties. Any configuration property can be a reference to k8s secret, in this case the property should be in format $secretName:secretKey.

false
parentRefobject

ParentRef specifies a parent resource. If not specified, then parent is realm specified in realm field.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false

KeycloakRealmComponent.spec.parentRef​

↩ Parent

ParentRef specifies a parent resource. If not specified, then parent is realm specified in realm field.

NameTypeDescriptionRequired
namestring

Name is a name of parent component custom resource. For example, if Kind is KeycloakRealm, then Name is name of KeycloakRealm custom resource.

true
kindenum

Kind is a kind of parent component. By default, it is KeycloakRealm.


Enum: KeycloakRealm, KeycloakRealmComponent
Default: KeycloakRealm

false

KeycloakRealmComponent.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmComponent.status​

↩ Parent

KeycloakComponentStatus defines the observed state of KeycloakRealmComponent.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
valuestring
false

KeycloakRealmGroup​

↩ Parent

KeycloakRealmGroup is the Schema for the keycloak group API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.

false
statusobject

KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.

false

KeycloakRealmGroup.spec​

↩ Parent

KeycloakRealmGroupSpec defines the desired state of KeycloakRealmGroup.

NameTypeDescriptionRequired
namestring

Name of keycloak group.

true
accessmap[string]boolean

Access is a map of group access.

false
attributesmap[string][]string

Attributes is a map of group attributes.

false
clientRoles[]object

ClientRoles is a list of client roles assigned to group.

false
pathstring

Path is a group path.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false
realmRoles[]string

RealmRoles is a list of realm roles assigned to group.

false
subGroups[]string

SubGroups is a list of subgroups assigned to group.

false

KeycloakRealmGroup.spec.clientRoles[index]​

↩ Parent
NameTypeDescriptionRequired
clientIdstring

ClientID is a client ID.

true
roles[]string

Roles is a list of client roles names assigned to service account.

false

KeycloakRealmGroup.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmGroup.status​

↩ Parent

KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
idstring

ID is a group ID.

false
valuestring
false

KeycloakRealmIdentityProvider​

↩ Parent

KeycloakRealmIdentityProvider is the Schema for the keycloak realm identity provider API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmIdentityProvidertrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider.

false
statusobject

KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider.

false

KeycloakRealmIdentityProvider.spec​

↩ Parent

KeycloakRealmIdentityProviderSpec defines the desired state of KeycloakRealmIdentityProvider.

NameTypeDescriptionRequired
aliasstring

Alias is a alias of identity provider.

true
configmap[string]string

Config is a map of identity provider configuration. Map key is a name of configuration property, map value is a value of configuration property. Any value can be a reference to k8s secret, in this case value should be in format $secretName:secretKey.

true
enabledboolean

Enabled is a flag to enable/disable identity provider.

true
providerIdstring

ProviderID is a provider ID of identity provider.

true
addReadTokenRoleOnCreateboolean

AddReadTokenRoleOnCreate is a flag to add read token role on create.

false
authenticateByDefaultboolean

AuthenticateByDefault is a flag to authenticate by default.

false
displayNamestring

DisplayName is a display name of identity provider.

false
firstBrokerLoginFlowAliasstring

FirstBrokerLoginFlowAlias is a first broker login flow alias.

false
linkOnlyboolean

LinkOnly is a flag to link only.

false
mappers[]object

Mappers is a list of identity provider mappers.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false
storeTokenboolean

StoreToken is a flag to store token.

false
trustEmailboolean

TrustEmail is a flag to trust email.

false

KeycloakRealmIdentityProvider.spec.mappers[index]​

↩ Parent
NameTypeDescriptionRequired
configmap[string]string

Config is a map of identity provider mapper configuration.

false
identityProviderAliasstring

IdentityProviderAlias is a identity provider alias.

false
identityProviderMapperstring

IdentityProviderMapper is a identity provider mapper.

false
namestring

Name is a name of identity provider mapper.

false

KeycloakRealmIdentityProvider.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmIdentityProvider.status​

↩ Parent

KeycloakRealmIdentityProviderStatus defines the observed state of KeycloakRealmIdentityProvider.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
valuestring
false

KeycloakRealmRoleBatch​

↩ Parent

KeycloakRealmRoleBatch is the Schema for the keycloak roles API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmRoleBatchtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.

false
statusobject

KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch.

false

KeycloakRealmRoleBatch.spec​

↩ Parent

KeycloakRealmRoleBatchSpec defines the desired state of KeycloakRealmRoleBatch.

NameTypeDescriptionRequired
roles[]object

Roles is a list of roles to be created.

true
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false

KeycloakRealmRoleBatch.spec.roles[index]​

↩ Parent
NameTypeDescriptionRequired
namestring

Name of keycloak role.

true
attributesmap[string][]string

Attributes is a map of role attributes.

false
compositeboolean

Composite is a flag if role is composite.

false
composites[]object

Composites is a list of composites roles assigned to role.

false
descriptionstring

Description is a role description.

false
isDefaultboolean

IsDefault is a flag if role is default.

false

KeycloakRealmRoleBatch.spec.roles[index].composites[index]​

↩ Parent
NameTypeDescriptionRequired
namestring

Name is a name of composite role.

true

KeycloakRealmRoleBatch.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmRoleBatch.status​

↩ Parent

KeycloakRealmRoleBatchStatus defines the observed state of KeycloakRealmRoleBatch.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
valuestring
false

KeycloakRealmRole​

↩ Parent

KeycloakRealmRole is the Schema for the keycloak group API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmRoletrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.

false
statusobject

KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.

false

KeycloakRealmRole.spec​

↩ Parent

KeycloakRealmRoleSpec defines the desired state of KeycloakRealmRole.

NameTypeDescriptionRequired
namestring

Name of keycloak role.

true
attributesmap[string][]string

Attributes is a map of role attributes.

false
compositeboolean

Composite is a flag if role is composite.

false
composites[]object

Composites is a list of composites roles assigned to role.

false
compositesClientRolesmap[string][]object

CompositesClientRoles is a map of composites client roles assigned to role.

false
descriptionstring

Description is a role description.

false
isDefaultboolean

IsDefault is a flag if role is default.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false

KeycloakRealmRole.spec.composites[index]​

↩ Parent
NameTypeDescriptionRequired
namestring

Name is a name of composite role.

true

KeycloakRealmRole.spec.compositesClientRoles[key][index]​

↩ Parent
NameTypeDescriptionRequired
namestring

Name is a name of composite role.

true

KeycloakRealmRole.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmRole.status​

↩ Parent

KeycloakRealmRoleStatus defines the observed state of KeycloakRealmRole.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
idstring

ID is a role ID.

false
valuestring
false

KeycloakRealm​

↩ Parent

KeycloakRealm is the Schema for the keycloak realms API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmSpec defines the desired state of KeycloakRealm.

false
statusobject

KeycloakRealmStatus defines the observed state of KeycloakRealm.

false

KeycloakRealm.spec​

↩ Parent

KeycloakRealmSpec defines the desired state of KeycloakRealm.

NameTypeDescriptionRequired
realmNamestring

RealmName specifies the name of the realm.

true
browserFlowstring

BrowserFlow specifies the authentication flow to use for the realm's browser clients.

false
browserSecurityHeadersmap[string]string

BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients.

false
displayHtmlNamestring

DisplayHTMLName name to render in the UI

false
frontendUrlstring

FrontendURL Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.

false
idstring

ID is the ID of the realm.

false
keycloakOwnerstring

Deprecated: use KeycloakRef instead. KeycloakOwner specifies the name of the Keycloak instance that owns the realm.

false
keycloakRefobject

KeycloakRef is reference to Keycloak custom resource.

false
passwordPolicy[]object

PasswordPolicies is a list of password policies to apply to the realm.

false
realmEventConfigobject

RealmEventConfig is the configuration for events in the realm.

false
themesobject

Themes is a map of themes to apply to the realm.

false
tokenSettingsobject

TokenSettings is the configuration for tokens in the realm.

false
users[]object

Users is a list of users to create in the realm.

false

KeycloakRealm.spec.keycloakRef​

↩ Parent

KeycloakRef is reference to Keycloak custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: Keycloak, ClusterKeycloak

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealm.spec.passwordPolicy[index]​

↩ Parent
NameTypeDescriptionRequired
typestring

Type of password policy.

true
valuestring

Value of password policy.

true

KeycloakRealm.spec.realmEventConfig​

↩ Parent

RealmEventConfig is the configuration for events in the realm.

NameTypeDescriptionRequired
adminEventsDetailsEnabledboolean

AdminEventsDetailsEnabled indicates whether to enable detailed admin events.

false
adminEventsEnabledboolean

AdminEventsEnabled indicates whether to enable admin events.

false
enabledEventTypes[]string

EnabledEventTypes is a list of event types to enable.

false
eventsEnabledboolean

EventsEnabled indicates whether to enable events.

false
eventsExpirationinteger

EventsExpiration is the number of seconds after which events expire.

false
eventsListeners[]string

EventsListeners is a list of event listeners to enable.

false

KeycloakRealm.spec.themes​

↩ Parent

Themes is a map of themes to apply to the realm.

NameTypeDescriptionRequired
accountThemestring

AccountTheme specifies the account theme to use for the realm.

false
adminConsoleThemestring

AdminConsoleTheme specifies the admin console theme to use for the realm.

false
emailThemestring

EmailTheme specifies the email theme to use for the realm.

false
internationalizationEnabledboolean

InternationalizationEnabled indicates whether to enable internationalization.

false
loginThemestring

LoginTheme specifies the login theme to use for the realm.

false

KeycloakRealm.spec.tokenSettings​

↩ Parent

TokenSettings is the configuration for tokens in the realm.

NameTypeDescriptionRequired
accessCodeLifespaninteger

AccessCodeLifespan specifies max time(in seconds)a client has to finish the access token protocol. This should normally be 1 minute.


Default: 60

false
accessTokeninteger

AccessTokenLifespanForImplicitFlow specifies max time(in seconds) before an access token is expired for implicit flow.


Default: 900

false
accessTokenLifespaninteger

AccessTokenLifespan specifies max time(in seconds) before an access token is expired. This value is recommended to be short relative to the SSO timeout.


Default: 300

false
actionTokenGeneratedByAdminLifespaninteger

ActionTokenGeneratedByAdminLifespan specifies max time(in seconds) before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.


Default: 43200

false
actionTokenGeneratedByUserLifespaninteger

AccessCodeLifespanUserAction specifies max time(in seconds) before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it's expected that the user would react to self-created action quickly.


Default: 300

false
defaultSignatureAlgorithmenum

DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm


Enum: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512
Default: RS256

false
refreshTokenMaxReuseinteger

RefreshTokenMaxReuse specifies maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.


Default: 0

false
revokeRefreshTokenboolean

RevokeRefreshToken if enabled a refresh token can only be used up to 'refreshTokenMaxReuse' and is revoked when a different token is used. Otherwise, refresh tokens are not revoked when used and can be used multiple times.


Default: false

false

KeycloakRealm.spec.users[index]​

↩ Parent
NameTypeDescriptionRequired
usernamestring

Username of keycloak user.

true
realmRoles[]string

RealmRoles is a list of roles attached to keycloak user.

false

KeycloakRealm.status​

↩ Parent

KeycloakRealmStatus defines the observed state of KeycloakRealm.

NameTypeDescriptionRequired
availableboolean
false
failureCountinteger

Format: int64

false
valuestring
false

KeycloakRealmUser​

↩ Parent

KeycloakRealmUser is the Schema for the keycloak user API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloakRealmUsertrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.

false
statusobject

KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.

false

KeycloakRealmUser.spec​

↩ Parent

KeycloakRealmUserSpec defines the desired state of KeycloakRealmUser.

NameTypeDescriptionRequired
usernamestring

Username is a username in keycloak.

true
attributesmap[string]string

Attributes is a map of user attributes.

false
emailstring

Email is a user email.

false
emailVerifiedboolean

EmailVerified is a user email verified flag.

false
enabledboolean

Enabled is a user enabled flag.

false
firstNamestring

FirstName is a user first name.

false
groups[]string

Groups is a list of groups assigned to user.

false
keepResourceboolean

KeepResource, when set to false, results in the deletion of the KeycloakRealmUser Custom Resource (CR) from the cluster after the corresponding user is created in Keycloak. The user will continue to exist in Keycloak. When set to true, the CR will not be deleted after processing.


Default: true

false
lastNamestring

LastName is a user last name.

false
passwordstring

Password is a user password. Allows to keep user password within Custom Resource. For security concerns, it is recommended to use PasswordSecret instead.

false
passwordSecretobject

PasswordSecret defines Kubernetes secret Name and Key, which holds User secret.

false
realmstring

Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource.

false
realmRefobject

RealmRef is reference to Realm custom resource.

false
reconciliationStrategystring

ReconciliationStrategy is a strategy for reconciliation. Possible values: full, create-only. Default value: full. If set to create-only, user will be created only if it does not exist. If user exists, it will not be updated. If set to full, user will be created if it does not exist, or updated if it exists.

false
requiredUserActions[]string

RequiredUserActions is required action when user log in, example: CONFIGURE_TOTP, UPDATE_PASSWORD, UPDATE_PROFILE, VERIFY_EMAIL.

false
roles[]string

Roles is a list of roles assigned to user.

false

KeycloakRealmUser.spec.passwordSecret​

↩ Parent

PasswordSecret defines Kubernetes secret Name and Key, which holds User secret.

NameTypeDescriptionRequired
keystring

Key is the key in the secret.

true
namestring

Name is the name of the secret.

true

KeycloakRealmUser.spec.realmRef​

↩ Parent

RealmRef is reference to Realm custom resource.

NameTypeDescriptionRequired
kindenum

Kind specifies the kind of the Keycloak resource.


Enum: KeycloakRealm, ClusterKeycloakRealm

false
namestring

Name specifies the name of the Keycloak resource.

false

KeycloakRealmUser.status​

↩ Parent

KeycloakRealmUserStatus defines the observed state of KeycloakRealmUser.

NameTypeDescriptionRequired
failureCountinteger

Format: int64

false
valuestring
false

Keycloak​

↩ Parent

Keycloak is the Schema for the keycloaks API.

NameTypeDescriptionRequired
apiVersionstringv1.edp.epam.com/v1true
kindstringKeycloaktrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

KeycloakSpec defines the desired state of Keycloak.

false
statusobject

KeycloakStatus defines the observed state of Keycloak.


Default: map[connected:false]

false

Keycloak.spec​

↩ Parent

KeycloakSpec defines the desired state of Keycloak.

NameTypeDescriptionRequired
secretstring

Secret is a secret name which contains admin credentials.

true
urlstring

URL of keycloak service.

true
adminTypeenum

AdminType can be user or serviceAccount, if serviceAccount was specified, then client_credentials grant type should be used for getting admin realm token.


Enum: serviceAccount, user

false
caCertobject

CACert defines the root certificate authority that api client use when verifying server certificates.

false
insecureSkipVerifyboolean

InsecureSkipVerify controls whether api client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, api client accepts any certificate presented by the server and any host name in that certificate.

false

Keycloak.spec.caCert​

↩ Parent

CACert defines the root certificate authority that api client use when verifying server certificates.

NameTypeDescriptionRequired
configMapKeyRefobject

Selects a key of a ConfigMap.

false
secretKeyRefobject

Selects a key of a secret.

false

Keycloak.spec.caCert.configMapKeyRef​

↩ Parent

Selects a key of a ConfigMap.

NameTypeDescriptionRequired
keystring

The key to select.

true
namestring

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

false

Keycloak.spec.caCert.secretKeyRef​

↩ Parent

Selects a key of a secret.

NameTypeDescriptionRequired
keystring

The key of the secret to select from.

true
namestring

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

false

Keycloak.status​

↩ Parent

KeycloakStatus defines the observed state of Keycloak.

NameTypeDescriptionRequired
connectedboolean

Connected shows if keycloak service is up and running.

true