
Adding a mapper to an existing client scope #187

Open
greyarch opened this issue Nov 18, 2024 · 6 comments

Comments

@greyarch

Hey guys, great work so far!

I have the following problem:

I want to add a mapper to an existing client scope, namely the "profile" client scope.

This works fine if I use the clientScopeId, but this is not really a solution since the scope id is random uuid.

Furthermore, I cannot match by label (using clientScopeIdSelector) since I am not creating the client scope, and there is no kubernetes/crossplane resource that corresponds to the scope.

I expected to be able to use clientScopeIdRef.name but this also seems to refer to the name of a kubernetes object and not the name of the client scope in keycloak.

I tried to create a ClientScope resource that will not create the scope but will just reference it. This is, however, not possible: the provider always tries to create objects, and if they already exist, it gives 409.

So... how should I do that?

Cheers!

@Breee
Collaborator

Breee commented Nov 18, 2024

Greetings,

You should be able to create the resource you want to reference in "Observe Only" mode; for that, look up management policies.

If you have more questions or problems, let me know.

https://docs.crossplane.io/latest/guides/import-existing-resources/

@greyarch
Author

greyarch commented Nov 19, 2024

Hey @Breee, thanks for the swift response!

Unfortunately, I still cannot make it work. I have this object now:

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
  name: my-scope
spec:
  managementPolicies: ["Observe"]
  forProvider:
    realmId: "existing-realm"
    name: "profile"
  providerConfigRef:
    name: "dev"

and I get:

Warning CannotObserveExternalResource 1s (x2 over 10s) managed/openidclient.keycloak.crossplane.io/v1alpha1, kind=clientscope external resource does not exist

The realm exists and there is a client scope called "profile", created by default (not by me, this is a built-in scope) when the realm is created.
What am I missing?

@greyarch
Author

greyarch commented Dec 5, 2024

Any development/news/comment here?

@Breee
Collaborator

Breee commented Dec 6, 2024

Sorry for the late reply,
you are most likely missing the external name (as written in the Crossplane docs):

metadata:
  annotations:
    crossplane.io/external-name: <UUID OR EXTERNAL_NAME>

Should we add importing of existing scopes to https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects @b509?

@greyarch
Author

greyarch commented Dec 7, 2024

Hey @Breee, unfortunately adding this annotation does not work either.

I tried both:

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
  name: my-scope
  annotations:
    crossplane.io/external-name: profile
spec:
  managementPolicies: ["Observe"]
  forProvider:
    realmId: "existing-realm"
    name: "profile"
  providerConfigRef:
    name: "dev"

and (without the forProvider.name):

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
  name: my-scope
  annotations:
    crossplane.io/external-name: profile
spec:
  managementPolicies: ["Observe"]
  forProvider:
    realmId: "existing-realm"
  providerConfigRef:
    name: "dev"

Both result in "external resource does not exist".

However, when I use the scope ID in the annotation, like:

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
  name: my-scope
  annotations:
    crossplane.io/external-name: "20bb8d4a-e8e6-4e6e-8688-b2eb48c208bc"
spec:
  managementPolicies: ["Observe"]
  forProvider:
    realmId: "existing-realm"
  providerConfigRef:
    name: "dev"

the ClientScope is found. Furthermore, its atProvider.name is indeed "profile".

I vote "YES" on your question to @b509 :)

@Breee
Collaborator

Breee commented Dec 16, 2024

That's a Keycloak thing: it resolves objects with these UUIDs.
I do not yet have an idea on how to manage that without UUIDs.
If it helps you, we can implement the import of existing ClientScopes using the composition function we provide.
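The thread's conclusion is that the external-name annotation must carry the Keycloak UUID of the scope, not its name. The following script, an added example that is not part of the provider or the issue, looks the UUID up by scope name through the Keycloak admin REST API (GET /admin/realms/{realm}/client-scopes, with a bearer token obtained separately) and emits the Observe-only ClientScope manifest as JSON, which kubectl accepts. The realm name, provider config and sample scope list are constructed.

```python
"""Resolve a built-in Keycloak client scope to its UUID and build an
Observe-only Crossplane ClientScope manifest referencing it by UUID."""
import json
import urllib.request


def find_scope_id(scopes, scope_name):
    """Return the UUID of the scope named scope_name from the admin API list.
    Fails loudly on a missing or duplicated name so the wrong scope is never
    imported silently."""
    matches = [s["id"] for s in scopes if s.get("name") == scope_name]
    if len(matches) != 1:
        raise LookupError(f"expected one scope named {scope_name!r}, found {len(matches)}")
    return matches[0]


def fetch_client_scopes(base_url, realm, token):
    """GET /admin/realms/{realm}/client-scopes with a bearer token (needs network)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/client-scopes",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def observe_manifest(k8s_name, realm_id, scope_uuid, provider_config="dev"):
    """Observe-only ClientScope manifest; forProvider.name is deliberately omitted."""
    return {
        "apiVersion": "openidclient.keycloak.crossplane.io/v1alpha1",
        "kind": "ClientScope",
        "metadata": {
            "name": k8s_name,
            # The provider resolves scopes by Keycloak id, so this must be the UUID.
            "annotations": {"crossplane.io/external-name": scope_uuid},
        },
        "spec": {
            "managementPolicies": ["Observe"],
            "forProvider": {"realmId": realm_id},
            "providerConfigRef": {"name": provider_config},
        },
    }


# Constructed sample of the admin API response (ids are made up for the example).
SAMPLE_SCOPES = [
    {"id": "11111111-2222-3333-4444-555555555555", "name": "email"},
    {"id": "20bb8d4a-e8e6-4e6e-8688-b2eb48c208bc", "name": "profile"},
]

if __name__ == "__main__":
    scope_id = find_scope_id(SAMPLE_SCOPES, "profile")
    print(json.dumps(observe_manifest("my-scope", "existing-realm", scope_id), indent=2))
```

Pipe the output to `kubectl apply -f -`, then confirm `status.atProvider.name` reads "profile" before adding a mapper that references the scope.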
