Unable to set realm default roles #80
Comments
I ran into this just now, link to the findings. You can enable this but it will not help you to find the default realm role since you need to reference its external name by some random guid.
Even when importing the client and the roles from their random guids in Keycloak to Crossplane I was unable to actually make a user an admin. I tried to grant the role directly, but I couldn't find what resource to use for that. Then I found group roles, but that apparently doesn't do anything. Membership worked fine and my user becomes a member of my "realm-admin" group, but the group doesn't get the proper role even though the roleidref seems to work fine? Here is my entire attempt:
Hello, I had the same issue a while ago. I was able to make the default roles resource work by setting an appropriate ExternalNameConfig in config/external_name.go. You would be able to set default realm roles using this resource, e.g. https://github.com/crossplane-contrib/provider-keycloak/blob/main/examples-generated/defaults/v1alpha1/roles.yaml
The problem with this resource is that you wouldn't be able to set default roles of a client because it's not supported in the upstream tf provider. There's a pull request for it in the terraform-provider-keycloak repository that's been waiting to be merged for a long time. Edit: updated pull request link, thanks @Breee
I did have an alternative for it, but it might not be the best. We already have the ansible provider on our clusters. I simply used an AnsibleRun to configure default roles and it worked. The community general collection has a module for the Keycloak API. This helped resolve my issue specifically: https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_role_module.html#ansible-collections-community-general-keycloak-role-module
Obviously it's way better to have it included in the provider.
mustafa means this PR: keycloak/terraform-provider-keycloak#764
Alright guys, the default roles are kinda trashy and we have no choice other than writing our own controller for that. I however found a good workaround for you, which is in my opinion even better to manage. PR #86 adds
Full Example:
I hope that helps you out until the controller is ready to roll. You can test that out in version v0.18.0: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.18.0
Hey @vladimirblahoz, (For general documentation on how to make the function run, read the complete README)
Hi!
Is there any example of how to set default roles for a Crossplane-managed realm?
I have Keycloak v 24.0.2 deployed and a realm provisioned by keycloak-provider v 0.15.0. When this realm is created, it automatically creates a composite role named "default-roles-[realm-name]" into which I need to assign my default roles. Obviously the default-roles role is not managed by Crossplane.
I assumed, looking at its name, that the resource defaults.keycloak.crossplane.io/v1alpha1/roles is meant for this.
Applying this manifest results in a quite strange error event:
I also tried another approach based on the Import Existing Resource documentation, importing the automatically created role with:
That fails on an attempt to newly create the existing role, resulting in a name conflict.
I also tried, just to test that the importing works, to add
managementPolicies: [ "Observe" ]
to the role manifest (being aware that with that I shouldn't be able to change the compositeRolesRefs) and that again fails on another error
This makes me feel that the Keycloak provider does not support the managementPolicies. And I am kind of out of ideas.
Any help will be very appreciated.