Alauda Build of Keycloak
  • Русский

    • KeycloakRealmImport

    The KeycloakRealmImport Custom Resource enables declarative, GitOps-friendly management of Keycloak Realm configurations. When this resource is created or updated, the Operator triggers an import Job that loads the Realm configuration into the target Keycloak instance.

    Содержание

    Resource InformationExampleSpec Fieldsspec.keycloakCRNamespec.placeholdersspec.realmCore Realm SettingsToken Lifespan SettingsSecurity SettingsClientsRolesGroupsUsersIdentity ProvidersAuthentication FlowsStatus Conditions

    Resource Information

    PropertyValue
    API Groupk8s.keycloak.org
    API Versionv2alpha1
    KindKeycloakRealmImport
    Pluralkeycloakrealmimports
    ScopeNamespaced

    Example

    apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: my-realm-import
  namespace: keycloak
spec:
  keycloakCRName: example-kc
  placeholders:
    CLIENT_SECRET:
      secret:
        name: my-client-secret
        key: client-secret
  realm:
    realm: my-realm
    enabled: true
    displayName: "My Application Realm"
    registrationAllowed: false
    loginWithEmailAllowed: true
    duplicateEmailsAllowed: false
    sslRequired: external
    accessTokenLifespan: 300
    clients:
      - clientId: my-app
        enabled: true
        publicClient: true
        redirectUris:
          - "https://my-app.example.com/*"
        webOrigins:
          - "https://my-app.example.com"
        secret: $(CLIENT_SECRET)

    Spec Fields

    spec.keycloakCRName

    PropertyValue
    Typestring
    RequiredYes

    The name of the Keycloak CR in the same namespace that this Realm will be imported into.

    spec.placeholders

    PropertyValue
    Typemap[string]SecretKeySelector
    RequiredNo

    A map of placeholder names to Secret references. Placeholders allow injecting Secret values into the Realm configuration at import time. In the spec.realm body, reference a placeholder using the syntax $(PLACEHOLDER_NAME).

    placeholders:
  CLIENT_SECRET:
    secret:
      name: my-client-secret
      key: client-secret
  SMTP_PASSWORD:
    secret:
      name: smtp-credentials
      key: password

    Each placeholder value is a SecretKeySelector:

    FieldTypeDescription
    secret.namestringName of the Kubernetes Secret.
    secret.keystringKey within the Secret.
    secret.optionalbooleanWhether the Secret must exist.

    spec.realm

    PropertyValue
    TypeRealmRepresentation
    RequiredYes

    The full Realm configuration to import. This corresponds to the Keycloak RealmRepresentation JSON structure. The following table describes the most commonly used fields.

    Core Realm Settings

    FieldTypeDescription
    realmstringThe unique Realm identifier (used in URLs). Cannot be changed after creation.
    enabledbooleanWhether the Realm is active. Disabled Realms reject all authentication requests.
    displayNamestringHuman-readable name shown on the login page.
    sslRequiredstringWhen HTTPS is required. Values: none, external (recommended for production), all.
    registrationAllowedbooleanAllows users to self-register.
    loginWithEmailAllowedbooleanAllows users to log in using their email address instead of username.
    duplicateEmailsAllowedbooleanAllows multiple users to share the same email address. Not recommended.

    Token Lifespan Settings

    FieldTypeDescription
    accessTokenLifespanintegerAccess token validity in seconds. Default: 300.
    accessTokenLifespanForImplicitFlowintegerAccess token lifespan for the implicit flow.
    ssoSessionIdleTimeoutintegerSSO session idle timeout in seconds.
    ssoSessionMaxLifespanintegerMaximum SSO session duration in seconds.
    offlineSessionIdleTimeoutintegerOffline session idle timeout in seconds.
    accessCodeLifespanintegerAuthorization code lifespan in seconds.

    Security Settings

    FieldTypeDescription
    bruteForceProtectedbooleanEnables brute force protection to lock accounts after repeated failed login attempts.
    bruteForceStrategystringStrategy for brute force detection. Values: LINEAR, MULTIPLE.
    permanentLockoutbooleanPermanently locks accounts after exceeding the failure threshold (requires manual admin unlock).
    maxFailureWaitSecondsintegerMaximum wait time between login attempts after failures.
    minimumQuickLoginWaitSecondsintegerMinimum wait time for quick consecutive login attempts.

    Clients

    The clients array defines OIDC/SAML clients registered in the Realm.

    FieldTypeDescription
    clientIdstringUnique client identifier within the Realm.
    enabledbooleanWhether the client is active.
    publicClientbooleanIf true, the client does not require a client secret (for SPAs and mobile apps).
    standardFlowEnabledbooleanEnables the Authorization Code flow.
    implicitFlowEnabledbooleanEnables the Implicit flow (not recommended for new applications).
    directAccessGrantsEnabledbooleanEnables the Resource Owner Password Credentials flow.
    serviceAccountsEnabledbooleanEnables the Client Credentials flow for service accounts.
    redirectUris[]stringAllowed redirect URIs after authentication. Use * as a wildcard (not recommended in production).
    webOrigins[]stringAllowed CORS origins. Set to + to allow all origins in redirectUris.
    secretstringClient secret. Use $(PLACEHOLDER_NAME) to inject from a Kubernetes Secret.
    protocolstringClient protocol. Values: openid-connect, saml.
    attributesmap[string]stringAdditional client attributes (for example, PKCE settings, token signing algorithms).
    protocolMappers[]ProtocolMapperCustom protocol mappers to add claims to tokens.

    Roles

    FieldTypeDescription
    roles.realm[]RoleArray of Realm-level roles.
    roles.clientmap[string][]RoleMap of client ID to array of client-level roles.

    Each Role object:

    FieldTypeDescription
    namestringRole name.
    descriptionstringRole description.
    compositebooleanWhether this role includes other roles.
    compositesCompositesChild roles when composite is true.

    Groups

    FieldTypeDescription
    groups[]GroupRepresentationArray of groups to create in the Realm.

    Each group object supports name, path, realmRoles, clientRoles, subGroups, and attributes.

    Users

    FieldTypeDescription
    users[]UserRepresentationArray of users to import.

    Each user object supports username, email, firstName, lastName, enabled, emailVerified, credentials, realmRoles, clientRoles, and groups.

    Identity Providers

    FieldTypeDescription
    identityProviders[]IdentityProviderRepresentationExternal identity provider configurations (OIDC, SAML, social providers).

    Authentication Flows

    FieldTypeDescription
    authenticationFlows[]AuthenticationFlowRepresentationCustom authentication flow definitions.
    browserFlowstringAlias of the flow to use for browser-based authentication.
    directGrantFlowstringAlias of the flow for direct grant (password) authentication.
    clientAuthenticationFlowstringAlias of the flow for client authentication.

    Status Conditions

    Condition TypeDescription
    DoneTrue when the Realm import Job has completed successfully.
    StartedTrue when the import Job has been created and started.
    HasErrorsTrue when the import Job encountered an error.

    Check the import status:

    kubectl get keycloakrealmimport <name> -n <namespace> -o yaml

    A successful import shows:

    status:
  conditions:
    - type: Done
      status: "True"
    - type: Started
      status: "True"
    - type: HasErrors
      status: "False"