How to update one default UserAttributeMapper of a new UserFederation? #201

Open
joneshf opened this issue Dec 29, 2024 · 1 comment

joneshf commented Dec 29, 2024

I'd like to create a new `UserFederation` and alter one of the default `UserAttributeMapper`s that gets created. I'm having a tough time figuring out how to do that without making every default mapper with the configuration I want. In particular, I'd like to change the default `UserAttributeMapper` for `firstName` to use `givenname` as the `ldapAttribute` instead of the default `cn`.

For example, if I've got a setup like this:

```yaml
---
apiVersion: ldap.keycloak.crossplane.io/v1alpha1
kind: UserAttributeMapper
metadata:
  name: first-name
spec:
  forProvider:
    alwaysReadValueFromLdap: true
    isMandatoryInLdap: true
    # The `ldapAttribute` defaults to `cn`.
    # This `UserAttributeMapper` changes that to `givenname`.
    ldapAttribute: givenname
    ldapUserFederationIdRef:
      name: lldap
    name: first name
    readOnly: true
    realmIdRef:
      name: my-realm
    userModelAttribute: firstName
  providerConfigRef:
    name: my-provider

---
apiVersion: ldap.keycloak.crossplane.io/v1alpha1
kind: UserFederation
metadata:
  name: lldap
spec:
  forProvider:

  providerConfigRef:
    name: my-provider
```

What ends up happening is that it creates an additional `UserAttributeMapper` with all the right configuration on the newly created `UserFederation`, instead of updating the `UserAttributeMapper` with the name `first name`. That makes sense, because these resources are effectively saying, "I want to add a new `UserAttributeMapper`." But that's not what I actually want.

One workaround is to use `deleteDefaultMappers: true` on the `UserFederation`, and create all of the (default) mappers with the configuration I want. I'm doing this in the short-term so I can have something working. But is there a different way to achieve the same goal of altering one field on a single mapper that doesn't involve recreating everything?

joneshf commented Dec 29, 2024

Seems like it's related to this upstream issue: keycloak/terraform-provider-keycloak#268. So yeah, the `deleteDefaultMappers: true` sounds like it's the way to go for now.

I don't know enough about Crossplane (only just found out about it the other day), but is it not possible to solve this by doing something in a `Composition` pipeline, like:

  1. Make a UserFederation that creates a new external resource in Keycloak.
  2. Find the external name of the created UserAttributeMapper for first name.
  3. Modify the ldapAttribute of the UserAttributeMapper.

Or is that not really how it works? It sounds like there's a ton of stuff you can do to orchestrate these resources, like this section of the Function Patch and Transform guide in the Crossplane docs. But it's a little too confusing for me to know how to use it to solve my problem (or if it even can).
