Unable to reference built-in objects #74
Comments
Hmmm, in the current terraform provider not, I guess. I think you could import the or with Then you can just reference it by k8s object. |
Are there any examples of importing a resource? Not sure I am tracking how to accomplish that. I think the feature I am looking for is the equivalent of data sources in terraform. For my example, I would want to be able to use a role data source to find the role by name and retrieve the id for use with other resources. https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/data-sources/role |
Yeah here: https://docs.crossplane.io/knowledge-base/guides/import-existing-resources/ |
In addition: there is also this open issue for crossplane which might be the feature you're asking for: crossplane/crossplane#4141 |
Thanks for the quick replies! I'll play around with importing resources and see if that gets me where I need to be. Assuming I find a solution, I'll write back with an example solution in case someone else is wanting to do the same. |
So in order to import a client role, I must first know the client id. Unfortunately, I can't import built-in clients, as to do so also requires the client id. For example, if I attempt to import the following:

```yaml
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: test-realm/realm-management
  name: realm-management
spec:
  forProvider: {}
  providerConfigRef:
    name: "non-default-config"
  managementPolicies: ["Observe"]
```

it results in the following status:

```yaml
status:
  atProvider: {}
  conditions:
  - lastTransitionTime: "2024-03-11T17:18:19Z"
    message: |-
      observe failed: cannot run import: keycloak_openid_client.realm-management: Importing from ID "test-realm/realm-management"...
      Error: error sending GET request to REDACTED/REDACTED/realms/test-realm/clients/realm-management: 404 Not Found. Response body: {"error":"Could not find client"}
      : import failed
    reason: ReconcileError
    status: "False"
    type: Synced
```

However, if I provide the client id in the import, it works as expected:

```yaml
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: test-realm/75291e36-a704-49a7-b471-a211cf8c2adf
  name: realm-management
spec:
  forProvider: {}
  providerConfigRef:
    name: "non-default-provider"
  managementPolicies: ["Observe"]
```

resulting in:

```yaml
status:
  atProvider:
    accessTokenLifespan: ""
    accessType: BEARER-ONLY
    adminUrl: ""
    backchannelLogoutRevokeOfflineSessions: false
    backchannelLogoutSessionRequired: false
    backchannelLogoutUrl: ""
    baseUrl: ""
    clientAuthenticatorType: client-secret
    clientId: realm-management
    clientOfflineSessionIdleTimeout: ""
    clientOfflineSessionMaxLifespan: ""
    clientSessionIdleTimeout: ""
    clientSessionMaxLifespan: ""
    consentRequired: false
    consentScreenText: ""
    description: ""
    directAccessGrantsEnabled: false
    displayOnConsentScreen: false
    enabled: true
    frontchannelLogoutEnabled: false
    frontchannelLogoutUrl: ""
    fullScopeAllowed: false
    id: 75291e36-a704-49a7-b471-a211cf8c2adf
    implicitFlowEnabled: false
    import: false
    loginTheme: ""
    name: ${client_realm-management}
    oauth2DeviceAuthorizationGrantEnabled: false
    oauth2DeviceCodeLifespan: ""
    oauth2DevicePollingInterval: ""
    realmId: test-realm
    rootUrl: ""
    serviceAccountUserId: ""
    serviceAccountsEnabled: false
    standardFlowEnabled: true
    useRefreshTokens: false
    useRefreshTokensClientCredentials: false
  conditions:
  - lastTransitionTime: "2024-03-11T17:25:03Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2024-03-11T17:25:04Z"
    reason: Available
    status: "True"
    type: Ready
```
|
Hm, I guess you need the client-id. You can extract that when you open your client in Keycloak and copy it from the URL.
Can you check if it works for you with the client-id? Sadly that's how Keycloak does it: sometimes you reference things by name, sometimes you reference them by a UUID. Example:

```yaml
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  annotations:
    crossplane.io/external-name: "master/152d4b09-aaf8-414a-8649-63976cc01af2"
  name: admin-cli
spec:
  forProvider: {}
  providerConfigRef:
    name: "keycloak-provider-config"
  managementPolicies: ["Observe"]
```
|
If a wrapper seems feasible, that would be awesome. There are two alternatives I can think of that go outside of provider-keycloak:
|
I tried to create a client with observe managementPolicies but I get this error. I am running Crossplane 1.15.1 with provider-keycloak v1.15.0. What did I miss when installing Crossplane?
Here is my realm and client, by the way. I am trying to create a realm with a default user that is realm admin, so that when someone asks for a new realm they can log on once as this user and then let themselves in with federation or something. The realm shows up and works great, and any user I create works too, but I can't add realm-admin to them.
|
To answer my own question, this provider doesn't allow observe by default: provider-keycloak/cmd/provider/main.go, line 51 in 7d1abb9.
I could enable it by setting this envvar, for example by using a controllerconfig ref in the provider.
|
In release v0.16.0 management policies are now enabled by default. I think this makes sense for this provider. |
Right now I am trying to attempt exactly the same thing: assign realm-management client roles to my service account. And if I understood correctly, to achieve that I need:
Meaning the chicken-and-egg problem is real. I really need to be able to automate everything, so looking up the built-in client's ID through the Keycloak UI is a no-go, and this starts to be quite problematic for me. |
I agree, how the keycloak API / backend currently works is problematic for our usecases.
@smoehrle do we have something ready to test this using composition functions? |
Ok guys, I made a PoC: https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients which calls a composition function: https://gitlab.com/corewire/images/crossplane/function-keycloak-builtin-clients/-/blob/main/function/fn.py?ref_type=heads#L40
That generates me the clients:
Obviously this is not production ready, as for simplicity I just passed in everything the function needs to talk to Keycloak. Would something like that be okay for you to use? Let me know and I'll provide something. |
I will give this a try as soon as I can take the time. Very nice from the look of it. |
@Breee Not sure how to interpret the docs in the PoC on GitLab, but my guess is this is what I should run to be able to give it a try? Or should I just deploy 1-4 in the examples and swap out the credentials? What would we then do to make this work with the Crossplane Keycloak provider so that we don't have to supply credentials at all? |
So I kind of get it to work but only for the master realm and only if I provide the root admin username and password.
|
You just apply examples 1-4 in that order. Just as a reminder, all of this can also be automated with a really simple script, e.g. in Python. |
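The lookup that the thread keeps circling around (turn a built-in client's name into the UUID Keycloak insists on, then do the same for one of its client roles) is small enough to show in full. The following is an added example, not code from provider-keycloak or from the PoC function linked above: it uses only the Keycloak Admin REST API endpoints `GET /admin/realms/{realm}/clients?clientId=...` and `GET /admin/realms/{realm}/clients/{uuid}/roles/{name}`, and emits the `<realm>/<uuid>` strings that go into the `crossplane.io/external-name` annotation of an Observe-only resource. The `<realm>/<client uuid>` form is the one shown working earlier in this thread; the `<realm>/<role uuid>` form for a Role is an assumption taken from the upstream Terraform provider's import ID for `keycloak_role`. The HTTP transport is injected as a function so the same logic runs offline against a constructed stand-in; the role UUID in the sample data is made up.

```python
"""Resolve Keycloak built-in client and client-role UUIDs by name (added example)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

# A getter maps an Admin API path (starting with /admin/realms/...) to parsed JSON.
# Injecting it keeps the lookup logic testable without a live Keycloak.
Getter = Callable[[str], Any]


class BuiltinNotFound(LookupError):
    """Raised when Keycloak reports no object with the given name (the 404 case in the thread)."""


def find_client_uuid(get_json: Getter, realm: str, client_id: str) -> str:
    """Return the internal UUID of the client whose human-readable clientId is `client_id`.

    The ?clientId= filter is an exact match and returns a list; the per-client
    path GET .../clients/{id} only accepts the UUID, which is exactly why importing
    "test-realm/realm-management" by name fails with 404 "Could not find client".
    """
    path = "/admin/realms/{}/clients?clientId={}".format(
        urllib.parse.quote(realm, safe=""), urllib.parse.quote(client_id, safe="")
    )
    matches = [c for c in get_json(path) if c.get("clientId") == client_id]
    if not matches:
        raise BuiltinNotFound(f"no client with clientId={client_id!r} in realm {realm!r}")
    return matches[0]["id"]


def find_client_role_id(get_json: Getter, realm: str, client_uuid: str, role_name: str) -> str:
    """Return the UUID of a client role, looked up by name under the client's UUID."""
    path = "/admin/realms/{}/clients/{}/roles/{}".format(
        urllib.parse.quote(realm, safe=""), client_uuid, urllib.parse.quote(role_name, safe="")
    )
    return get_json(path)["id"]


def external_names(get_json: Getter, realm: str, client_id: str, role_name: str) -> Dict[str, str]:
    """Build the external-name values for an Observe-only Client and its Role.

    "<realm>/<client uuid>" is the working form from this thread; "<realm>/<role uuid>"
    is assumed from the Terraform provider's keycloak_role import ID.
    """
    client_uuid = find_client_uuid(get_json, realm, client_id)
    role_id = find_client_role_id(get_json, realm, client_uuid, role_name)
    return {"client": f"{realm}/{client_uuid}", "role": f"{realm}/{role_id}"}


def http_getter(base_url: str, bearer_token: str, ca_bundle: Optional[str] = None) -> Getter:
    """Real transport: bearer-authenticated GET against a Keycloak server.

    `ca_bundle` lets a self-signed ingress certificate be trusted explicitly
    instead of turning certificate verification off.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def get_json(path: str) -> Any:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                raise BuiltinNotFound(f"{path}: 404 Not Found") from err
            raise

    return get_json


# Constructed offline stand-in for the Admin API. The client UUID is the one quoted
# in this thread; the role UUID is made up for the example.
SAMPLE_CLIENTS = {("test-realm", "realm-management"): "75291e36-a704-49a7-b471-a211cf8c2adf"}
SAMPLE_ROLES = {("75291e36-a704-49a7-b471-a211cf8c2adf", "realm-admin"): "0b7a4f1e-5d2c-4c9a-9e3f-6a1d2b3c4d5e"}


def sample_getter(path: str) -> Any:
    """Answer the two Admin API calls above from the constructed tables."""
    parsed = urllib.parse.urlsplit(path)
    parts = parsed.path.strip("/").split("/")  # admin, realms, <realm>, clients[, <uuid>, roles, <name>]
    realm = urllib.parse.unquote(parts[2])
    if len(parts) == 4 and parts[3] == "clients":
        wanted = urllib.parse.parse_qs(parsed.query).get("clientId", [None])[0]
        return [{"id": uid, "clientId": cid} for (r, cid), uid in SAMPLE_CLIENTS.items()
                if r == realm and cid == wanted]
    if len(parts) == 7 and parts[5] == "roles":
        key = (parts[4], urllib.parse.unquote(parts[6]))
        if key not in SAMPLE_ROLES:
            raise BuiltinNotFound(f"{path}: 404 Not Found")
        return {"id": SAMPLE_ROLES[key], "name": key[1], "clientRole": True}
    raise BuiltinNotFound(f"{path}: 404 Not Found")


if __name__ == "__main__":
    print(json.dumps(external_names(sample_getter, "test-realm", "realm-management", "realm-admin"), indent=2))
```

Against a real server, replace `sample_getter` with `http_getter("https://kc.example.test", token)` where `token` is an admin access token; the values returned by `external_names` drop straight into the `crossplane.io/external-name` annotation of a Client and a Role with `managementPolicies: ["Observe"]`, which is the import pattern shown earlier in the thread.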
So far it just creates the clients, but we would also need to get the client roles so that they can be assigned to users, which this doesn't appear to do. The way to use it, though, is exactly what I had in mind at least; not sure about you @daniel-palmer-gu? But of course instead of using username, password and URL we would use an existing providerconfig. I'd be happy to help develop / test / document this stuff into a prod-ready feature of this provider. |
Sure - this was just a PoC as I said - if this is usable for you guys we should raise a new feature request issue and define what builtin stuff we want to be able to import using the methodology I used. You can formulate that if you want - else I will do that later today. |
As someone operating a Keycloak instance, I want to be able to import the default client roles which are created as part of the realm creation into Crossplane, so that I can assign "realm-admin" to a user I create with a composite resource definition. Let me know if you want a mock-up of a claim of such an XRD. |
For selfish reasons, I would prefer a fix within the provider. However, a way to accomplish this is better than none, so I would accept a function to meet the need. |
Having an issue with tls_insecure_skip_verify not being respected in my Keycloak credentials. It works well for creating realms but not for the built-in objects function. I am running on a dev cluster where the Istio ingress gateway runs with a self-signed cert for *.platform.local, and I changed the DNS in Kubernetes so that kc.platform.local points to it directly without going out and back in, because the DNS name is not on my network, just in my hosts file. Should I set up Keycloak some other way to not run into this problem with SSL from the function?
|
That's definitely my fault and I probably don't even handle that yet, I'll look into it asap. I got some time right now.

On Sun, Jun 9, 2024, 14:19 David Söderlund wrote:

Having an issue with tls_insecure_skip_verify not being respected in my Keycloak credentials. It works well for creating realms but not for the built-in objects function. I am running on a dev cluster where the Istio ingress gateway runs with a self-signed cert for *.platform.local, and I changed the DNS in Kubernetes so that kc.platform.local points to it directly without going out and back in, because the DNS name is not on my network, just in my hosts file. Should I set up Keycloak some other way to not run into this problem with SSL from the function?

```yaml
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: crossplane-keycloak-provider:keycloak.crossplane.io/XBuiltinObjects:crossplane-system/keycloak-builtin-objects-master
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"keycloak.crossplane.io/v1alpha1","kind":"XBuiltinObjects","metadata":{"annotations":{"argocd.argoproj.io/tracking-id":"crossplane-keycloak-provider:keycloak.crossplane.io/XBuiltinObjects:crossplane-system/keycloak-builtin-objects-master"},"name":"keycloak-builtin-objects-master"},"spec":{"builtinClients":["account","account-console","admin-cli","broker","master-realm","security-admin-console"],"builtinRealmRoles":["offline_access","uma_authorization","admin","create-realm"],"providerConfigName":"keycloak-provider-config","providerSecretName":"keycloak-credentials","realm":"master"}}
  creationTimestamp: "2024-06-09T11:55:10Z"
  finalizers:
  - composite.apiextensions.crossplane.io
  generation: 3
  labels:
    crossplane.io/composite: keycloak-builtin-objects-master
  name: keycloak-builtin-objects-master
  resourceVersion: "13686"
  uid: e6e666d7-233d-4447-81ce-930b9d6b3d39
spec:
  builtinClients:
  - account
  - account-console
  - admin-cli
  - broker
  - master-realm
  - security-admin-console
  builtinRealmRoles:
  - offline_access
  - uma_authorization
  - admin
  - create-realm
  compositionRef:
    name: keycloak-builtin-objects
  compositionRevisionRef:
    name: keycloak-builtin-objects-c000411
  compositionUpdatePolicy: Automatic
  providerConfigName: keycloak-provider-config
  providerSecretName: keycloak-credentials
  realm: master
status:
  conditions:
  - lastTransitionTime: "2024-06-09T11:56:35Z"
    message: 'cannot compose resources: cannot run Composition pipeline step "keycloak-builtin-objects":
      cannot run Function "function-keycloak-builtin-objects": rpc error: code = Unknown
      desc = Unexpected <class ''keycloak.exceptions.KeycloakConnectionError''>: Can''t
      connect to server (HTTPSConnectionPool(host=''kc.platform.local'', port=443):
      Max retries exceeded with url: /realms/master/protocol/openid-connect/token
      (Caused by SSLError(SSLCertVerificationError(1, ''[SSL: CERTIFICATE_VERIFY_FAILED]
      certificate verify failed: unable to get local issuer certificate (_ssl.c:992)''))))'
    reason: ReconcileError
    status: "False"
    type: Synced
```
|
Thanks, looking forward to it. If I had a cloud cluster with a real domain I could try it out, but for developers this would be required anyway so that they don't have to run a bunch of advanced PKI. I will try and register a copy of the credentials that tries to connect to Keycloak on the internal svc name, but if I recall correctly that needs some work inside Keycloak as well to allow the connection on HTTP and on a different URL. |
No, actually that did it. Finally. Thanks so much @Breee. Here is my example highlighting the commit that made it work: QuadmanSWE/ds-ref-platform@0525b79 |
It should not, as I just committed a fix and started building v0.8.0. Releasing right now with this pipeline. In your commit you use http, not https. Anyway - good that you solved the issue. |
Changing it from https to http and going on the internal URL from the function worked; I now have two sets of credential secrets: one that uses https and the external Istio gateway name, and one that uses http and the internal Keycloak service name. Works like a charm, but I will try it out with just one set of credentials / URLs / protocols just to make sure. This brings me tremendous joy (the role naming scheme will take some time getting used to though 😄): |
Should be fixed with #83. |
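The failure quoted above (`CERTIFICATE_VERIFY_FAILED` from the function while the provider itself was fine) comes down to one question: does the code that talks to Keycloak derive its TLS settings from the same credential secret the provider reads? The block below is an added example, not the provider's or the composition function's code. It reads a credential JSON document, honours `tls_insecure_skip_verify` (the one key the thread mentions) and the URL scheme, and shows the alternative a practitioner should prefer outside throw-away dev clusters: trusting the ingress CA explicitly via a bundle path. The other key names (`url`, `realm`, `client_id`, `username`, `password`, `base_path`) are assumptions modelled on the upstream Terraform provider's settings, and the two sample secrets are constructed for the example. It uses the standard library `ssl` module rather than python-keycloak so it runs without dependencies; with `requests`, the equivalent of `CERT_NONE` is `verify=False` and of the CA bundle is `verify="/path/to/ca.pem"`.

```python
"""Derive TLS behaviour from a provider-keycloak style credential secret (added example)."""
import json
import ssl
import urllib.parse
from typing import Any, Dict, Optional, Tuple


def load_credentials(secret_json: str) -> Dict[str, Any]:
    """Parse the secret and fail early on missing keys instead of deep inside an HTTP call."""
    creds = json.loads(secret_json)
    for required in ("url", "realm", "client_id"):
        if required not in creds:
            raise ValueError(f"credential secret is missing {required!r}")
    return creds


def ssl_context_for(creds: Dict[str, Any], ca_bundle: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Return the SSLContext to use, or None when the URL is plain http.

    Precedence: http -> no TLS at all (the in-cluster service route used in the thread);
    tls_insecure_skip_verify -> certificate and hostname checks off, dev clusters only;
    otherwise the system trust store, extended with `ca_bundle` if one is supplied,
    which is the right answer for a self-signed ingress certificate.
    """
    scheme = urllib.parse.urlsplit(str(creds["url"])).scheme
    if scheme == "http":
        return None
    if scheme != "https":
        raise ValueError(f"unsupported URL scheme {scheme!r} in {creds['url']!r}")
    if bool(creds.get("tls_insecure_skip_verify", False)):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_bundle)


def token_request(creds: Dict[str, Any]) -> Tuple[str, bytes, Dict[str, str]]:
    """Build (url, body, headers) for the password grant the function performs.

    This is the POST to /realms/{realm}/protocol/openid-connect/token that the
    quoted traceback shows failing; nothing is sent here.
    """
    base = str(creds["url"]).rstrip("/") + str(creds.get("base_path", "")).rstrip("/")
    url = "{}/realms/{}/protocol/openid-connect/token".format(
        base, urllib.parse.quote(str(creds["realm"]), safe="")
    )
    form = {
        "grant_type": "password",
        "client_id": creds["client_id"],
        "username": creds.get("username", ""),
        "password": creds.get("password", ""),
    }
    if creds.get("client_secret"):
        form["client_secret"] = creds["client_secret"]
    body = urllib.parse.urlencode(form).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def describe_transport(creds: Dict[str, Any], ca_bundle: Optional[str] = None) -> str:
    """One-word summary worth logging at startup so a cert error is never a surprise."""
    ctx = ssl_context_for(creds, ca_bundle)
    if ctx is None:
        return "plain-http"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "tls-unverified"
    return "tls-verified" + (f"+{ca_bundle}" if ca_bundle else "")


# Constructed sample secrets: the external self-signed ingress and the in-cluster service.
EXTERNAL = json.dumps({
    "url": "https://kc.platform.local", "realm": "master", "client_id": "admin-cli",
    "username": "admin", "password": "REDACTED", "tls_insecure_skip_verify": True,
})
INTERNAL = json.dumps({
    "url": "http://keycloak.keycloak.svc:8080", "realm": "master", "client_id": "admin-cli",
    "username": "admin", "password": "REDACTED",
})


if __name__ == "__main__":
    for label, secret in (("external", EXTERNAL), ("internal", INTERNAL)):
        creds = load_credentials(secret)
        url, _, _ = token_request(creds)
        print(f"{label}: {describe_transport(creds)} -> {url}")
```

Running it prints `tls-unverified` for the external secret and `plain-http` for the internal one, which are the two configurations that worked in the thread. Both trade away transport security; the `ca_bundle` path (mount the ingress CA into the function pod and pass its path) keeps verification on and is the setting to ship.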
Is there a way to reference built-in objects other than through an id? It does not appear provider-keycloak provides a good way to reference built-in objects.
For example, if I want to give a user admin permissions to a realm via a client role on the realm-management client, there is no good way of referencing that role. Technically, provider-keycloak can reference it if you go to Keycloak and find the role id. However, that is inconvenient and prevents automating this type of action. It would be nice if provider-keycloak could be given the role/client role name within Keycloak as a reference. This would be convenient for other built-in objects as well.
It looks like this is something #71 is trying to accomplish as well.