[keycloak-dev] [Keycloak Operator] Keycloak and KeycloakRealm CRDs

Sebastian Laskawiec slaskawi at redhat.com
Mon Oct 7 03:48:09 EDT 2019


Hey,

Keycloak Operator in its initial approach will handle two types of
resources - Keycloak and KeycloakRealm CRDs. The first one is responsible
for spinning up a Keycloak instance, whereas the second one contains a
Realm definition. There are many ways of combining all things together, so
we’d like to bring everyone on the same page with our latest proposal:


The idea is for theKeycloak Operator to watch a single namespace for
Keycloak CRs and multiple namespaces for KeycloakRealm CRs. Once a Keycloak
CR is created in the same namespace as the Operator, the Operator will
create a Keycloak installation. At the same time, we’d like to let users in
different namespaces create Realms. This means, that a KeycloakRealm CRs
need to point to a specific Keycloak CR. This mapping will be achieved by
using Label Selectors: the Keycloak CR specifies one or more set based
selectors  that allow to express which labels have to be present on a
KeycloakRealm in order to be selected by the Operator. A simple example
could look like this:

*Keycloak CR:*
realmLabelSelector:
  matchLabels:
    app: keycloak

The Operator would then only import Keycloak Realms that have a label app
with the value keycloak.

This approach enables the following use cases:
- Keycloak cluster administrators can be easily separated by Realm
administrators using Namespaces. In our example, User 1 and 2 don’t have
access to the Keycloak installation itself. The Operator creates Realms on
their behalf.
- Users won’t be able to break other’s Realms. In our example, User 1 and 2
don’t have access to Namespace “test2”, and therefore, can not break Realm
“test2”.
- It is perfectly fine to put everything in a single namespace (Keycloak
and KeycloakRealm CRs). This type of installation might be used by smaller
organizations.
- We will allow only 1 Keycloak installation per Namespace. It is possible
to use multiple installations per Namespace but we couldn’t come up with a
logical use case for that. We decided to discourage users from this type of
installations and they might complicate things in the future.
- Multiple keycloak operators could be running in a cluster. The selectors
on the KeycloakRealm determine which Keycloak instance the realm is created
in.

Please do not hesitate to ask any questions and if you have any thoughts in
your mind, please let us know.

Thanks,
David, Peter, Bruno and Sebastian


More information about the keycloak-dev mailing list