[keycloak-dev] [Keycloak Operator] Keycloak and KeycloakRealm CRDs

Pedro Igor Silva psilva at redhat.com
Mon Oct 7 08:48:01 EDT 2019 

This approach makes a lot of sense to me.

Just one comment about:

"It is perfectly fine to put everything in a single namespace (Keycloak
and KeycloakRealm CRs). This type of installation might be used by smaller
organizations."

Isn't this related to SaaS/namespace-based multi-tenancy in Kubernetes use
cases where each namespace is a tenant and may have its own Keycloak and
set of CRDs?

On Mon, Oct 7, 2019 at 8:10 AM Sebastian Laskawiec <slaskawi at redhat.com>
wrote:

> Yes, I'm very sorry... Gmail seems to ignore my pasted diagram. I'm not
> exactly sure why.
>
> On Mon, Oct 7, 2019 at 12:52 PM Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
> > Sebastian made a nice diagram, which may be helpful:
> >
> >
> >
> https://docs.google.com/document/d/18w9ZSOVN0C0KEqBICpvsKWFPzobQ9KUEcB18QE6eos0/edit?usp=sharing
> >
> >
> > On Mon, Oct 7, 2019 at 4:48 AM Sebastian Laskawiec <slaskawi at redhat.com>
> > wrote:
> > >
> > > Hey,
> > >
> > > Keycloak Operator in its initial approach will handle two types of
> > > resources - Keycloak and KeycloakRealm CRDs. The first one is
> responsible
> > > for spinning up a Keycloak instance, whereas the second one contains a
> > > Realm definition. There are many ways of combining all things together,
> > so
> > > we’d like to bring everyone on the same page with our latest proposal:
> > >
> > >
> > > The idea is for theKeycloak Operator to watch a single namespace for
> > > Keycloak CRs and multiple namespaces for KeycloakRealm CRs. Once a
> > Keycloak
> > > CR is created in the same namespace as the Operator, the Operator will
> > > create a Keycloak installation. At the same time, we’d like to let
> users
> > in
> > > different namespaces create Realms. This means, that a KeycloakRealm
> CRs
> > > need to point to a specific Keycloak CR. This mapping will be achieved
> by
> > > using Label Selectors: the Keycloak CR specifies one or more set based
> > > selectors  that allow to express which labels have to be present on a
> > > KeycloakRealm in order to be selected by the Operator. A simple example
> > > could look like this:
> > >
> > > *Keycloak CR:*
> > > realmLabelSelector:
> > >   matchLabels:
> > >     app: keycloak
> > >
> > > The Operator would then only import Keycloak Realms that have a label
> app
> > > with the value keycloak.
> > >
> > > This approach enables the following use cases:
> > > - Keycloak cluster administrators can be easily separated by Realm
> > > administrators using Namespaces. In our example, User 1 and 2 don’t
> have
> > > access to the Keycloak installation itself. The Operator creates Realms
> > on
> > > their behalf.
> > > - Users won’t be able to break other’s Realms. In our example, User 1
> > and 2
> > > don’t have access to Namespace “test2”, and therefore, can not break
> > Realm
> > > “test2”.
> > > - It is perfectly fine to put everything in a single namespace
> (Keycloak
> > > and KeycloakRealm CRs). This type of installation might be used by
> > smaller
> > > organizations.
> > > - We will allow only 1 Keycloak installation per Namespace. It is
> > possible
> > > to use multiple installations per Namespace but we couldn’t come up
> with
> > a
> > > logical use case for that. We decided to discourage users from this
> type
> > of
> > > installations and they might complicate things in the future.
> > > - Multiple keycloak operators could be running in a cluster. The
> > selectors
> > > on the KeycloakRealm determine which Keycloak instance the realm is
> > created
> > > in.
> > >
> > > Please do not hesitate to ask any questions and if you have any
> thoughts
> > in
> > > your mind, please let us know.
> > >
> > > Thanks,
> > > David, Peter, Bruno and Sebastian
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> >
> > --
> > - abstractj
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list