{"id":35020387,"url":"https://github.com/vriesdemichael/keycloak-operator","last_synced_at":"2026-06-15T19:00:56.784Z","repository":{"id":317005777,"uuid":"1063923158","full_name":"vriesdemichael/keycloak-operator","owner":"vriesdemichael","description":"A keycloak operator that enables gitops deployment","archived":false,"fork":false,"pushed_at":"2026-06-11T04:45:31.000Z","size":76742,"stargazers_count":4,"open_issues_count":15,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-11T06:23:57.187Z","etag":null,"topics":["authorization","gitops","idp","keycloak","kopf","kubernetes","oauth2","operator","realm"],"latest_commit_sha":null,"homepage":"https://vriesdemichael.github.io/keycloak-operator/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vriesdemichael.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"docs/security/threat-model.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-09-25T09:50:09.000Z","updated_at":"2026-06-11T04:44:49.000Z","dependencies_parsed_at":"2026-05-04T07:02:19.696Z","dependency_job_id":null,"html_url":"https://github.com/vriesdemichael/keycloak-operator","commit_stats":null,"previous_names":["vriesdemichael/keycloak-operator"],"tags_count":376,"template":false,"template_full_name":null,"purl":"pkg:github/vriesdemichael/keycloak-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vriesdemichael%2Fkeycloak-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vriesdemichael%2Fkeycloak-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vriesdemichael%2Fkeycloak-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vriesdemichael%2Fkeycloak-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vriesdemichael","download_url":"https://codeload.github.com/vriesdemichael/keycloak-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vriesdemichael%2Fkeycloak-operator/sbom","scorecard":{"id":1239835,"data":{"date":"2025-11-18T11:09:28Z","repo":{"name":"github.com/vriesdemichael/keycloak-operator","commit":"85a46cce26775bc13ed809623d4ac998ce6b0152"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":4,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":4,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disable on branch 'main'","Warn: 'stale review dismissal' is disable on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disable on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"11 out of 11 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: script injection with untrusted input ' github.event.head_commit.message || '' ': .github/workflows/ci-cd-unified.yml:67"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci-cd-unified.yml:199"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: a command can only contain words and redirects; encountered (: images/operator/Dockerfile.test:73-77","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-rebase.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/auto-rebase.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-rebase.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/auto-rebase.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-rebase.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/auto-rebase.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:448: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:452: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:456: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:462: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:471: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:474: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:498: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:546: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:576: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:850: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:875: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:646: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1006: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1008: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1012: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1018: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1041: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1045: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:1049: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:337: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:341: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:347: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:350: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:355: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:359: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:371: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:388: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:395: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:404: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:411: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:418: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:427: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:750: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:753: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:756: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:771: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:787: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:803: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:810: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:818: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:940: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:948: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:969: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:212: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:254: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:262: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:272: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:292: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:294: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-cd-unified.yml:298: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/ci-cd-unified.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/keycloak-optimized.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/keycloak-optimized.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-dev.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages-release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages-release.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-release.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages-release.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/pages-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/promote-operator.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/promote-operator.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-chart-image-tag.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/update-chart-image-tag.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-chart-image-tag.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/vriesdemichael/keycloak-operator/update-chart-image-tag.yml/main?enable=pin","Warn: containerImage not pinned by hash: images/keycloak-optimized/Dockerfile:10","Warn: containerImage not pinned by hash: images/keycloak-optimized/Dockerfile:37","Warn: containerImage not pinned by hash: images/operator/Dockerfile:4","Warn: containerImage not pinned by hash: images/operator/Dockerfile:37","Warn: containerImage not pinned by hash: images/operator/Dockerfile.test:6","Warn: containerImage not pinned by hash: images/operator/Dockerfile.test:36","Info:   0 out of  46 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  47 third-party GitHubAction dependencies pinned","Info:   0 out of   6 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-cd-unified.yml:333","Info: jobLevel 'actions' permission set to 'read': .github/workflows/ci-cd-unified.yml:334","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-cd-unified.yml:444","Info: jobLevel 'packages' permission set to 'read': .github/workflows/ci-cd-unified.yml:445","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci-cd-unified.yml:743","Info: jobLevel 'contents' permission set to 'read': .github/workflows/keycloak-optimized.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:20","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:21","Warn: topLevel 'contents' permission set to 'write': .github/workflows/auto-rebase.yml:13","Warn: no topLevel permission defined: .github/workflows/ci-cd-unified.yml:1","Warn: no topLevel permission defined: .github/workflows/keycloak-optimized.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/pages-dev.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/pages-release.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/promote-operator.yml:11","Warn: topLevel 'packages' permission set to 'write': .github/workflows/promote-operator.yml:12","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/promote-operator.yml:13","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-please.yml:11","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:11","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update-chart-image-tag.yml:16","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-11-18T11:19:16.819Z","repository_id":317005777,"created_at":"2025-11-18T11:19:16.828Z","updated_at":"2025-11-18T11:19:16.828Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34376125,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","gitops","idp","keycloak","kopf","kubernetes","oauth2","operator","realm"],"created_at":"2025-12-27T05:49:15.907Z","updated_at":"2026-06-15T19:00:56.763Z","avatar_url":"https://github.com/vriesdemichael.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Keycloak Operator\n\n[![CI/CD Pipeline (Unified)](https://github.com/vriesdemichael/keycloak-operator/actions/workflows/ci-cd-unified.yml/badge.svg)](https://github.com/vriesdemichael/keycloak-operator/actions/workflows/ci-cd-unified.yml)\n[![codecov](https://codecov.io/gh/vriesdemichael/keycloak-operator/branch/main/graph/badge.svg)](https://codecov.io/gh/vriesdemichael/keycloak-operator)\n[![Helm Chart](https://img.shields.io/badge/dynamic/yaml?url=https://raw.githubusercontent.com/vriesdemichael/keycloak-operator/main/charts/keycloak-operator/Chart.yaml\u0026query=$.version\u0026label=chart\u0026color=blue)](https://github.com/vriesdemichael/keycloak-operator/pkgs/container/charts%2Fkeycloak-operator)\n[![License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Python 3.14](https://img.shields.io/badge/python-3.14-blue.svg)](https://www.python.org/downloads/)\n\nA Kubernetes operator for managing Keycloak instances, realms, and OAuth2/OIDC clients declaratively with full GitOps compatibility.\n\n## 🚀 Quick Start\n\nGet a complete Keycloak setup running in under 10 minutes.\n\nHelm charts are the recommended deployment path. Direct CR manifests are supported for advanced/manual workflows where you want to manage RBAC, secret access, and lifecycle wiring yourself.\n\n```bash\n# 1. Install the operator and a managed Keycloak instance\n# Note: The chart creates the namespace by default, don't use --create-namespace\nhelm install keycloak-operator \\\n  oci://ghcr.io/vriesdemichael/charts/keycloak-operator \\\n  --namespace keycloak-system \\\n  --set keycloak.managed=true \\\n  --set keycloak.database.cnpg.enabled=true\n\n# Or install from local charts:\n# helm install keycloak-operator ./charts/keycloak-operator \\\n#   --namespace keycloak-system\n\n# 2. Create an identity realm\nhelm install my-app-realm \\\n  oci://ghcr.io/vriesdemichael/charts/keycloak-realm \\\n  --namespace my-app \\\n  --create-namespace \\\n  --set realmName=my-app \\\n  --set operatorRef.namespace=keycloak-system \\\n  --set 'clientAuthorizationGrants={my-app}'\n\n# 3. Create an OAuth2 client\nhelm install my-app-client \\\n  oci://ghcr.io/vriesdemichael/charts/keycloak-client \\\n  --namespace my-app \\\n  --set clientId=my-app \\\n  --set realmRef.name=my-app-realm \\\n  --set realmRef.namespace=my-app \\\n  --set 'redirectUris={https://my-app.example.com/callback}'\n```\n\n**📖 [Full Quick Start Guide →](https://vriesdemichael.github.io/keycloak-operator/latest/quickstart/)**\n\n**Advanced:** If you want to work directly with CR manifests instead of Helm releases, see [Helm vs Direct CR Deployments](https://vriesdemichael.github.io/keycloak-operator/latest/how-to/helm-vs-cr-deployments/).\n\n## ✨ Features\n\n- **Declarative Configuration** - Manage Keycloak entirely through Kubernetes resources\n- **Admission Webhooks** - Immediate validation feedback with clear error messages ([docs](https://vriesdemichael.github.io/keycloak-operator/latest/admission-webhooks/))\n- **GitOps Ready** - Full observability with status conditions and `observedGeneration` tracking\n- **Drift Detection** - Automatic detection of orphaned resources and configuration drift ([docs](https://vriesdemichael.github.io/keycloak-operator/latest/guides/drift-detection/))\n- **Cross-Namespace Support** - Secure delegation model for multi-tenant environments\n- **Production Ready** - Rate limiting, exponential backoff, and comprehensive monitoring\n- **Comprehensive Test Coverage** - Unit and integration tests with coverage tracking\n- **Resource Quotas** - Namespace-level limits on realms and clients via admission webhooks\n- **Rate Limiting** - Two-level throttling (global + per-namespace) protects Keycloak from overload\n- **High Availability** - Multi-replica Keycloak with PostgreSQL clustering via CloudNativePG\n- **OAuth2/OIDC Clients** - Automated client provisioning with credential management\n- **Service Accounts** - Declarative role assignment for machine-to-machine authentication\n- **OIDC Endpoint Discovery** - Automatic population of all OIDC/OAuth2 endpoints in realm status\n- **Multi-Version Support** - Supports Keycloak 24.x, 25.x, and 26.x via compatibility adapters\n\n## 📚 Documentation\n\n**🌐 [Full Documentation](https://vriesdemichael.github.io/keycloak-operator/)** - Versioned documentation with version selector\n\n### Quick Links\n\n- **[Quick Start Guide](https://vriesdemichael.github.io/keycloak-operator/latest/quickstart/)** - Get started in 10 minutes\n- **[Helm vs Direct CR Deployments](https://vriesdemichael.github.io/keycloak-operator/latest/how-to/helm-vs-cr-deployments/)** - Recommended workflow versus advanced manual path\n- **[Architecture](https://vriesdemichael.github.io/keycloak-operator/latest/concepts/architecture/)** - How the operator works\n- **[Admission Webhooks](https://vriesdemichael.github.io/keycloak-operator/latest/admission-webhooks/)** - Resource validation and quotas\n- **[Security Model](https://vriesdemichael.github.io/keycloak-operator/latest/concepts/security/)** - Secret-based authorization explained\n- **[Drift Detection](https://vriesdemichael.github.io/keycloak-operator/latest/guides/drift-detection/)** - Orphan detection and auto-remediation\n- **[Observability](https://vriesdemichael.github.io/keycloak-operator/latest/guides/observability/)** - Metrics, logs, and status conditions\n- **[Versioning](https://vriesdemichael.github.io/keycloak-operator/latest/versioning/)** - How to access older documentation and chart versions\n- **[Development Guide](https://vriesdemichael.github.io/keycloak-operator/latest/development/)** - Contributing to the project\n\n\u003e **Note: Version-Specific Documentation**\n\u003e Use the version selector in the documentation to view docs for your installed version.\n\u003e See the [Versioning Guide](https://vriesdemichael.github.io/keycloak-operator/latest/versioning/) for details.\n\n## 🏗️ Architecture\n\nThe operator manages three custom resources:\n\n```mermaid\nflowchart LR\n  kc[Keycloak\\nInstance]\n  realm[KeycloakRealm\\nIdentity Boundary]\n  client[KeycloakClient\\nOAuth2/OIDC Boundary]\n\n  kc --\u003e realm --\u003e client\n```\n\n- **Keycloak**: The identity server instance with database and networking\n- **KeycloakRealm**: Identity domain with users, roles, and authentication settings\n- **KeycloakClient**: OAuth2/OIDC applications with automated credential management\n\n## 🌐 External Keycloak Mode\n\nThe operator can manage resources (realms, clients) in an existing, external Keycloak instance instead of deploying its own.\n\n### Configuration\n\nIn your `values.yaml`:\n\n```yaml\nkeycloak:\n  managed: false\n  url: \"https://keycloak.example.com\"\n  adminUsername: \"admin\"\n  adminSecret: \"my-external-secret\"  # Secret in the operator namespace\n  adminPasswordKey: \"password\"\n```\n\nThis is the actual chart contract for external mode:\n\n- `keycloak.managed=false` disables templating of the managed `Keycloak` CR\n- `keycloak.url` tells the operator where the existing Keycloak instance lives\n- `keycloak.adminSecret` tells the operator which Secret to read for the admin password\n- `keycloak.adminPasswordKey` defaults to `password`, but can be overridden when your Secret uses a different key\n\nDo not confuse this with `keycloak.admin.existingSecret`, which is only used for managed mode when `keycloak.managed=true`.\n\n#### Creating the Admin Secret\n\nThe admin secret must exist in the operator's namespace. It only needs to contain the password value the operator will use together with `keycloak.adminUsername`.\n\n```bash\nkubectl create secret generic my-external-secret \\\n  --from-literal=password='your-admin-password' \\\n  --namespace keycloak-system\n```\n\n**Note:** In external mode, the operator connects directly to the existing Keycloak instance using `keycloak.url` and the configured admin Secret. You typically do not deploy a managed `Keycloak` CR from this chart in that setup.\n\n## 📊 Example\n\nCreate a complete OAuth2 setup:\n\n```yaml\n# yaml-language-server: $schema=https://vriesdemichael.github.io/keycloak-operator/schemas/v1/Keycloak.json\n# Keycloak instance with PostgreSQL database\napiVersion: vriesdemichael.github.io/v1\nkind: Keycloak\nmetadata:\n  name: keycloak\n  namespace: keycloak-system\nspec:\n  replicas: 3\n  image: quay.io/keycloak/keycloak:26.0.0\n  database:\n    type: postgresql\n    host: keycloak-postgres-rw\n    port: 5432\n    database: app\n    username: app\n    passwordSecret:\n      name: keycloak-postgres-app\n      key: password\n---\n# yaml-language-server: $schema=https://vriesdemichael.github.io/keycloak-operator/schemas/v1/KeycloakRealm.json\n# Identity realm with client authorization grants\napiVersion: vriesdemichael.github.io/v1\nkind: KeycloakRealm\nmetadata:\n  name: my-app-realm\n  namespace: my-app\nspec:\n  realmName: my-app\n  operatorRef:\n    namespace: keycloak-system\n  # Namespaces authorized to create clients in this realm\n  clientAuthorizationGrants:\n    - my-app\n---\n# yaml-language-server: $schema=https://vriesdemichael.github.io/keycloak-operator/schemas/v1/KeycloakClient.json\n# OAuth2 client (namespace must be in realm's clientAuthorizationGrants)\napiVersion: vriesdemichael.github.io/v1\nkind: KeycloakClient\nmetadata:\n  name: my-app-client\n  namespace: my-app\nspec:\n  clientId: my-app\n  realmRef:\n    name: my-app-realm\n    namespace: my-app\n  publicClient: false\n  redirectUris:\n    - \"https://my-app.example.com/callback\"\n```\n\nSee [examples/](examples/) for advanced raw-manifest examples. For normal installs, prefer the Helm charts and the quick start flow above.\n\n## 🎯 IDE Integration\n\nGet autocompletion, validation, and inline documentation in your IDE using published JSON schemas:\n\n```yaml\n# yaml-language-server: $schema=https://vriesdemichael.github.io/keycloak-operator/schemas/v1/KeycloakRealm.json\napiVersion: vriesdemichael.github.io/v1\nkind: KeycloakRealm\n# ... IDE will autocomplete fields with descriptions!\n```\n\n**Features:**\n- ✅ Autocomplete for all CRD fields\n- ✅ Inline validation with error messages\n- ✅ Field descriptions from CRD schema\n- ✅ Enum value suggestions\n\n**Supported IDEs:**\n- VS Code (with [YAML extension](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml))\n- IntelliJ IDEA / PyCharm (built-in)\n- Neovim (with yaml-language-server)\n\n**Available schemas:**\n- `https://vriesdemichael.github.io/keycloak-operator/schemas/v1/Keycloak.json`\n- `https://vriesdemichael.github.io/keycloak-operator/schemas/v1/KeycloakRealm.json`\n- `https://vriesdemichael.github.io/keycloak-operator/schemas/v1/KeycloakClient.json`\n\nAdd the schema annotation as the first line of your YAML files to enable IDE features.\n\n## 🔐 Security\n\nThe operator uses a **namespace grant authorization model** combining Kubernetes RBAC with declarative access control:\n\n- **Realm Creation**: Controlled by standard Kubernetes RBAC (who can create `KeycloakRealm` resources)\n- **Client Creation**: Controlled by realm's `clientAuthorizationGrants` list (which namespaces can create clients)\n- **Self-service**: Teams can create realms and clients without platform team intervention\n- **GitOps Native**: All authorization is declarative and stored in Git\n- **Auditability**: All access changes tracked in Git history and Kubernetes audit logs\n\nRead the [Security Model](https://vriesdemichael.github.io/keycloak-operator/latest/concepts/security/) documentation for detailed authorization architecture.\n\n## 📈 Monitoring\n\nThe operator exposes Prometheus metrics and includes a Grafana dashboard:\n\n```bash\n# Enable monitoring in Helm chart\nhelm install keycloak-operator ./charts/keycloak-operator \\\n  --set monitoring.enabled=true \\\n  --set monitoring.prometheusRules.enabled=true \\\n  --set monitoring.grafanaDashboard.enabled=true\n```\n\nKey metrics:\n- Reconciliation success/failure rates\n- Rate limiting wait times and timeouts\n- Reconciliation duration (p50/p95/p99)\n- Resource counts by phase\n\nSee [Observability](https://vriesdemichael.github.io/keycloak-operator/latest/guides/observability/) for full details.\n\n## 🚦 Rate Limiting\n\nThe operator implements two-level rate limiting to protect Keycloak from API overload:\n\n### Configuration\n\n```yaml\nenv:\n  # Global rate limit (all namespaces combined)\n  - name: KEYCLOAK_API_GLOBAL_RATE_LIMIT_TPS\n    value: \"50\"  # requests per second\n  - name: KEYCLOAK_API_GLOBAL_BURST\n    value: \"100\"  # burst capacity\n\n  # Per-namespace rate limit (fair sharing)\n  - name: KEYCLOAK_API_NAMESPACE_RATE_LIMIT_TPS\n    value: \"5\"  # requests per second\n  - name: KEYCLOAK_API_NAMESPACE_BURST\n    value: \"10\"  # burst capacity\n\n  # Jitter to prevent thundering herd\n  - name: RECONCILE_JITTER_MAX_SECONDS\n    value: \"5.0\"  # 0-5 second random delay\n```\n\n### Protection Scenarios\n\n| Scenario | Protection |\n|----------|-----------|\n| Spam 1000 realms in one namespace | Limited to 5 req/s = 200s minimum |\n| Multiple teams overwhelming Keycloak | Global 50 req/s enforced |\n| Operator restart (50+ resources) | Jitter + rate limiting prevents flood |\n\n### Monitoring\n\nPrometheus metrics available at `:8081/metrics`:\n- `keycloak_operator_api_rate_limit_wait_seconds` - Time waiting for tokens\n- `keycloak_operator_api_rate_limit_acquired_total` - Successful token acquisitions\n- `keycloak_operator_api_rate_limit_timeouts_total` - Rate limit timeout errors\n- `keycloak_operator_api_rate_limit_budget_available` - Current available tokens per namespace\n\n## 🤝 Contributing\n\nContributions welcome!\n\nTo set up a development environment:\n\n```bash\n# Clone the repository\ngit clone https://github.com/vriesdemichael/keycloak-operator.git\ncd keycloak-operator\n\n# Check required tools and install pre-commit hooks\ntask dev:setup\n\n# Run quality checks\ntask quality:check\n\n# Run unit tests\ntask test:unit\n```\n\nSee [Development Guide](https://vriesdemichael.github.io/keycloak-operator/latest/development/) and [AGENTS.md](AGENTS.md) for more details.\n\n## 📝 License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n## 🔗 Links\n\n- [GitHub Repository](https://github.com/vriesdemichael/keycloak-operator)\n- [Issue Tracker](https://github.com/vriesdemichael/keycloak-operator/issues)\n- [Documentation](https://vriesdemichael.github.io/keycloak-operator/latest/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvriesdemichael%2Fkeycloak-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvriesdemichael%2Fkeycloak-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvriesdemichael%2Fkeycloak-operator/lists"}