Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/vshn/appuio-keycloak-adapter
Organization Adapter for APPUiO Cloud
https://github.com/vshn/appuio-keycloak-adapter
vshn-project-apub
Last synced: about 1 month ago
JSON representation
Organization Adapter for APPUiO Cloud
- Host: GitHub
- URL: https://github.com/vshn/appuio-keycloak-adapter
- Owner: vshn
- License: bsd-3-clause
- Created: 2022-02-01T15:03:42.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2024-11-17T15:41:31.000Z (about 2 months ago)
- Last Synced: 2024-11-17T16:37:50.807Z (about 2 months ago)
- Topics: vshn-project-apub
- Language: Go
- Homepage:
- Size: 667 KB
- Stars: 0
- Watchers: 4
- Forks: 0
- Open Issues: 12
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Keycloak Adapter for APPUiO Cloud
[][build]
[][releases]
[][codeclimate]
[][codeclimate]
[][releases]
[build]: https://github.com/vshn/appuio-keycloak-adapter/actions?query=workflow%3ATest
[releases]: https://github.com/vshn/appuio-keycloak-adapter/releases
[codeclimate]: https://codeclimate.com/github/vshn/appuio-keycloak-adapter
The [APPUiO Control API](https://github.com/appuio/control-api) enables self-service for [APPUiO Cloud](https://appuio.cloud).
One key part of this is to allow users to manage organizations and teams themselves.
However the APPUiO Control API does not require a specific identity provider (IdP), but has a plugin-like architecture and relies on Kubernetes controllers to interface with an IdP.
This project is such a controller that interfaces with Keycloak, the default IdP for APPUiO Cloud.
## Usage
```
Usage of ./appuio-keycloak-adapter:
-keycloak-password string
The password to log in to the Keycloak server.
-keycloak-realm string
The realm to sync the groups to.
-keycloak-url https://keycloak.example.com
The address of the Keycloak server (E.g. https://keycloak.example.com).
-keycloak-username string
The username to log in to the Keycloak server.
-sync-schedule string
A cron style schedule for the organization synchronization interval. (default "@every 5m")
-sync-timeout duration
The timeout for a single synchronization run. (default 10s)
-sync-roles string
A comma separated list of cluster roles to bind to users when importing a new organization.
```
### Authenticating to Keycloak
A user with permissions to query for Keycloak groups as well as query and manage users must be available.
The following permissions must be associated to the user:
* Password must be set (Temporary option unselected) on the _Credentials_ tab
* On the _Role Mappings_ tab, select _realm-management_ next to the _Client Roles_ dropdown and then select **query-users**, **manage-users**, and **query-groups**.
### Organization Import
In addition to mirroring changes on `Organization` resources to Keycloak, this component will also periodically import any top-level Keycloak group as `Organizations`
It will however only create `Organization` resources and will never update them.
This import schedule is configured through the `sync-schedule` flag and the `ClusterRoles` specified in the `sync-roles` flag will be bound to every member of the Keycloak group at the time of the initial import.
## Development
### Run Locally
1. Start the local Control API: https://github.com/appuio/control-api/tree/master/local-env
1. Build controller `make build`
1. Setup Keycloak management user
1. Run controller against the local Control API.
**Make sure to connect to the local cluster.
If not configured otherwise the controller will connect to cluster defined in your current kubeconfig.**
```
./appuio-keycloak-adapter \
--keycloak-url https://id.dev.appuio.cloud/ --keycloak-realm \
--keycloak-username --keycloak-password
```