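# keycloak-resources.yaml
#
# Crossplane-managed Keycloak objects for the "kubernetes-realm" realm: the
# realm itself, two confidential OIDC clients (Pomerium, Vaultwarden), three
# groups, three realm roles, two users, group->role assignments and group
# memberships. Every document uses the same providerConfigRef.
#
# NOTE(review): the file had been collapsed onto three lines with no
# indentation (unparseable as YAML); it is restored here one document per
# `---` block, flow sequences rewritten in block style, values unchanged.
#
# NOTE(review): the group Roles documents identify groups/roles by Keycloak
# *name* (groupId: k8s-admins, roleIds: [k8s-admin]) while the Memberships
# documents identify the group by UUID; the provider expects one form for
# groupId, so confirm against the installed provider-keycloak CRD. Hard-coded
# UUIDs are bound to one Keycloak instance and will not survive a realm
# re-create; the provider's reference fields (groupIdRef / roleIdsRefs, if the
# installed version exposes them) would resolve IDs from the Group/Role objects
# declared in this file instead.
---
# Realm
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: kubernetes-realm
spec:
  forProvider:
    realm: kubernetes-realm
    enabled: true
    displayName: "Kubernetes Realm"
    registrationAllowed: false  # no self-service sign-up
    resetPasswordAllowed: true
    rememberMe: true  # long-lived login sessions; weigh against session/token lifetimes
    loginWithEmailAllowed: true
  providerConfigRef:
    name: keycloak-provider
---
# Pomerium client (identity-aware proxy). Confidential client, authorization
# code flow only: password grant and service-account flows are disabled.
# The Keycloak-generated client secret is not surfaced by this manifest (no
# writeConnectionSecretToRef); confirm how Pomerium receives it.
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: pomerium-client
spec:
  forProvider:
    realmId: kubernetes-realm
    clientId: pomerium
    name: "Pomerium Identity-Aware Proxy"
    description: "Client for Pomerium IAP"
    enabled: true
    accessType: CONFIDENTIAL
    clientAuthenticatorType: client-secret
    validRedirectUris:
      - "https://authenticate.nge6.com/oauth2/callback"  # exact match, no wildcard
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: false
    webOrigins:
      - "+"  # Keycloak shorthand: allow CORS from the origins of validRedirectUris
  providerConfigRef:
    name: keycloak-provider
---
# Vaultwarden OIDC client. Same flow restrictions as the Pomerium client;
# CORS is limited to the Vaultwarden origin rather than "+".
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: vaultwarden-client
spec:
  forProvider:
    realmId: kubernetes-realm
    clientId: vaultwarden
    name: "Vaultwarden Password Manager"
    description: "Client for Vaultwarden OIDC authentication"
    enabled: true
    accessType: CONFIDENTIAL
    clientAuthenticatorType: client-secret
    validRedirectUris:
      - "https://vault.nge6.com/identity/connect/oidc-signin"
      - "https://vault.nge6.com/sso-connector/oidc/callback"
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: false
    webOrigins:
      - "https://vault.nge6.com"
  providerConfigRef:
    name: keycloak-provider
---
# Groups
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: k8s-admins-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: k8s-admins
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: developers-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: developers
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: users-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: users
  providerConfigRef:
    name: keycloak-provider
---
# Realm roles
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: k8s-admin-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: k8s-admin
    description: "Kubernetes cluster administrator"
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: developer-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: developer
    description: "Developer access to specific namespaces"
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: user-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: user
    description: "Basic user access"
  providerConfigRef:
    name: keycloak-provider
---
# Users. No credentials are set in these documents; presumably provisioned
# out of band — confirm. emailVerified: true marks the address verified
# without an email round-trip.
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: admin-user
spec:
  forProvider:
    realmId: kubernetes-realm
    username: admin
    enabled: true
    emailVerified: true
    firstName: Admin
    lastName: User
    email: admin@nge6.com
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: eemoore-user
spec:
  forProvider:
    realmId: kubernetes-realm
    username: eemoore
    enabled: true
    emailVerified: true
    firstName: Eric
    lastName: Moore
    email: eemoore@nge6.com
  providerConfigRef:
    name: keycloak-provider
---
# Group -> realm-role assignments.
# NOTE(review): groupId/roleIds are given as Keycloak names here, whereas the
# Memberships documents below give groupId as a UUID; confirm which form the
# provider resolves (see file header).
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: k8s-admins-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupId: k8s-admins
    roleIds:
      - k8s-admin
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: developers-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupId: developers
    roleIds:
      - developer
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: users-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupId: users
    roleIds:
      - user
  providerConfigRef:
    name: keycloak-provider
---
# Group memberships (members are the usernames of the User objects above).
# Both defined users are placed in the cluster-admin group, so every user in
# this file carries the k8s-admin role; no user is placed in "developers".
# NOTE(review): these groupId values are UUIDs copied from a live Keycloak
# instance and will not match a re-created realm — see file header.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: k8s-admins-members
spec:
  forProvider:
    realmId: kubernetes-realm
    groupId: 98e13ab3-0001-4646-b097-ed52ee5baff4  # instance-specific UUID
    members:
      - admin
      - eemoore
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: users-members
spec:
  forProvider:
    realmId: kubernetes-realm
    groupId: f87d1c8e-32ee-4f63-9584-7fce67313137  # instance-specific UUID
    members:
      - admin
      - eemoore
  providerConfigRef:
    name: keycloak-provider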