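# keycloak-resources.yaml
#
# Keycloak realm, OIDC client, groups, roles and users for the Kubernetes
# cluster, managed through the Crossplane Keycloak provider.
#
# Cross-resource links (group -> roles, group -> members) use Crossplane
# references (groupIdRef / roleIdsRefs) to the managed resources in this file.
# The Keycloak API expects the server-generated IDs for groups and roles, not
# their display names, so literal values such as `groupId: k8s-admins` or
# `roleIds: ["k8s-admin"]` do not resolve; references let Crossplane fill in
# the real IDs once the referenced resources exist.
---
# Realm
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: kubernetes-realm
spec:
  forProvider:
    realm: kubernetes-realm
    enabled: true
    displayName: "Kubernetes Realm"
    # Self-registration stays off: accounts are only created by this manifest.
    registrationAllowed: false
    resetPasswordAllowed: true
    rememberMe: true
    loginWithEmailAllowed: true
    # NOTE(review): no brute-force detection or password policy is configured
    # here; the realm runs with Keycloak defaults. Consider setting them before
    # exposing the login page publicly — confirm the field names against the
    # installed provider's Realm CRD.
  providerConfigRef:
    name: keycloak-provider
---
# Pomerium OIDC client
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: pomerium-client
spec:
  forProvider:
    realmId: kubernetes-realm
    clientId: pomerium
    name: "Pomerium Identity-Aware Proxy"
    description: "Client for Pomerium IAP"
    enabled: true
    # Confidential client authenticating with a client secret. No secret value
    # is committed here; Keycloak generates it.
    # NOTE(review): nothing in this manifest surfaces that generated secret to
    # Pomerium (e.g. via the managed resource's writeConnectionSecretToRef) —
    # add that, or reference a pre-created secret, before deploying.
    accessType: CONFIDENTIAL
    clientAuthenticatorType: client-secret
    # Exact-match redirect URI, no wildcard: the authorization code can only be
    # delivered to Pomerium's authenticate service.
    validRedirectUris:
      - "https://authenticate.nge6.com/oauth2/callback"
    standardFlowEnabled: true
    # A browser-redirect IAP needs neither the password grant nor the
    # client-credentials grant; both stay off to limit the client's reach.
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: false
    # "+" is Keycloak shorthand for "the origins of validRedirectUris", i.e.
    # https://authenticate.nge6.com only — it is not a CORS wildcard.
    webOrigins:
      - "+"
  providerConfigRef:
    name: keycloak-provider
---
# Groups
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: k8s-admins-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: k8s-admins
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: developers-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: developers
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: users-group
spec:
  forProvider:
    realmId: kubernetes-realm
    name: users
  providerConfigRef:
    name: keycloak-provider
---
# Realm roles
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: k8s-admin-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: k8s-admin
    description: "Kubernetes cluster administrator"
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: developer-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: developer
    description: "Developer access to specific namespaces"
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: user-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: user
    description: "Basic user access"
  providerConfigRef:
    name: keycloak-provider
---
# Admin user
# No credential is set in this manifest (good: nothing secret lands in VCS).
# The account is usable only after a password is set out of band, e.g. through
# the realm's password-reset flow enabled above or by an operator.
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: admin-user
spec:
  forProvider:
    realmId: kubernetes-realm
    username: admin
    enabled: true
    emailVerified: true
    firstName: Admin
    lastName: User
    email: admin@nge6.com
  providerConfigRef:
    name: keycloak-provider
---
# Group -> role mappings
# Each mapping references the Group and Role managed resources above so that
# Crossplane resolves the Keycloak-side IDs itself.
# NOTE(review): if the provider treats these mappings as exhaustive (the
# Terraform resource it wraps does by default), role mappings added to the
# group by hand are removed on reconcile — confirm before relying on manual edits.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: k8s-admins-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupIdRef:
      name: k8s-admins-group
    roleIdsRefs:
      - name: k8s-admin-role
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: developers-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupIdRef:
      name: developers-group
    roleIdsRefs:
      - name: developer-role
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: users-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    groupIdRef:
      name: users-group
    roleIdsRefs:
      - name: user-role
  providerConfigRef:
    name: keycloak-provider
---
# Group memberships
# `members` are Keycloak usernames; the group itself is referenced by the
# managed resource name so its ID is resolved by Crossplane.
# The admin user is placed in k8s-admins (cluster admin) and users (baseline);
# membership in developers is deliberately not granted here.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: k8s-admins-members
spec:
  forProvider:
    realmId: kubernetes-realm
    groupIdRef:
      name: k8s-admins-group
    members:
      - admin
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: users-members
spec:
  forProvider:
    realmId: kubernetes-realm
    groupIdRef:
      name: users-group
    members:
      - admin
  providerConfigRef:
    name: keycloak-provider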