- Created eemoore user in Keycloak with admin privileges
- Added to the k8s-admins group for cluster-admin access
- Added to the users group for basic access
- User: eemoore@nge6.com (Eric Moore)

The user will have full access to all services via Pomerium authentication.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
# keycloak-resources.yaml
#
# Keycloak objects for the Pomerium-fronted cluster, declared as Crossplane
# managed resources. Every resource in this file reaches Keycloak through the
# 'keycloak-provider' ProviderConfig.
#
# Realm that holds the Pomerium client, the groups, roles and users below.
---
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: kubernetes-realm
spec:
  forProvider:
    realm: kubernetes-realm
    displayName: 'Kubernetes Realm'
    enabled: true
    # Self-registration stays off: accounts exist only if declared in this
    # manifest (see the User resources), so nobody can mint a login by
    # visiting the registration page.
    registrationAllowed: false
    # The e-mail address is accepted as a login identifier alongside the
    # username.
    loginWithEmailAllowed: true
    # Self-service password reset. NOTE(review): this flow can only deliver a
    # reset link if the realm has SMTP configured; nothing in this file sets
    # that up, so confirm it is configured elsewhere.
    resetPasswordAllowed: true
    # NOTE(review): "remember me" keeps the login alive across browser
    # restarts. Members of this realm carry cluster-admin roles; decide
    # whether a long-lived browser session is acceptable for them.
    rememberMe: true
    # NOTE(review): nothing here enables brute-force detection or a password
    # policy, so unless they are set elsewhere the realm runs with Keycloak's
    # defaults. Look up the security-defenses / password-policy fields on the
    # installed Realm CRD and set them before exposing the login page.
  providerConfigRef:
    name: keycloak-provider
---
# OIDC client used by Pomerium (the identity-aware proxy in front of the
# cluster's services) to authenticate users against kubernetes-realm.
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: pomerium-client
spec:
  forProvider:
    realmId: kubernetes-realm
    clientId: pomerium
    name: 'Pomerium Identity-Aware Proxy'
    description: 'Client for Pomerium IAP'
    enabled: true
    # Confidential client authenticating with a client secret. The secret is
    # deliberately not written into this manifest; Keycloak generates it.
    # NOTE(review): deliver it to Pomerium through a Kubernetes Secret
    # (Crossplane managed resources can export sensitive attributes via
    # spec.writeConnectionSecretToRef) instead of copying it by hand —
    # confirm the provider exposes the client secret as a connection detail.
    accessType: CONFIDENTIAL
    clientAuthenticatorType: client-secret
    # Only the Authorization Code flow is on. Password grant and
    # service-account (client-credentials) access are off, so possession of
    # the client secret alone cannot obtain a token without a user login.
    standardFlowEnabled: true
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: false
    # Exact callback URL, no wildcard: an authorization code cannot be
    # redirected to another host or path.
    # NOTE(review): PKCE is not enforced on this client. If Pomerium sends a
    # code_challenge, consider requiring S256 here — confirm both the CRD
    # field and Pomerium's behaviour first, since enforcing it would break a
    # client that does not send one.
    validRedirectUris:
      - 'https://authenticate.nge6.com/oauth2/callback'
    # In Keycloak, '+' allows CORS only from the origins of the valid
    # redirect URIs above ('*' would allow any origin).
    webOrigins:
      - '+'
  providerConfigRef:
    name: keycloak-provider
---
# Groups. Their members (Memberships resources) and their realm-role
# bindings (Roles resources) are declared at the end of this file.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: k8s-admins-group
spec:
  forProvider:
    realmId: kubernetes-realm
    # Group intended to carry the k8s-admin realm role (cluster administrators).
    name: k8s-admins
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: developers-group
spec:
  forProvider:
    realmId: kubernetes-realm
    # Group intended to carry the developer realm role. No user in this file
    # is placed in it yet.
    name: developers
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: users-group
spec:
  forProvider:
    realmId: kubernetes-realm
    # Baseline group intended to carry the user realm role; every account
    # declared in this file is a member.
    name: users
  providerConfigRef:
    name: keycloak-provider
---
# Realm roles. A Keycloak role grants nothing by itself: the consumer
# (Pomerium policy, kube-apiserver OIDC claims / RBAC) has to map the role
# name to permissions, and that mapping lives outside this file.
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: k8s-admin-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: k8s-admin
    description: 'Kubernetes cluster administrator'
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: developer-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: developer
    # Which namespaces count as "specific" is decided by the consumer of the
    # role, not by Keycloak.
    description: 'Developer access to specific namespaces'
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: user-role
spec:
  forProvider:
    realmId: kubernetes-realm
    name: user
    description: 'Basic user access'
  providerConfigRef:
    name: keycloak-provider
---
# Bootstrap administrator account inside kubernetes-realm (a realm user, not
# the Keycloak master-realm admin).
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: admin-user
spec:
  forProvider:
    realmId: kubernetes-realm
    username: admin
    firstName: Admin
    lastName: User
    email: admin@nge6.com
    enabled: true
    # NOTE(review): marking the address verified skips Keycloak's verification
    # e-mail. With loginWithEmailAllowed on for the realm, this address becomes
    # a valid login identifier without anyone having proven control of the
    # mailbox.
    emailVerified: true
    # No credential is declared, so nothing secret lands in git. The account
    # is unusable until a password or other credential is set out-of-band
    # (administrator action or the realm's password-reset flow).
  providerConfigRef:
    name: keycloak-provider
---
# Personal account for Eric Moore; added to k8s-admins and users below.
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: eemoore-user
spec:
  forProvider:
    realmId: kubernetes-realm
    username: eemoore
    firstName: Eric
    lastName: Moore
    email: eemoore@nge6.com
    enabled: true
    # NOTE(review): pre-verified without a verification e-mail; because the
    # realm allows login by e-mail, this address is immediately a usable login
    # identifier.
    emailVerified: true
    # No credential is declared here (nothing secret in git); one has to be
    # provisioned out-of-band before this account can sign in.
  providerConfigRef:
    name: keycloak-provider
---
# Group -> realm-role bindings.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: k8s-admins-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    # NOTE(review): groupId and roleIds are given as the human-readable names
    # declared above, but the Keycloak API identifies groups and roles by
    # UUID. Unless the provider resolves names, this binding fails to
    # reconcile and nobody actually receives k8s-admin. Prefer the CRD's
    # cross-resource reference fields pointing at k8s-admins-group and
    # k8s-admin-role — confirm the exact field names on the installed CRD.
    groupId: k8s-admins
    roleIds:
      - k8s-admin
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: developers-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    # NOTE(review): names rather than Keycloak UUIDs — verify the provider
    # resolves them, or switch to the CRD's reference fields targeting
    # developers-group and developer-role.
    groupId: developers
    roleIds:
      - developer
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Roles
metadata:
  name: users-roles
spec:
  forProvider:
    realmId: kubernetes-realm
    # NOTE(review): names rather than Keycloak UUIDs — verify the provider
    # resolves them, or switch to the CRD's reference fields targeting
    # users-group and user-role.
    groupId: users
    roleIds:
      - user
  providerConfigRef:
    name: keycloak-provider
---
# Group memberships. Both accounts declared in this file are cluster
# administrators; 'eemoore' is listed here so the account inherits whatever
# k8s-admins grants.
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: k8s-admins-members
spec:
  forProvider:
    realmId: kubernetes-realm
    # NOTE(review): groupId is the group's name, while the Keycloak API
    # expects the group UUID — verify the provider resolves it, or use the
    # CRD's reference field targeting k8s-admins-group. Members are usernames.
    groupId: k8s-admins
    # NOTE(review): if this resource is authoritative for the group's member
    # list, anyone added to k8s-admins outside this manifest is removed on the
    # next reconcile — a useful control for an admin group; confirm the
    # provider's semantics before relying on it.
    members:
      - admin
      - eemoore
  providerConfigRef:
    name: keycloak-provider
---
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Memberships
metadata:
  name: users-members
spec:
  forProvider:
    realmId: kubernetes-realm
    # NOTE(review): group given by name; the Keycloak API expects the group
    # UUID — verify the provider resolves it, or use the CRD's reference field
    # targeting users-group.
    groupId: users
    members:
      - admin
      - eemoore
  providerConfigRef:
    name: keycloak-provider