# Release Notes

## What's New

### Multi-Type References Support
- **Protocol Mappers**: Added `samlClientIdRef`/`samlClientIdSelector` and `samlClientScopeIdRef`/`samlClientScopeIdSelector` fields to reference SAML clients and client scopes alongside the existing OIDC references (#468)
- **Client Policies**: Added `samlClients`/`samlClientsRefs`/`samlClientsSelector` fields to reference SAML clients in authorization policies alongside OIDC clients (#468)
- **Authentication Execution**: Fixed late initialization of the `parentFlowAlias` field to prevent configuration drift (#468)
- Source: Commit 7ff121d
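As an added example that is not part of these release notes, the following manifest shows a client policy that grants access to a SAML client through the new `samlClientsRefs` field, next to an OIDC client referenced through the pre-existing `clientsRefs`. The `samlClientsRefs` field is the one introduced in #468; the kind name `ClientClientPolicy`, the `decisionStrategy`/`logic` values and all object names are assumptions made for illustration.

```yaml
# Added example (assumed kind name and object names); not from the release notes.
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientClientPolicy
metadata:
  name: partner-clients-policy
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "partner-clients-only"
    # UNANIMOUS/POSITIVE: every listed client must match for the policy to grant
    decisionStrategy: "UNANIMOUS"
    logic: "POSITIVE"
    realmIdRef:
      name: my-realm
    # The resource server (OIDC client with authorization enabled) that owns the policy
    resourceServerIdRef:
      name: my-client
    # Existing OIDC reference
    clientsRefs:
      - name: partner-oidc-app
    # New in this release: reference a SAML Client resource directly
    samlClientsRefs:
      - name: partner-saml-app
```

Referencing the SAML client by resource name rather than by its Keycloak UUID lets the provider resolve the ID at reconcile time, so the policy does not break when the SAML client is recreated.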
### Keycloak Terraform Provider Update
- Updated to `terraform-provider-keycloak` v5.6.0 (from commit 31116ff to a6bac02)
- Introduces new Keycloak features and API improvements
- Source: Commits 9274bab and e9fee1f
- Upstream Provider: keycloak/terraform-provider-keycloak v5.6.0
### Autogenerated Schema Updates

**Realm Resources:**
- Added `maxTemporaryLockouts` field for brute force protection configuration (2aba5a3)
- Added `adminPermissionsEnabled` flag for fine-grained permission control (2aba5a3)
- Added `terraformDeletionProtection` safety flag to prevent accidental deletions (2aba5a3)
- Added `allowUtf8` flag for UTF-8 support in SMTP server configuration (2aba5a3)

**LDAP User Federation:**
- Added `connectionPooling` flag to enable LDAP connection pooling (2aba5a3)
- Added `debug` field to enable/disable Kerberos authentication logging (2aba5a3)
- Added `krbPrincipalAttribute` field to specify the LDAP attribute used for Kerberos principal lookup (2aba5a3)

**OpenID Client Resources:**
- Added `requireDpopBoundTokens` flag to enable Demonstrating Proof-of-Possession (DPoP) bound token support (2aba5a3)

**Group Resources:**
- Added `description` field for group descriptions
- Source: Auto-generated from upstream provider update (commit 2aba5a3)

**SAML Client Resources:**
- Added `encryptionAlgorithm` field to specify the SAML assertion encryption algorithm (supports AES_256_GCM, AES_192_GCM, AES_128_GCM, AES_256_CBC, AES_192_CBC, AES_128_CBC)
- Source: Auto-generated from upstream provider update (commit 2aba5a3)
### Development & Tooling
- **Go Version**: Updated from 1.24.0 to 1.25.4 (commit 66250e1)
- **Linter**: Upgraded golangci-lint to v2.7.2 (commit 3fd5675)
- **Crossplane Runtime**: Updated from v2.0.0 to v2.1.0 (#415, commit 03754d4)
- **Improved CI/CD**: Updated GitHub Actions (#450, commit ec8b291)
- **Code Quality**: Fixed multiple linter issues (QF1008, ST1019, QF1001) (commits bb62f55, 9245c82, bf6612f)
### Documentation
- Enhanced README with detailed regression testing instructions
- Added documentation for test rendering and chainsaw usage
- Improved local development setup guide with the `--deploy-local-provider` and `--use-local-provider` flags
### Testing
- Expanded test coverage with new SAML client test cases
- Updated demo manifests for both cluster and namespaced resources
- Added comprehensive examples for authorization resources and permissions
### Infrastructure
- Updated CRD definitions with 136 files changed (+5,085 additions, -675 deletions)
- Improved dependency management and version pinning
- Enhanced development environment setup scripts
## Usage Examples

### Multi-Type References for Protocol Mappers
Protocol mappers can now reference both OIDC and SAML clients/scopes using the new reference fields:

```yaml
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
  name: saml-protocol-mapper-example
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "user-roles"
    protocol: "saml"
    # Reference SAML client using new field
    samlClientIdRef:
      name: my-saml-client
      policy:
        resolve: Always
    realmIdRef:
      name: my-realm
    protocolMapper: "saml-role-list-mapper"
    config:
      attribute.name: "Role"
```

### New Realm Features
#### Brute Force Protection with Max Temporary Lockouts

```yaml
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: secure-realm
spec:
  forProvider:
    realm: "secure-realm"
    enabled: true
    # New: Maximum number of temporary lockouts
    maxTemporaryLockouts: 3
    bruteForceProtected: true
    permanentLockout: true
```

#### Admin Permissions and Deletion Protection
```yaml
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: protected-realm
spec:
  forProvider:
    realm: "protected-realm"
    enabled: true
    # New: Enable admin permissions for fine-grained control
    adminPermissionsEnabled: true
    # New: Prevent accidental deletion via Terraform
    terraformDeletionProtection: true
```

#### UTF-8 Username Support in Keystore
```yaml
apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: KeystoreRsa
metadata:
  name: utf8-keystore
spec:
  forProvider:
    name: "my-rsa-key"
    active: true
    enabled: true
    # New: Allow UTF-8 characters in usernames
    allowUtf8: true
    algorithm: RS256
    priority: 100
    realmIdRef:
      name: my-realm
```

### Enhanced Authorization Resources
```yaml
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientAuthorizationResource
metadata:
  name: protected-api-resource
spec:
  forProvider:
    name: "api-resource"
    displayName: "Protected API Resource"
    type: "http://example.com/api"
    # Enhanced attributes support
    attributes:
      environment: "production"
      sensitivity: "high"
    uris:
      - "/api/v1/*"
    realmIdRef:
      name: my-realm
    resourceServerIdRef:
      name: my-client
```

### Group Description Field
```yaml
apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: developers-group
spec:
  forProvider:
    name: "developers"
    # New: Add description to groups
    description: "Development team with access to staging environments"
    realmIdRef:
      name: my-realm
```

### SAML Client Encryption Algorithm
```yaml
apiVersion: samlclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: saml-app
spec:
  forProvider:
    clientId: "saml-application"
    name: "SAML Application"
    encryptAssertions: true
    # New: Specify encryption algorithm for SAML assertions
    encryptionAlgorithm: "AES_256_GCM"
    realmIdRef:
      name: my-realm
```

### DPoP Bound Tokens for OpenID Clients
```yaml
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: secure-oidc-client
spec:
  forProvider:
    clientId: "secure-app"
    name: "Secure Application"
    # New: Enable Demonstrating Proof-of-Possession (DPoP) bound tokens
    requireDpopBoundTokens: true
    realmIdRef:
      name: my-realm
```

**Full Changelog**: v2.12.1...v2.13.0-rc.1