github crossplane-contrib/provider-keycloak v2.20.0

8 hours ago

New Features

1. Workflow CRD

Manage Keycloak realm automation workflows (e.g., user onboarding, offboarding) declaratively.

apiVersion: workflow.keycloak.crossplane.io/v1alpha1
kind: Workflow
metadata:
  name: onboarding
spec:
  forProvider:
    enabled: true
    name: onboarding-new-users
    "on": user_created
    realmRef:
      name: my-realm
    step:
    - config:
        message: |
          <p>Dear ${user.firstName} ${user.lastName}, </p>
          <p>Welcome to ${realm.displayName}!</p>
          <p>Best regards,<br/>The Keycloak Team</p>
      uses: notify-user
    - after: "2592000000"
      config:
        action: UPDATE_PASSWORD
      uses: set-user-required-action
  providerConfigRef:
    name: keycloak-provider-config

2. SPIFFE Identity Provider CRD

Federate workload identity via SPIFFE trust domains.

apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
kind: SpiffeIdentityProvider
metadata:
  name: my-spiffe-idp
spec:
  forProvider:
    alias: my-spiffe-idp
    bundleEndpoint: https://spiffe-bundle.example.com/bundle
    trustDomain: spiffe://my-trust-domain
    realmRef:
      name: my-realm
  providerConfigRef:
    name: keycloak-provider-config
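Before a SpiffeIdentityProvider like the one above is applied, two values deserve a pre-flight check: that trustDomain is a well-formed SPIFFE trust domain (the SPIFFE-ID spec allows only lowercase letters, digits, dots, dashes and underscores in the name, with no port, userinfo or path) and that bundleEndpoint is an https URL serving a SPIFFE bundle, i.e. a JWKS document whose keys are tagged x509-svid or jwt-svid. The following Python is an added illustration, not provider-keycloak or Keycloak code; the bundle document it parses is constructed inline (the x5c value is a placeholder, not a real certificate), and the exact validation Keycloak performs on these fields is not described on the page.

```python
import json
import re
from urllib.parse import urlsplit

# Trust domain name rules from the SPIFFE-ID spec: lowercase letters, digits,
# dots, dashes and underscores; no port, userinfo, path or query; <= 255 bytes.
_TRUST_DOMAIN_NAME = re.compile(r"^[a-z0-9._-]+$")


def validate_trust_domain(trust_domain: str) -> list[str]:
    """Return the problems found with a spec.forProvider.trustDomain (empty == valid)."""
    problems = []
    parts = urlsplit(trust_domain)
    if parts.scheme != "spiffe":
        problems.append("scheme must be 'spiffe'")
    name = parts.netloc
    if not name:
        problems.append("trust domain name is empty")
    elif not _TRUST_DOMAIN_NAME.match(name):
        # Also rejects ':port' and 'user@' because ':' and '@' are not allowed.
        problems.append("name may only contain a-z, 0-9, '.', '-' and '_'")
    if parts.path or parts.query or parts.fragment:
        problems.append("trust domain must not carry a path, query or fragment")
    if len(name.encode()) > 255:
        problems.append("trust domain name exceeds 255 bytes")
    return problems


def validate_bundle_endpoint(url: str) -> list[str]:
    """Return the problems found with a spec.forProvider.bundleEndpoint."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("bundleEndpoint must use https")
    if not parts.hostname:
        problems.append("bundleEndpoint has no host")
    return problems


def check_spiffe_idp(for_provider: dict) -> list[str]:
    """Run both checks over the forProvider block of a SpiffeIdentityProvider."""
    return (validate_trust_domain(for_provider.get("trustDomain", ""))
            + validate_bundle_endpoint(for_provider.get("bundleEndpoint", "")))


def summarize_bundle(doc: str) -> dict:
    """Parse a SPIFFE bundle (JWKS plus spiffe_* members) and count its authorities.

    Raises ValueError for documents that cannot serve as a trust bundle:
    x509-svid entries must carry exactly one certificate in x5c, and every
    key must declare a SPIFFE 'use' value.
    """
    bundle = json.loads(doc)
    keys = bundle.get("keys")
    if not isinstance(keys, list):
        raise ValueError("bundle has no 'keys' array")
    x509_roots = jwt_keys = 0
    for key in keys:
        use = key.get("use")
        if use == "x509-svid":
            if len(key.get("x5c", [])) != 1:
                raise ValueError("x509-svid entries must carry exactly one certificate in x5c")
            x509_roots += 1
        elif use == "jwt-svid":
            jwt_keys += 1
        else:
            raise ValueError(f"unknown key use {use!r}")
    return {
        "sequence": bundle.get("spiffe_sequence"),
        "refresh_hint": bundle.get("spiffe_refresh_hint"),
        "x509_roots": x509_roots,
        "jwt_keys": jwt_keys,
    }


# Constructed sample bundle; the x5c entry is a placeholder, not a real certificate.
SAMPLE_BUNDLE = json.dumps({
    "spiffe_sequence": 7,
    "spiffe_refresh_hint": 300,
    "keys": [
        {"use": "x509-svid", "kty": "RSA", "x5c": ["PLACEHOLDER-BASE64-DER-CERT"]},
        {"use": "jwt-svid", "kty": "EC", "kid": "key-1", "crv": "P-256",
         "x": "PLACEHOLDER-X", "y": "PLACEHOLDER-Y"},
    ],
})

if __name__ == "__main__":
    # Values taken from the SpiffeIdentityProvider example above.
    print(check_spiffe_idp({"trustDomain": "spiffe://my-trust-domain",
                            "bundleEndpoint": "https://spiffe-bundle.example.com/bundle"}))
    print(summarize_bundle(SAMPLE_BUNDLE))
```

A non-empty list from check_spiffe_idp is the signal to fix the manifest before the provider tries to reconcile it; summarize_bundle is the kind of sanity check worth running against a bundle endpoint before pointing a realm at it, since a bundle with zero x509 or JWT authorities cannot validate any SVID.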

3. OIDC OpenShift v4 Identity Provider CRD

Integrate Keycloak with OpenShift 4 clusters as an OIDC identity provider.

apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
kind: OidcOpenShiftV4IdentityProvider
metadata:
  name: openshift-v4
spec:
  forProvider:
    baseUrl: https://openshift.example.com:8443
    clientId: my-openshift-client
    clientSecretSecretRef:
      key: client-secret
      name: openshift-credentials
      namespace: crossplane-system
    defaultScopes: user:full
    syncMode: IMPORT
    trustEmail: true
    realmRef:
      name: my-realm
  providerConfigRef:
    name: keycloak-provider-config

4. Client Regex Policy CRD

Define authorization policies based on regex patterns against token claims.

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientRegexPolicy
metadata:
  name: email-domain-policy
spec:
  forProvider:
    name: email-domain-policy
    decisionStrategy: UNANIMOUS
    logic: POSITIVE
    pattern: "^.+@example\\.com$"
    targetClaim: email
    realmIdRef:
      name: my-realm
    resourceServerIdRef:
      name: my-client
  providerConfigRef:
    name: keycloak-provider-config
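The pattern in this example is anchored with ^ and $ so that only addresses ending in exactly @example.com satisfy the policy; an unanchored pattern such as @example\.com would also accept lookalike values like user@example.com.evil.net under substring (find) matching. The Python below is an added illustration of that difference, not Keycloak's policy evaluator: it assumes Keycloak applies the pattern to the whole claim value (full-match semantics) and treats a missing claim as a non-match, which logic: NEGATIVE then inverts; the token claims it evaluates are constructed inline.

```python
import re
from typing import Mapping


def evaluate_regex_policy(policy: dict, claims: Mapping, *, full_match: bool = True) -> bool:
    """Evaluate one ClientRegexPolicy against decoded token claims.

    Returns True when the policy grants. A missing claim is a non-match
    (assumed here); logic POSITIVE grants on a match, NEGATIVE inverts it.
    full_match=False switches to substring (find) semantics so the effect of
    an unanchored pattern can be shown side by side.
    """
    value = claims.get(policy["targetClaim"])
    values = [] if value is None else (value if isinstance(value, list) else [value])
    regex = re.compile(policy["pattern"])
    matcher = regex.fullmatch if full_match else regex.search
    matched = any(matcher(str(v)) is not None for v in values)
    return matched if policy.get("logic", "POSITIVE") == "POSITIVE" else not matched


# The policy from the ClientRegexPolicy example above.
POLICY = {
    "name": "email-domain-policy",
    "logic": "POSITIVE",
    "pattern": r"^.+@example\.com$",
    "targetClaim": "email",
}

# Constructed weakened variant with no anchors (not from the page).
UNANCHORED = dict(POLICY, pattern=r"@example\.com")


def demo() -> dict:
    """Evaluate both policies over constructed token claims."""
    cases = {
        "corp user": {"email": "alice@example.com"},
        "lookalike suffix": {"email": "mallory@example.com.evil.net"},
        "subdomain": {"email": "bob@sub.example.com"},
        "no email claim": {"sub": "1234"},
    }
    return {
        name: {
            "anchored": evaluate_regex_policy(POLICY, claims),
            "unanchored_search": evaluate_regex_policy(UNANCHORED, claims, full_match=False),
        }
        for name, claims in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} anchored={result['anchored']!s:5} "
              f"unanchored(find)={result['unanchored_search']}")
```

Only the "corp user" claim is granted by the anchored policy; the lookalike suffix is granted by the unanchored pattern under find semantics, which is the case a reviewer should look for when a ClientRegexPolicy pattern lacks anchors. Note that decisionStrategy does not enter this single-policy evaluation; it governs how the outcomes of several policies attached to one permission are combined.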

Dependencies

  • chore(deps): update zeebe-io/backport-action action to v4.5 by @renovate[bot] in #548
  • chore(deps): update zeebe-io/backport-action digest to bf97bcf by @renovate[bot] in #549
  • chore(deps): update zeebe-io/backport-action digest to 6606540 by @renovate[bot] in #551
  • chore(deps): update github-actions by @renovate[bot] in #556
  • chore(deps): update docker/setup-qemu-action digest to 0611638 by @renovate[bot] in #560
  • chore(deps): update imjasonh/setup-crane action to v0.6 by @renovate[bot] in #562
  • chore(deps): update gcr.io/distroless/static docker digest to 3592aa8 by @renovate[bot] in #453
  • chore(deps): update dependency keycloak/terraform-provider-keycloak to v5.8.0 and align Go module dependency by @renovate[bot] in #570
  • fix(deps): update github.com/keycloak/terraform-provider-keycloak dependencies to 209a0ab by @renovate[bot] in #523
  • chore(deps): update github-actions to v7 by @renovate[bot] in #573
  • chore(deps): update github-actions to df4cb1c by @renovate[bot] in #569
  • chore(deps): update dependency python-keycloak to v7 by @renovate[bot] in #469

Other Changes

  • Add automatic release automation for security patches by @Copilot in #552
  • Add schema diff tooling to track provider schema changes between releases by @Copilot in #553
  • fix: prevent concurrent map writes by separating MaxConcurrentReconciles from rate limit by @Copilot in #557
  • Auto-recover from stale cross-resource references by @nicolamacoir in #561
  • authenticationFlowBindingOverrides forProvider drift: implement Options A+C across all calculated IDs by @Copilot in #545
  • Fix local-deploy CI failure by aligning Crossplane CLI install with official docs by @Copilot in #568
  • fix: allow empty optionalScopes/defaultScopes arrays in scope resources by @Copilot in #567
  • Add CRD coverage for new Keycloak provider resources by @Copilot in #572
  • fix(e2e): add version-gated Keycloak e2e coverage by @Copilot in #565
  • Fix weekly auto releases not publishing to Upbound marketplace by @Copilot in #580
  • docs: add v2.20.0 release notes with new CRD examples by @Copilot in #581
  • feat: cache Keycloak clients and logout password-grant sessions on shutdown by @Copilot in #577
  • fix(e2e): add resolve: Always to ClientServiceAccountRole refs to prevent stale reference values by @Copilot in #583
  • fix: stabilize config cache key, harden logout URL, reduce credential retention by @Copilot in #582

New Contributors

Full Changelog: v2.19.0...v2.20.0
