keycloak-scim/server_installation/topics/operator/keycloak-user-cr.adoc

139 lines
3.5 KiB
Text

[[_user-cr]]
=== Creating a user custom resource
You can use the Operator to create users in {project_name} as defined by a custom resource. You define the properties of the user custom resource in a YAML file.
[NOTE]
====
You can update properties, except for the password, in the YAML file and changes appear in the {project_name} admin console, however changes to the admin console do not update the custom resource.
====
.Example YAML file for a user custom resource
```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
name: example-user
spec:
user:
username: "realm_user"
firstName: "John"
lastName: "Doe"
email: "user@example.com"
enabled: True
emailVerified: False
credentials:
- type: "password"
value: "12345"
realmRoles:
- "offline_access"
clientRoles:
account:
- "manage-account"
realm-management:
- "manage-users"
realmSelector:
matchLabels:
ifeval::[{project_community}==true]
app: example-keycloak
endif::[]
ifeval::[{project_product}==true]
app: sso
endif::[]
```
.Prerequisites
* You have a YAML file for this custom resource.
* The `realmSelector` matches the labels of an existing realm custom resource.
* You have cluster-admin permission or an equivalent level of permissions granted by an administrator.
.Procedure
. Use this command on the YAML file that you created: `{create_cmd} -f <user_cr>.yaml`. For example:
+
[source,bash,subs=+attributes]
----
$ {create_cmd} -f initial_user.yaml
keycloak.keycloak.org/example-user created
----
. Log into the admin console for the related instance of {project_name}.
. Click Users.
. Search for the user that you defined in the YAML file.
+
You may need to switch to a different realm to find the user.
+
image:images/realm_user.png[]
.Results
After a user is created, the Operator creates a Secret using the
following naming pattern: `credential-<realm name>-<username>-<namespace>` , containing the username and, if it has been specified in the credentials attribute, the password.
Here's an example:
.`KeycloakUser` Secret
```yaml
kind: Secret
apiVersion: v1
data:
password: <base64 encoded password>
username: <base64 encoded username>
type: Opaque
```
Once the Operator processes the custom resource, view the status with this command:
[source,bash,subs=+attributes]
----
$ {create_cmd_brief} describe keycloak <CR-name>
----
.User custom resource Status
```yaml
Name: example-realm-user
Namespace: keycloak
ifeval::[{project_community}==true]
Labels: app=example-keycloak
endif::[]
ifeval::[{project_product}==true]
Labels: app=sso
endif::[]
API Version: keycloak.org/v1alpha1
Kind: KeycloakUser
Spec:
Realm Selector:
Match Labels:
ifeval::[{project_community}==true]
App: example-keycloak
endif::[]
ifeval::[{project_product}==true]
App: sso
endif::[]
User:
Email: realm_user@redhat.com
Credentials:
Type: password
Value: <user password>
Email Verified: false
Enabled: true
First Name: John
Last Name: Doe
Username: realm_user
Status:
Message:
Phase: reconciled
Events: <none>
```
.Additional resources
* If you have an external database, you can modify the Keycloak custom resource to support it. See xref:_external_database[Connecting to an external database].
* To back up your database using custom resources, see xref:_backup-cr[schedule database backups].