134 lines
3.3 KiB
Text
134 lines
3.3 KiB
Text
|
|
[[_user-cr]]
|
|
=== Creating a user custom resource
|
|
|
|
You can use the Operator to create users in {project_name} as defined by a custom resource. You define the properties of the user custom resource in a YAML file.
|
|
|
|
[NOTE]
|
|
====
|
|
You can update properties, except for the password, in the YAML file and changes appear in the {project_name} admin console, however changes to the admin console do not update the custom resource.
|
|
====
|
|
|
|
.Example YAML file for a user custom resource
|
|
```yaml
|
|
apiVersion: keycloak.org/v1alpha1
|
|
kind: KeycloakUser
|
|
metadata:
|
|
name: example-user
|
|
spec:
|
|
user:
|
|
username: "realm_user"
|
|
firstName: "John"
|
|
lastName: "Doe"
|
|
email: "user@example.com"
|
|
enabled: True
|
|
emailVerified: False
|
|
realmRoles:
|
|
- "offline_access"
|
|
clientRoles:
|
|
account:
|
|
- "manage-account"
|
|
realm-management:
|
|
- "manage-users"
|
|
realmSelector:
|
|
matchLabels:
|
|
ifeval::[{project_community}==true]
|
|
app: example-keycloak
|
|
endif::[]
|
|
ifeval::[{project_product}==true]
|
|
app: sso
|
|
endif::[]
|
|
```
|
|
|
|
.Prerequisites
|
|
|
|
* You have a YAML file for this custom resource.
|
|
|
|
* The `realmSelector` matches the labels of an existing realm custom resource.
|
|
|
|
* You have cluster-admin permission or an equivalent level of permissions granted by an administrator.
|
|
|
|
.Procedure
|
|
|
|
. Use this command on the YAML file that you created: `{create_cmd} -f <user_cr>.yaml`. For example:
|
|
+
|
|
[source,bash,subs=+attributes]
|
|
----
|
|
$ {create_cmd} -f initial_user.yaml
|
|
keycloak.keycloak.org/example-user created
|
|
----
|
|
|
|
. Log into the admin console for the related instance of {project_name}.
|
|
|
|
. Click Users.
|
|
|
|
. Search for the user that you defined in the YAML file.
|
|
+
|
|
The user is in the list.
|
|
+
|
|
image:images/user_list.png[]
|
|
|
|
.Results
|
|
|
|
After a user is created, the Operator creates a Secret containing the both username and password using the
|
|
following naming pattern: `credential-<realm name>-<username>-<namespace>`. Here's an example:
|
|
|
|
.`KeycloakUser` Secret
|
|
```yaml
|
|
kind: Secret
|
|
apiVersion: v1
|
|
data:
|
|
password: <base64 encoded password>
|
|
username: <base64 encoded username>
|
|
type: Opaque
|
|
```
|
|
|
|
Once the Operator processes the custom resource, view the status with this command:
|
|
|
|
[source,bash,subs=+attributes]
|
|
----
|
|
$ {create_cmd_brief} describe keycloak <CR-name>
|
|
----
|
|
|
|
.User custom resource Status
|
|
```yaml
|
|
Name: example-realm-user
|
|
Namespace: keycloak
|
|
ifeval::[{project_community}==true]
|
|
Labels: app=example-keycloak
|
|
endif::[]
|
|
ifeval::[{project_product}==true]
|
|
Labels: app=sso
|
|
endif::[]
|
|
API Version: keycloak.org/v1alpha1
|
|
Kind: KeycloakUser
|
|
Spec:
|
|
Realm Selector:
|
|
Match Labels:
|
|
ifeval::[{project_community}==true]
|
|
App: example-keycloak
|
|
endif::[]
|
|
ifeval::[{project_product}==true]
|
|
App: sso
|
|
endif::[]
|
|
User:
|
|
Email: realm_user@redhat.com
|
|
Credentials:
|
|
Type: password
|
|
Value: <user password>
|
|
Email Verified: false
|
|
Enabled: true
|
|
First Name: John
|
|
Last Name: Doe
|
|
Username: realm_user
|
|
Status:
|
|
Message:
|
|
Phase: reconciled
|
|
Events: <none>
|
|
```
|
|
|
|
.Additional resources
|
|
|
|
* If you have an external database, you can modify the Keycloak custom resource to support it. See xref:_external_database[Connecting to an external database].
|
|
|
|
* To back up your database using custom resources, see xref:_backup-cr[schedule database backups].
|