-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Keycloak integration as virtual resource (#163)
* Keycloak integration as virtual resource * Integrate new decision into control-api docs * Add zone groups sync decision
- Loading branch information
Showing
7 changed files
with
169 additions
and
11 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
65 changes: 65 additions & 0 deletions
65
...dules/ROOT/pages/explanation/decisions/keycloak-kubernetes-api-integration.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
= Keycloak Kubernetes API Integration | ||
|
||
== Problem | ||
|
||
In order to allow users to manage access to their organizations we need an adapter between Keycloak and the Kubernetes API to manage users, groups, and teams in Keycloak. | ||
|
||
The first user management implementation was done using a controller und custom resource definitions (CRDs). | ||
This implementation effectively had two sources of truth: Keycloak and the Kubernetes API; and tried to keep them in sync. | ||
Over time those two sources of truth diverged and we had to deal with more and more sync inconsistencies. | ||
|
||
We had users try to use the Kubernetes API as an interface to their user management needs, but this was abandoned due to various inconsistencies. | ||
|
||
We now want to revisit this problem and come up with a new solution without the need to keep two sources of truth in sync. | ||
|
||
.Goals | ||
|
||
* Map `Organization` / `OrganizationMembers` resource to groups in Keycloak | ||
* Map `Teams` to sub-groups in Keycloak | ||
* Map User resources (their preferences) to users in Keycloak | ||
|
||
.Non-Goals | ||
|
||
* Operational management of Keycloak (for example to create and manage realms) | ||
|
||
== Proposals | ||
|
||
=== Option 1: Create a virtual resource for OrganizationMembers, Team, and User | ||
|
||
We create a virtual resource for OrganizationMembers, Team, and User that is backed by Keycloak. | ||
|
||
.Pro | ||
|
||
* We can avoid the sync inconsistencies | ||
* We can use the Kubernetes API as an interface to manage users in Keycloak | ||
|
||
.Con | ||
|
||
* Upfront investment to create a new implementation | ||
* Potential performance issues | ||
* API is down when Keycloak is down | ||
|
||
=== Option 2: Keep and improve controller | ||
|
||
We keep the existing controller and improve it and resolve sync inconsistencies. | ||
|
||
.Pro | ||
|
||
* We already have a working implementation | ||
* Keycloak can be unavailable and we can still manage users in Kubernetes | ||
|
||
.Con | ||
|
||
* Doubtful we can ever solve the sync inconsistencies | ||
* We might never move away from the two sources of truth | ||
|
||
== Decision | ||
|
||
Create a virtual resource for OrganizationMembers, Team, and User. | ||
|
||
image::idp-integration.svg[VSHN IDP integration,400] | ||
|
||
== Rationale | ||
|
||
We want to avoid the sync inconsistencies and the need to keep two sources of truth in sync. | ||
We're doubtful we can ever solve the sync inconsistencies with a controller. |
63 changes: 63 additions & 0 deletions
63
docs/modules/ROOT/pages/explanation/decisions/keycloak-zone-group-sync.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
= Keycloak Zone Group sync | ||
|
||
== Problem | ||
|
||
Currently we use https://github.com/appuio/group-sync-operator[group-sync-operator] to sync groups from Keycloak to Kubernetes. | ||
We forked the upstream project to add support for nested groups. | ||
|
||
The controller is slow, not very reliable, and users often have to wait for the sync in the zone to complete. | ||
We have no way of showing the status of the sync to the user. | ||
Hidden wait times lead to user confusion and we had support cases because of that. | ||
|
||
.Goals | ||
|
||
* Instantly sync groups from Keycloak to the APPUiO zone | ||
* Provide a good initial experience for the user | ||
|
||
.Non-Goals | ||
|
||
* Provide additional OpenShift group management features | ||
|
||
== Proposals | ||
|
||
=== Option 1: Provide groups in OIDC token | ||
|
||
We build a custom Keycloak OIDC token mapper that adds the groups to the token. | ||
The mapper would join the groups with the selected separator, trim the "organization" root group, and add the groups to the token. | ||
|
||
.Pro | ||
|
||
* Every login sync the groups from Keycloak to the zone | ||
* The sync is in the request path and the user gets notified on errors | ||
|
||
.Con | ||
|
||
* User needs to re-login to sync the groups after they changed | ||
* Writing and managing a custom Keycloak OIDC token mapper | ||
|
||
=== Option 2: Agent on the zone watches control-api | ||
|
||
We build an agent that watches the control-api for changes and updates the groups in the zone. | ||
|
||
.Pro | ||
|
||
* Users do not have to re-login to sync the groups. | ||
* All boilerplate is done, we already implemented similar controllers in the zone agent. | ||
|
||
.Con | ||
|
||
* The errors do not happen in the request path and might be less visible to the user and us | ||
** Needs better instrumentation | ||
|
||
== Decision | ||
|
||
We add a controller to the agent on the zone to sync groups. | ||
|
||
== Rationale | ||
|
||
Requiring the user to re-login to sync the groups is not a good user experience. | ||
It is less work to implement and maintain than a custom Keycloak OIDC token mapper. | ||
|
||
== Resources | ||
|
||
- https://www.baeldung.com/keycloak-custom-protocol-mapper[Keycloak Custom Protocol Mapper] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters