Deprecated: Keycloak Organization Adapter

This document has been superseded by Keycloak Kubernetes API Integration.


The Keycloak Organization Adapter maps the in-cluster resources to Keycloak groups and users.

  • Map Organization / OrganizationMembers resource to top level groups in Keycloak

    • Create group if Organization exits

    • Manage group members based on OrganizationMembers

    • Import existing groups as Organization/OrganizationMembers

  • Map Teams to sub-groups in Keycloak

    • Create sub-group if Team exits

    • Manage sub-group members based on Team

    • Import existing sub-groups as Team

  • Map User resources to users in Keycloak

    • Set preferences

    • Import existing Keycloak user as User

  • Operational management of Keycloak (for example to create and manage realms)


Option 1: Crossplane

Using the Crossplane ecosystem we can reuse a lot of existing resources.

The current OrganizationMembers, Team, and User CRDs are converted to XRDs. We write compositions for each of them to map them to Keycloak resources provided by a Crossplane provider. The Crossplane provider can be generated using Terrajet.

  • Reduce amount of custom code

  • Simplifies writing plugins as just a composition

  • Resource import needs to be handles separately

  • Introduces Crossplane as dependency and increases operational complexity

  • Less flexibility / potential unforeseen roadblock

Option 2: Custom Controller

We write a custom controller using kubebuilder. We can reuse a lot of insight from the group sync operator.

  • Very flexible

  • We have experience writing controllers against Keycloak

  • Good testability

  • Additional custom Go code and added code complexity

  • Big upfront investment to build new Organization Adapter


We decided to write a custom controller.


The Crossplane data model does just not quite fit our requirements. We would most likely need to write custom code for the resource import anyway, especially for User resources.