
Releases: crossplane-contrib/provider-keycloak

v2.17.0

18 Mar 09:58


New stuff

The KubernetesIdentityProvider resource added in #518 (feat(idP): add k8s idp), shown with its alias and issuer fields:

apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
kind: KubernetesIdentityProvider
metadata:
  annotations:
    meta.upbound.io/example-id: identityprovider/v1alpha1/kubernetesidentityprovider
  labels:
    testing.upbound.io/example-name: kubernetes
  name: kubernetes
spec:
  forProvider:
    alias: my-k8s-idp
    issuer: https://example.com/issuer/
    realmSelector:
      matchLabels:
        testing.upbound.io/example-name: realm

What's Changed

  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 6acfc17 by @renovate[bot] in #486
  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 42ae5d8 by @renovate[bot] in #516
  • chore(deps): update docker/login-action digest to 9fe7774 by @renovate[bot] in #513
  • feat(idP): add k8s idp by @Breee in #518
  • feat(setup): validation for url/base_url by @Breee in #521

Full Changelog: v2.16.1...v2.17.0

v2.16.1

08 Mar 14:14


What's Changed

  • chore(deps): update docker/setup-buildx-action action to v4 by @renovate[bot] in #507
  • fix: bump terraform provider package and include jwt token in client by @michvllni in #512

Full Changelog: v2.16.0...v2.16.1

v2.16.0

06 Mar 13:06


New Stuff

  • bumped to tf provider schema 5.7.0
  • the provider config now also accepts the fields "jwt_signing_alg", "jwt_signing_key", "jwt_token" and "jwt_token_file", matching the authentication arguments documented at https://registry.terraform.io/providers/keycloak/keycloak/latest/docs#authentication
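The four fields go into the same JSON credentials document the provider already reads from its credentials Secret. The following is an added example, not a manifest from the release or the project: it assumes the standard upjet layout (a Secret holding a JSON document and a ProviderConfig of apiVersion keycloak.crossplane.io/v1beta1 pointing at it) and JSON keys named after the Terraform provider's authentication arguments, which is what the release says the new fields align with. The hostname, realm, client_id and the key material are placeholders.

```yaml
# Added example, not part of the release notes. Assumed: upjet-style Secret +
# ProviderConfig layout, ProviderConfig apiVersion keycloak.crossplane.io/v1beta1,
# snake_case JSON keys taken from the Terraform provider's authentication arguments.
# Hostname, realm, client_id and key material are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: crossplane-system
type: Opaque
stringData:
  # Client-assertion (JWT) authentication: the provider signs its own assertion
  # with jwt_signing_key using jwt_signing_alg. Alternatively, supply a pre-issued
  # assertion in "jwt_token", or point "jwt_token_file" at a path readable
  # inside the provider pod.
  credentials: |
    {
      "url": "https://keycloak.example.com",
      "realm": "master",
      "client_id": "provider-sa",
      "jwt_signing_alg": "RS256",
      "jwt_signing_key": "<PEM private key of the provider client, with newlines written as \n>"
    }
---
apiVersion: keycloak.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: keycloak-provider-config
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: keycloak-credentials
      key: credentials
```

jwt_signing_key is a long-lived private key: anyone who can read it can mint assertions for the provider's client, so restrict read access to the Secret with RBAC and give the Keycloak client only the admin roles the provider actually needs. jwt_token_file names a path, so that file has to be mounted into the provider pod before it can be read.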

What's Changed

  • chore(deps): update docker/login-action digest to b45d80f by @renovate[bot] in #504
  • chore(deps): update github-actions to v4 (major) by @renovate[bot] in #505
  • chore(deps): update docker/login-action digest to e46b7e3 by @renovate[bot] in #506
  • Improving summary of README by @denniskniep in #509
  • chore(deps): update github-actions by @renovate[bot] in #508
  • Feat/jwt auth + version bump by @Breee in #511

Full Changelog: v2.15.0...v2.16.0

v2.15.0

03 Mar 09:24
fdd7171


What's Changed

  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to fb9b309 by @renovate[bot] in #479
  • chore(deps): update actions/cache digest to 8b402f5 by @renovate[bot] in #481
  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to a7ffad2 by @renovate[bot] in #484
  • chore(deps): update github-actions by @renovate[bot] in #487
  • chore(deps): update actions/cache digest to cdf6c1f by @renovate[bot] in #488
  • fix argocd install with server side apply by @goran-rajta in #494
  • fix(deps): update k8s.io dependencies to v0.35.1 by @renovate[bot] in #493
  • chore(deps): update github-actions by @renovate[bot] in #489
  • fix(deps): update module github.com/hashicorp/terraform-plugin-sdk/v2 to v2.38.2 by @renovate[bot] in #491
  • feat: add keycloak_identity_provider_token_exchange_scope_permission by @goran-rajta in #485
  • groups instead of role_list as default scope to fix tests by @consooo in #496
  • chore(deps): update actions/setup-go digest to 4b73464 by @renovate[bot] in #500
  • chore(deps): update actions/upload-artifact action to v7 by @renovate[bot] in #501
  • fix(deps): update k8s.io dependencies to v0.35.2 by @renovate[bot] in #502
  • fix(deps): update module github.com/hashicorp/terraform-plugin-sdk/v2 to v2.39.0 by @renovate[bot] in #503

New Contributors

Full Changelog: v2.14.0...v2.15.0

v2.14.0

16 Jan 13:09


Release Notes

What's New

🚀 Multi-Type References Support

  • Protocol Mappers: Added samlClientIdRef/samlClientIdSelector and samlClientScopeIdRef/samlClientScopeIdSelector fields to reference SAML clients and client scopes alongside existing OIDC references (#468)
  • Role Mappers: Added samlClientIdRef/samlClientIdSelector and samlClientScopeIdRef/samlClientScopeIdSelector fields to reference SAML clients and client scopes alongside existing OIDC references
  • Client Policies: Added samlClients/samlClientsRefs/samlClientsSelector fields to reference SAML clients in authorization policies alongside OIDC clients (#468)
  • Roles: Added samlClientIdRef/samlClientIdSelector fields to reference SAML clients alongside existing OIDC client references (#478)
  • Authentication Execution: Fixed late initialization for parentFlowAlias field to prevent configuration drift (#468)
  • Source: Commit 7ff121d

📦 Keycloak Terraform Provider Update

🔧 Autogenerated Schema updates

Cross-Resource References:

  • Architecture Improvement: Refactored cross-resource reference system from automatic (via KnownReferencers()) to explicit per-resource configuration
  • Removed generic handling for clientId, serviceAccountUserId, and resourceServerId in favor of explicit configuration
  • Added explicit clientId references with UUID extractors to: OIDC Client (default_scopes, optional_scopes, permissions, service_account_realm_role), LDAP role mapper, OpenID group membership protocol mapper
  • Added explicit serviceAccountUserId references to: OpenID client service account realm role
  • Added explicit resourceServerId references to all 11 authorization resources (client_policy, group_policy, role_policy, user_policy, authorization_resource, authorization_permission, authorization_scope, aggregate_policy, js_policy, time_policy, authorization_client_scope_policy)
  • Enhanced all client references with common.PathUUIDExtractor for proper UUID extraction from resource status
  • Impact: More maintainable and type-safe cross-resource references across the provider

Realm Resources:

  • Added maxTemporaryLockouts field for brute force protection configuration (2aba5a3)
  • Added adminPermissionsEnabled flag for fine-grained permission control (2aba5a3)
  • Added terraformDeletionProtection safety flag to prevent accidental deletions (2aba5a3)
  • Added allowUtf8 flag for UTF-8 support in SMTP server configuration (2aba5a3)

LDAP User Federation:

  • Added connectionPooling flag to enable LDAP connection pooling (2aba5a3)
  • Added debug field to enable/disable Kerberos authentication logging (2aba5a3)
  • Added krbPrincipalAttribute field to specify LDAP attribute for Kerberos principal lookup (2aba5a3)

OpenID Client Resources:

  • Added requireDpopBoundTokens flag to enable Demonstrating Proof-of-Possession (DPoP) bound tokens support (2aba5a3)

Group Resources:

  • Added description field for group descriptions
  • Source: Auto-generated from upstream provider update (commit 2aba5a3)

SAML Client Resources:

  • Added encryptionAlgorithm field to specify SAML assertion encryption algorithm (supports AES_256_GCM, AES_192_GCM, AES_128_GCM, AES_256_CBC, AES_192_CBC, AES_128_CBC)
  • Source: Auto-generated from upstream provider update (commit 2aba5a3)

🔨 Development & Tooling

  • Go Version: Updated from 1.24.0 to 1.25.4 (commit 66250e1)
  • Linter: Upgraded golangci-lint to v2.7.2 (commit 3fd5675)
  • Crossplane Runtime: Updated from v2.0.0 to v2.1.0 (#415, commit 03754d4)
  • Improved CI/CD: Updated GitHub Actions (#450, commit ec8b291)
  • Code Quality: Fixed multiple linter issues (QF1008, ST1019, QF1001) (commits bb62f55, 9245c82, bf6612f)

📚 Documentation

  • Enhanced README with detailed regression testing instructions
  • Added documentation for test rendering and chainsaw usage
  • Improved local development setup guide with --deploy-local-provider and --use-local-provider flags

🧪 Testing

  • Expanded test coverage with new SAML client test cases
  • Updated demo manifests for both cluster and namespaced resources
  • Added comprehensive examples for authorization resources and permissions

Infrastructure

  • Updated CRD definitions
  • Improved dependency management and version pinning
  • Enhanced development environment setup scripts

Usage Examples

Multi-Type References for Protocol Mappers

Protocol mappers can now reference both OIDC and SAML clients/scopes using the new reference fields:

apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
  name: saml-protocol-mapper-example
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "user-roles"
    protocol: "saml"
    # Reference SAML client using new field
    samlClientIdRef:
      name: my-saml-client
      policy:
        resolve: Always
    realmIdRef:
      name: my-realm
    protocolMapper: "saml-role-list-mapper"
    config:
      attribute.name: "Role"

Multi-Type References for Roles

Roles can now reference both OIDC and SAML clients using the new reference fields:

apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: saml-client-role
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "admin"
    # Reference SAML client using new field
    samlClientIdRef:
      name: my-saml-client
      policy:
        resolve: Always
    realmIdRef:
      name: my-realm

Alternatively, you can use the existing clientIdRef field to reference OIDC clients:

apiVersion: role.keycloak.crossplane.io/v1alpha1
kind: Role
metadata:
  name: oidc-client-role
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "user"
    # Reference OIDC client
    clientIdRef:
      name: my-oidc-client
      policy:
        resolve: Always
    realmIdRef:
      name: my-realm

New Realm Features

Brute Force Protection with Max Temporary Lockouts

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: secure-realm
spec:
  forProvider:
    realm: "secure-realm"
    enabled: true
    # New: number of temporary lockouts allowed before the account is locked permanently (needs permanentLockout)
    maxTemporaryLockouts: 3
    bruteForceProtected: true
    permanentLockout: true

Admin Permissions and Deletion Protection

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: protected-realm
spec:
  forProvider:
    realm: "protected-realm"
    enabled: true
    # New: Enable admin permissions for fine-grained control
    adminPermissionsEnabled: true
    # New: Prevent accidental deletion via Terraform
    terraformDeletionProtection: true

UTF-8 Support in SMTP Server Configuration

apiVersion: realm.keycloak.c...

v2.13.0-rc.1

05 Jan 11:19
3484cff


Pre-release

Release Notes

What's New

🚀 Multi-Type References Support

  • Protocol Mappers: Added samlClientIdRef/samlClientIdSelector and samlClientScopeIdRef/samlClientScopeIdSelector fields to reference SAML clients and client scopes alongside existing OIDC references (#468)
  • Client Policies: Added samlClients/samlClientsRefs/samlClientsSelector fields to reference SAML clients in authorization policies alongside OIDC clients (#468)
  • Authentication Execution: Fixed late initialization for parentFlowAlias field to prevent configuration drift (#468)
  • Source: Commit 7ff121d

📦 Keycloak Terraform Provider Update

🔧 Autogenerated Schema updates

Realm Resources:

  • Added maxTemporaryLockouts field for brute force protection configuration (2aba5a3)
  • Added adminPermissionsEnabled flag for fine-grained permission control (2aba5a3)
  • Added terraformDeletionProtection safety flag to prevent accidental deletions (2aba5a3)
  • Added allowUtf8 flag for UTF-8 support in SMTP server configuration (2aba5a3)

LDAP User Federation:

  • Added connectionPooling flag to enable LDAP connection pooling (2aba5a3)
  • Added debug field to enable/disable Kerberos authentication logging (2aba5a3)
  • Added krbPrincipalAttribute field to specify LDAP attribute for Kerberos principal lookup (2aba5a3)

OpenID Client Resources:

  • Added requireDpopBoundTokens flag to enable Demonstrating Proof-of-Possession (DPoP) bound tokens support (2aba5a3)

Group Resources:

  • Added description field for group descriptions
  • Source: Auto-generated from upstream provider update (commit 2aba5a3)

SAML Client Resources:

  • Added encryptionAlgorithm field to specify SAML assertion encryption algorithm (supports AES_256_GCM, AES_192_GCM, AES_128_GCM, AES_256_CBC, AES_192_CBC, AES_128_CBC)
  • Source: Auto-generated from upstream provider update (commit 2aba5a3)

🔨 Development & Tooling

  • Go Version: Updated from 1.24.0 to 1.25.4 (commit 66250e1)
  • Linter: Upgraded golangci-lint to v2.7.2 (commit 3fd5675)
  • Crossplane Runtime: Updated from v2.0.0 to v2.1.0 (#415, commit 03754d4)
  • Improved CI/CD: Updated GitHub Actions (#450, commit ec8b291)
  • Code Quality: Fixed multiple linter issues (QF1008, ST1019, QF1001) (commits bb62f55, 9245c82, bf6612f)

📚 Documentation

  • Enhanced README with detailed regression testing instructions
  • Added documentation for test rendering and chainsaw usage
  • Improved local development setup guide with --deploy-local-provider and --use-local-provider flags

🧪 Testing

  • Expanded test coverage with new SAML client test cases
  • Updated demo manifests for both cluster and namespaced resources
  • Added comprehensive examples for authorization resources and permissions

Infrastructure

  • Updated CRD definitions with 136 files changed (+5,085 additions, -675 deletions)
  • Improved dependency management and version pinning
  • Enhanced development environment setup scripts

Usage Examples

Multi-Type References for Protocol Mappers

Protocol mappers can now reference both OIDC and SAML clients/scopes using the new reference fields:

apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
  name: saml-protocol-mapper-example
spec:
  providerConfigRef:
    name: keycloak-provider-config
  forProvider:
    name: "user-roles"
    protocol: "saml"
    # Reference SAML client using new field
    samlClientIdRef:
      name: my-saml-client
      policy:
        resolve: Always
    realmIdRef:
      name: my-realm
    protocolMapper: "saml-role-list-mapper"
    config:
      attribute.name: "Role"

New Realm Features

Brute Force Protection with Max Temporary Lockouts

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: secure-realm
spec:
  forProvider:
    realm: "secure-realm"
    enabled: true
    # New: number of temporary lockouts allowed before the account is locked permanently (needs permanentLockout)
    maxTemporaryLockouts: 3
    bruteForceProtected: true
    permanentLockout: true

Admin Permissions and Deletion Protection

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: protected-realm
spec:
  forProvider:
    realm: "protected-realm"
    enabled: true
    # New: Enable admin permissions for fine-grained control
    adminPermissionsEnabled: true
    # New: Prevent accidental deletion via Terraform
    terraformDeletionProtection: true

UTF-8 Support in SMTP Server Configuration

apiVersion: realm.keycloak.crossplane.io/v1alpha1
kind: Realm
metadata:
  name: utf8-mail-realm
spec:
  forProvider:
    realm: "utf8-mail-realm"
    enabled: true
    smtpServer:
      - host: "smtp.example.com"
        from: "noreply@example.com"
        # New: UTF-8 support for the realm's SMTP server
        allowUtf8: true

Enhanced Authorization Resources

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientAuthorizationResource
metadata:
  name: protected-api-resource
spec:
  forProvider:
    name: "api-resource"
    displayName: "Protected API Resource"
    type: "http://example.com/api"
    # Enhanced attributes support
    attributes:
      environment: "production"
      sensitivity: "high"
    uris:
      - "/api/v1/*"
    realmIdRef:
      name: my-realm
    resourceServerIdRef:
      name: my-client

Group Description Field

apiVersion: group.keycloak.crossplane.io/v1alpha1
kind: Group
metadata:
  name: developers-group
spec:
  forProvider:
    name: "developers"
    # New: Add description to groups
    description: "Development team with access to staging environments"
    realmIdRef:
      name: my-realm

SAML Client Encryption Algorithm

apiVersion: samlclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: saml-app
spec:
  forProvider:
    clientId: "saml-application"
    name: "SAML Application"
    encryptAssertions: true
    # New: Specify encryption algorithm for SAML assertions
    encryptionAlgorithm: "AES_256_GCM"
    realmIdRef:
      name: my-realm

DPoP Bound Tokens for OpenID Clients

apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
  name: secure-oidc-client
spec:
  forProvider:
    clientId: "secure-app"
    name: "Secure Application"
    # New: Enable Demonstrating Proof-of-Possession (DPoP) bound tokens
    requireDpopBoundTokens: true
    realmIdRef:
      name: my-realm

Full Changelog: v2.12.1...v2.13.0-rc.1

v2.12.1

11 Dec 11:31


What's Changed

  • fix(logs): restoring controller-runtime logger to a no-op logger by default by @yoelpadronglez in #455

Full Changelog: v2.12.0...v2.12.1

v2.12.0

04 Dec 08:17
54d5c50


New Features

Executions

In Keycloak, authentication executions can be nested within subflows, but before this release the provider's Execution resource could only reference Flow resources, not Subflow resources.

Problem:

# This worked ✅
apiVersion: authenticationflow.keycloak.crossplane.io/v1alpha1
kind: Execution
spec:
  forProvider:
    parentFlowAliasRef:
      name: my-flow  # References a Flow

# This failed ❌
apiVersion: authenticationflow.keycloak.crossplane.io/v1alpha1
kind: Execution
spec:
  forProvider:
    parentFlowAliasRef:
      name: my-subflow  # References a Subflow - selector couldn't resolve

Now this works ✅:

apiVersion: authenticationflow.keycloak.crossplane.io/v1alpha1
kind: Execution
metadata:
  name: execution-in-subflow
spec:
  forProvider:
    authenticator: auth-username-password-form
    # NEW: Can now reference Subflow resources
    parentSubflowAliasRef:
      name: my-subflow
    priority: 10
    realmIdRef:
      name: my-realm
    requirement: REQUIRED
  providerConfigRef:
    name: keycloak-provider-config

Using selectors also works ✅:

apiVersion: authenticationflow.keycloak.crossplane.io/v1alpha1
kind: Execution
metadata:
  name: execution-with-selector
spec:
  forProvider:
    authenticator: auth-otp-form
    # NEW: Selector for Subflow resources
    parentSubflowAliasSelector:
      matchLabels:
        flow-type: authentication
    priority: 20
    realmIdRef:
      name: my-realm
    requirement: REQUIRED
  providerConfigRef:
    name: keycloak-provider-config

What's Changed

  • fix(credentials): correct parsing of client_timeout and tls_insecure_… by @yoelpadronglez in #444
  • feat(executions): Enable Execution resources to reference Subflow resources by @Breee in #448

New Contributors

Full Changelog: v2.11.0...v2.12.0

v2.11.0

26 Nov 14:45


What's Changed

  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 959998a by @renovate[bot] in #422
  • fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.4 by @renovate[bot] in #424
  • chore(deps): update docker/setup-qemu-action digest to c7c5346 by @renovate[bot] in #427
  • fix: remove unusable enum elements by @vlada-dudr in #429
  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 2c7e679 by @renovate[bot] in #430
  • fix(deps): update k8s.io dependencies to v0.34.2 by @renovate[bot] in #431
  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 31116ff by @renovate[bot] in #432
  • chore(deps): update actions/checkout digest to 93cb6ef by @renovate[bot] in #436
  • chore(deps): update actions/checkout digest to 34e1148 by @renovate[bot] in #437
  • Repair e2e tests & run in CICD by @denniskniep in #438
  • chore(deps): update actions/checkout digest to 93cb6ef by @renovate[bot] in #440
  • fix: client role import failure when using clientIdRef by @michvllni in #447

New Contributors

Full Changelog: v2.10.0...v2.11.0

v2.10.0

01 Nov 15:20


What's Changed

  • fix(deps): update github.com/keycloak/terraform-provider-keycloak digest to 4a16ee7 by @renovate[bot] in #417
  • feat: specify safe-start capability by @vlada-dudr in #421
  • chore: update build submodule by @vlada-dudr in #420

Full Changelog: v2.9.0...v2.10.0