KEYCLOAK-17607

Faisal Masood · slaskawi · commit 170bc301829b · 2021-04-30T11:01:47.000+02:00
diff --git a/deploy/crds/keycloak.org_keycloakrealms_crd.yaml b/deploy/crds/keycloak.org_keycloakrealms_crd.yaml
@@ -77,17 +77,14 @@ spec:
             realm:
               description: Keycloak Realm REST object.
               properties:
-                accessTokenLifespanForImplicitFlow:
-                  description: 'Max time before an access token issued during OpenID Connect Implicit Flow is expired. 
-                     This value is recommended to be shorter than SSO timeout. 
-                     There is no possibility to refresh token during implicit flow, 
-                     thats why there is a separate timeout different to Access Token Lifespan.'
-                  type: integer
-                  format: int32
                 accessTokenLifespan:
-                  description: 'Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.'
+                  description: Access Token Lifespan
+                  format: int32
                   type: integer
+                accessTokenLifespanForImplicitFlow:
+                  description: Access Token Lifespan For Implicit Flow
                   format: int32
+                  type: integer
                 accountTheme:
                   description: Account Theme
                   type: string
@@ -826,7 +823,7 @@ spec:
                   description: Realm display name.
                   type: string
                 displayNameHtml:
-                  description: Realm display name in HTML.
+                  description: Realm HTML display name.
                   type: string
                 duplicateEmailsAllowed:
                   description: Duplicate emails
@@ -921,6 +918,9 @@ spec:
                   description: Minimum Quick Login Wait
                   format: int32
                   type: integer
+                passwordPolicy:
+                  description: Realm Password Policy
+                  type: string
                 permanentLockout:
                   description: Permanent Lockout
                   type: boolean
diff --git a/deploy/examples/realm/basic_realm_with_password_policy.yaml b/deploy/examples/realm/basic_realm_with_password_policy.yaml
@@ -0,0 +1,16 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+  name: example-keycloakrealm
+  labels:
+    app: sso
+spec:
+  realm:
+    id: "basic"
+    realm: "basic"
+    enabled: True
+    displayName: "Basic Realm"
+    passwordPolicy: "lowerCase(1)"
+  instanceSelector:
+    matchLabels:
+      app: sso
diff --git a/pkg/apis/keycloak/v1alpha1/keycloakrealm_types.go b/pkg/apis/keycloak/v1alpha1/keycloakrealm_types.go
@@ -38,6 +38,9 @@ type KeycloakAPIRealm struct {
 	// Realm HTML display name.
 	// +optional
 	DisplayNameHTML string `json:"displayNameHtml,omitempty"`
+	// Realm Password Policy
+	// +optional
+	PasswordPolicy string `json:"passwordPolicy,omitempty"`
 	// A set of Keycloak Users.
 	// +optional
 	Users []*KeycloakAPIUser `json:"users,omitempty"`
diff --git a/pkg/apis/keycloak/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/keycloak/v1alpha1/zz_generated.deepcopy.go
diff --git a/test/e2e/keycloak_realm_test.go b/test/e2e/keycloak_realm_test.go
@@ -63,6 +63,7 @@ func getKeycloakRealmCR(namespace string) *keycloakv1alpha1.KeycloakRealm {
 				Enabled:                            true,
 				DisplayName:                        "Operator Testing Realm",
 				DisplayNameHTML:                    "<div class='kc-logo-text'><span>Operator Testing Realm</span></div>",
+				PasswordPolicy:                     "lowerCase(1)",
 				BruteForceProtected:                &[]bool{true}[0],
 				PermanentLockout:                   &[]bool{false}[0],
 				FailureFactor:                      &[]int32{30}[0],
