This repository was archived by the owner on Nov 26, 2025. It is now read-only.


@michaelstingl michaelstingl commented Jul 22, 2025

Summary

This PR makes the Keycloak demo users configurable through the opencloud.demoUsers.enabled setting, providing consistency across the stack and alignment with the opencloud-compose approach.

Changes

  • Modified charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl to conditionally include demo users
  • Updated README.md to clarify that demoUsers.enabled affects both OpenCloud and Keycloak users
  • BREAKING CHANGE: Renamed opencloud.createDemoUsers to opencloud.demoUsers.enabled for consistency with other enable/disable patterns

Details

Current behavior

Demo users (alan, dennis, lynn, margaret, mary) are always created in Keycloak, regardless of the OpenCloud setting.

New behavior

  • When opencloud.demoUsers.enabled: false (default): No demo users in Keycloak
  • When opencloud.demoUsers.enabled: true: Demo users are created in Keycloak

This aligns the Keycloak behavior with the OpenCloud setting for consistency.

Configuration Change

The configuration has been renamed for better consistency:

# Old (removed)
opencloud:
  createDemoUsers: false

# New
opencloud:
  demoUsers:
    enabled: false

Alignment with opencloud-compose

The opencloud-compose repository already provides this flexibility through separate realm files:

  • opencloud-realm.dist.json - Production realm without demo users
  • opencloud-realm-autoprovisioning.dist.json - Development realm with demo users

This PR brings the same capability to the Helm chart, but using a single template file with conditional logic instead of maintaining two separate files. This approach:

  • Reduces maintenance overhead (single source of truth)
  • Uses a consistent naming pattern for configuration
  • Follows Helm best practices for configuration management

Testing

Tested locally with helm template:

# No demo users with default setting
helm template charts/opencloud | grep -c "[email protected]"
# Output: 0

# Demo users included when enabled
helm template charts/opencloud --set opencloud.demoUsers.enabled=true | grep -c "[email protected]"  
# Output: 1

# Helm lint passes for both configurations
helm lint charts/opencloud --set opencloud.demoUsers.enabled=false
helm lint charts/opencloud --set opencloud.demoUsers.enabled=true

Related Issues

Discovered during Rackspace deployment where demo users were unexpectedly present in production setup.

Breaking Change Notice

This PR includes a breaking change: opencloud.createDemoUsers has been renamed to opencloud.demoUsers.enabled. Since we're in 0.x.x version, breaking changes are acceptable per semver conventions.

Checklist

  • Tested with helm lint
  • Updated documentation
  • Verified both configurations work as expected
  • Aligned with opencloud-compose approach
  • Renamed configuration for consistency

- Demo users (alan, dennis, lynn, margaret, mary) are now only created when opencloud.createDemoUsers=true
- This aligns with the OpenCloud createDemoUsers setting for consistency
- Updated README to clarify that the setting affects both OpenCloud and Keycloak users
- Default is false, so demo users are not created by default

Copilot AI left a comment

Pull Request Overview

This PR makes Keycloak demo user creation configurable through the existing opencloud.createDemoUsers setting, ensuring consistent behavior between OpenCloud and Keycloak components. Previously, demo users were always created in Keycloak regardless of this setting.

  • Adds conditional template logic to control demo user creation in Keycloak realm configuration
  • Updates documentation to clarify that the setting affects both OpenCloud and Keycloak users
  • Aligns Helm chart behavior with the opencloud-compose approach for consistency

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
charts/opencloud/files/keycloak/opencloud-realm.json.gotmpl | Added conditional templating to include/exclude demo users based on createDemoUsers setting
charts/opencloud/README.md | Updated parameter description to clarify scope includes both OpenCloud and Keycloak users

- Added detailed instructions for creating production users in Keycloak
- Listed available OpenCloud roles and their purposes
- Added security warning about demo users with hardcoded passwords
- Clarified that demo users should never be used in production
@michaelstingl michaelstingl added Priority:p2-high High priority Type:Security and removed Priority:p3-medium Normal priority labels Jul 22, 2025
@michaelstingl
Contributor Author

Thanks for the review @copilot!

The current implementation is intentional and produces valid JSON in both cases:

  • When createDemoUsers: true → Array with demo users
  • When createDemoUsers: false → Empty array []

The "admin" user here is not the Keycloak system admin (which is in the master realm), but a demo user in the openCloud realm. As documented in the updated README, this demo user has a hardcoded password and should not be used in production.

For production use, administrators should:

  1. Set createDemoUsers: false (default)
  2. Create real users manually in Keycloak with secure passwords
  3. Assign appropriate roles (opencloudAdmin, opencloudUser, etc.)

This aligns with the opencloud-compose approach where the production realm has an empty users array.
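
Added example (not part of the PR or the chart): a check that parses a rendered realm import and reports the demo accounts named in this thread plus any user whose password is embedded in the file, which is a stricter gate than grepping for a single address. It assumes the realm JSON has already been extracted from the `helm template` output; the `users[].credentials[]` layout is Keycloak's realm import format, and the sample realms and the `audit_realm` name are constructed for illustration.

```python
import json
import sys

# Demo accounts named in this thread; "admin" is the demo user in the
# openCloud realm that the author's reply mentions.
DEMO_USERNAMES = {"alan", "dennis", "lynn", "margaret", "mary", "admin"}


def audit_realm(realm_json: str) -> list[str]:
    """Return findings for one rendered Keycloak realm import document."""
    realm = json.loads(realm_json)
    findings = []
    for user in realm.get("users") or []:
        name = str(user.get("username", "")).lower()
        if name in DEMO_USERNAMES:
            findings.append(f"demo user present: {name}")
        # An inline credential "value" is a password shipped with the chart,
        # whatever the account is called.
        for cred in user.get("credentials") or []:
            if cred.get("type") == "password" and cred.get("value"):
                findings.append(f"hardcoded password in realm file: {name}")
    return findings


# Constructed sample realms (not taken from the chart).
REALM_WITH_DEMO = json.dumps({
    "realm": "openCloud",
    "users": [
        {"username": "alan", "credentials": [{"type": "password", "value": "demo"}]},
        {"username": "mary"},
        {"username": "ops", "credentials": [{"type": "password", "value": "changeme"}]},
    ],
})
REALM_PRODUCTION = json.dumps({"realm": "openCloud", "users": []})

if __name__ == "__main__":
    # Usage: python audit_realm.py rendered-realm.json  (exits 1 on findings)
    with open(sys.argv[1], encoding="utf-8") as fh:
        results = audit_realm(fh.read())
    print("\n".join(results) or "no demo users or embedded passwords")
    sys.exit(1 if results else 0)
```

Run against the output of both chart configurations, the check should pass only for the default `demoUsers.enabled: false` render.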

@michaelstingl michaelstingl requested review from butonic and wrenix July 22, 2025 07:54
- Changed opencloud.createDemoUsers to opencloud.demoUsers.enabled
- Follows consistent pattern with other enable/disable settings
- Updates all references in templates, values.yaml, and documentation
- Breaking change acceptable as we're in 0.x.x version
@butonic butonic removed their request for review September 19, 2025 10:37