Epic
Resolution: Done
Major
Keycloak Operator
To Do
Why
To prevent users from directly accessing Keycloak, it is provisioned into a restricted namespace. This operator is provisioned into the same namespace to orchestrate the creation and deletion of slices and bindings to the Keycloak instance on behalf of users, who cannot access this namespace.
What
Create a Keycloak operator and deployment mechanism that will handle the following:
- Creation and deletion of a Keycloak realm
- Creation and deletion of a Keycloak user
- Creation and deletion of a public or bearer client
The operator will also be aware of the Shared Service Custom Resources and act on these if configured to do so:
- SharedService: the configuration template for a particular shared service.
- SharedServiceSlice: used to inform the operator to set up what it considers a slice of the service. In this case it will be a realm.
- SharedServiceAction
In a future iteration we may look to abstract this shared service concept, along with the types, out into a lib, allowing it to be reused across other operators.
Out of scope
- Deciding what happens if a SharedService CR is deleted (i.e. should we remove all the shared service instances)
- Configuration of a cluster (although it is something we would like to look into later)
- Configuration of proxies (again, we will likely look at it later down the line)