Keycloak: clarify settings for realms

.env.example.keycloak

@@ -40,10 +40,14 @@ KEYCLOAK_SERVER_URL=https://example.okta.com
 ## as it will be using the Admin API
 KEYCLOAK_USERNAME=api-account
 KEYCLOAK_PASSWORD=ExamplePassword
-## Master (or equivalent) realm name
-#KEYCLOAK_MASTER_REALM=master
 ## Realm where users are stored
-#KEYCLOAK_USER_REALM=master
+## Default: master
+#KEYCLOAK_REALM=master
+## Realm where the API account is stored
+## Only required if the account is stored in a different realm than your
+## users are in
+## Default: same as KEYCLOAK_REALM
+#KEYCLOAK_ADMIN_REALM=master
 ## Use the Github Identity Provider within Keycloak?
 ## This requires you to set up the provider as an Identity provider with
 ## the user realm

README.md

@@ -191,8 +191,8 @@ OKTA_PRIVATE_KEY='{"kty": "RSA", ...}'
 ```env
 KEYCLOAK_USERNAME=api-account
 KEYCLOAK_PASSWORD=ExamplePassword
-KEYCLOAK_MASTER_REALM=master
-KEYCLOAK_USER_REALM=ExampleCorp
+KEYCLOAK_REALM=ExampleCorp
+KEYCLOAK_ADMIN_REALM=master
 KEYCLOAK_USE_GITHUB_IDP=true
 ```
 

githubapp/keycloak.py

@@ -20,14 +20,17 @@ class Keycloak:
         if not os.environ.get("KEYCLOAK_PASSWORD", None):
             raise Exception("KEYCLOAK_PASSWORD not defined")
 
+        if not os.environ.get("KEYCLOAK_ADMIN_REALM"):
+            os.environ["KEYCLOAK_ADMIN_REALM"] = os.environ.get("KEYCLOAK_REALM")
+
         self.UseGithubIDP = os.environ.get("KEYCLOAK_USE_GITHUB_IDP", "true") == "true"
 
         self.client = KeycloakAdmin(
             server_url=os.environ["KEYCLOAK_SERVER_URL"],
             username=os.environ["KEYCLOAK_USERNAME"],
             password=os.environ["KEYCLOAK_PASSWORD"],
-            realm_name=os.environ.get("KEYCLOAK_MASTER_REALM", "master"),
-            user_realm_name=os.environ.get("KEYCLOAK_USER_REALM", "master")
+            realm_name=os.environ.get("KEYCLOAK_REALM", "master"),
+            user_realm_name=os.environ.get("KEYCLOAK_ADMIN_REALM", "master")
         )
 
     def get_group_members(self, group_name: str = None):