Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconcile authorization service settings after client roles reconciliation #11

Open
kereis opened this issue Feb 14, 2023 · 0 comments · May be fixed by #12
Open

Reconcile authorization service settings after client roles reconciliation #11

kereis opened this issue Feb 14, 2023 · 0 comments · May be fixed by #12

Comments

@kereis
Copy link

kereis commented Feb 14, 2023

Description

The Client CRD includes settings for authorization services. When an authorization policy contains a check for a required role, then the reconciliation will fail as client roles are reconciled after client reconciliation. I've seen that it affects the creation of new clients only.

Discussion

No response

Motivation

Besides Client CR, there's no other way to provide authorization settings to the operator/Keycloak.

Details

In

keycloak-realm-operator/pkg/controller/keycloakclient/keycloakclient_reconciler.go

Line 31 in f0b2224

func (i *KeycloakClientReconciler) Reconcile(state *common.ClientState, cr *kc.KeycloakClient) common.DesiredClusterState {
we can see that clients are reconciled first before client roles.

keycloak-realm-operator/pkg/controller/keycloakclient/keycloakclient_reconciler.go

Lines 35 to 59 in f0b2224

if cr.DeletionTimestamp != nil {
desired.AddAction(i.getDeletedClientState(state, cr))
return desired
}
if state.Client == nil {
desired.AddAction(i.getCreatedClientState(state, cr))
} else {
desired.AddAction(i.getUpdatedClientState(state, cr))
}
if state.ClientSecret == nil {
desired.AddAction(i.getCreatedClientSecretState(state, cr))
} else {
desired.AddAction(i.getUpdatedClientSecretState(state, cr))
}
if state.DeprecatedClientSecret != nil {
// Delete client secret created using the previous naming scheme, i.e., keycloak-client-secret-<CLIENT_ID>.
// See GH issue #473 and KEYCLOAK-18346.
desired.AddAction(i.getDeletedDeprecatedClientSecretState(state, cr))
}
i.ReconcileRoles(state, cr, &desired)

We need to split authorizationSettings from the client reconciliation process and extract it to its own reconciliation logic. Then, that extracted logic should be called after client roles (or default client roles) reconciliation.

Ideally, keycloak/keycloak#16998 should be resolved in advance.
@kereis kereis linked a pull request Mar 17, 2023 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add reconciliation of authorization services in KeycloakClients kereis/keycloak-realm-operator
1 participant
@kereis