crossplane-contrib / provider-keycloak

Apache License 2.0
21 stars, 11 forks

Provider keeps adding `UPDATE_PASSWORD` to user required actions #62

Open a1994sc opened 7 months ago

a1994sc commented 7 months ago

I am using Keycloak version 21.1.1 with provider v0.10.0, and after changing my initial password and waiting a few minutes the action `UPDATE_PASSWORD` is added to the required actions...

```yaml
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: aconlon
spec:
  deletionPolicy: Delete
  providerConfigRef:
    name: keycloak
  forProvider:
    realmIdRef:
      name: company
    username: aconlon
    email: allen@conlon.dev
    emailVerified: true
    firstName: Allen
    lastName: Conlon
    requiredActions: []
    initialPassword:
    - temporary: true
      valueSecretRef:
        key: password
        name: keycloak-initial-password
        namespace: crossplane-system
```

```yaml
# kubectl get user.user aconlon -o yaml
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
...
spec:
  forProvider:
    requiredActions:
    - UPDATE_PASSWORD
```

I tried to see if this was an issue with the upstream Terraform provider, but I did not see anything in the issues...

Any help would be awesome, thanks.

Breee commented 7 months ago

Greetings, I would say that is expected behavior with respect to the current logic of the provider. I'll test it myself and report back to you. However, do you even need `UPDATE_PASSWORD` if you have set the initial password to temporary?

I'll think about how we can solve this issue of continuously applied required actions.

a1994sc commented 7 months ago

Well, applying the update-password action is fine after creating the user; however, it is adding that action after the user has set their new password... So they have to keep updating their password every few minutes.

Breee commented 7 months ago

Yeah, the question is how we shall differentiate that.

Besides that, I don't think you need an `UPDATE_PASSWORD` RequiredAction object at all if you are using

```yaml
    initialPassword:
    - temporary: true
```

because `temporary: true` should already ensure that a user is forced to update their password.

Besides that:

One solution without changing the provider itself would be:

  1. Create the RequiredAction object and set its deletion policy to Orphan (see https://docs.crossplane.io/latest/concepts/managed-resources/)
  2. Delete the object after it has been synced successfully

That approach would not work for any GitOps-based workflow, though, and would require additional changes / self-built logic in the provider.

a1994sc commented 7 months ago

So the instance in question is running on Keycloak 21.1.2, but I have another instance running Keycloak 22.0.4 and it works fine without the issue of the password resetting... So maybe something in 22 fixed this interaction?

haarchri commented 6 months ago

I wonder if we can skip requiredActions for late-init; it's fine to have it status-only, or?
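To make the loop concrete, here is an added Python model of the reconcile behaviour Breee calls "expected" above and of the late-init skip haarchri asks about. It is example code written for this thread, not provider-keycloak code, and it rests on two assumptions that the page does not confirm: (a) an empty `requiredActions` list counts as "unset" for late-initialization, so the observed value gets copied into `spec.forProvider`, and (b) Keycloak itself adds `UPDATE_PASSWORD` to a user created with a temporary initial password and clears it once the user changes the password. `FakeKeycloak`, `ManagedUser`, `reconcile` and `simulate` are names made up for the example.

```python
"""Toy model of the Crossplane reconcile loop behind this issue (added example,
not provider-keycloak code).

Assumptions, not taken from the provider source:
  * an empty requiredActions list is treated as "unset" for late-initialization;
  * a temporary initial password makes Keycloak add UPDATE_PASSWORD to the user,
    and a successful password change removes it again.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeycloakUser:
    required_actions: set[str] = field(default_factory=set)


class FakeKeycloak:
    """Stand-in for the Keycloak admin API: just enough state for the loop."""

    def __init__(self) -> None:
        self.users: dict[str, KeycloakUser] = {}

    def create_user(self, name: str, actions: list[str], temporary_password: bool) -> None:
        user = KeycloakUser(set(actions))
        if temporary_password:  # assumption (b): Keycloak forces a reset on first login
            user.required_actions.add("UPDATE_PASSWORD")
        self.users[name] = user

    def get_user(self, name: str) -> Optional[KeycloakUser]:
        return self.users.get(name)

    def set_required_actions(self, name: str, actions: set[str]) -> None:
        self.users[name].required_actions = set(actions)

    def user_changed_password(self, name: str) -> None:
        # the user completed the forced reset; Keycloak drops the pending action
        self.users[name].required_actions.discard("UPDATE_PASSWORD")


@dataclass
class ManagedUser:
    """The User managed resource: spec.forProvider plus status.atProvider."""
    name: str
    temporary_password: bool
    spec_required_actions: list[str] = field(default_factory=list)
    status_required_actions: list[str] = field(default_factory=list)


def reconcile(kc: FakeKeycloak, mr: ManagedUser, late_init_required_actions: bool) -> str:
    """One observe / create / update pass. Returns what the pass did."""
    observed = kc.get_user(mr.name)
    if observed is None:
        kc.create_user(mr.name, mr.spec_required_actions, mr.temporary_password)
        return "created"

    # status always mirrors what Keycloak reported in this pass
    mr.status_required_actions = sorted(observed.required_actions)

    if not mr.spec_required_actions:  # assumption (a): [] counts as unset
        if late_init_required_actions:
            # late-init writes the observed value into spec, making it desired state
            mr.spec_required_actions = sorted(observed.required_actions)
        else:
            # status-only handling: nothing is desired, so nothing is enforced
            return "in-sync"

    desired = set(mr.spec_required_actions)
    if desired != observed.required_actions:
        kc.set_required_actions(mr.name, desired)  # re-adds UPDATE_PASSWORD after every reset
        return "updated"
    return "in-sync"


def simulate(late_init_required_actions: bool, rounds: int = 3) -> dict:
    """Create the user, observe once, then alternate 'user resets password' / reconcile."""
    kc = FakeKeycloak()
    mr = ManagedUser("aconlon", temporary_password=True)
    events = [reconcile(kc, mr, late_init_required_actions)]    # create
    events.append(reconcile(kc, mr, late_init_required_actions))  # first observe
    for _ in range(rounds):
        kc.user_changed_password(mr.name)
        events.append(reconcile(kc, mr, late_init_required_actions))
    return {
        "events": events,
        "spec": mr.spec_required_actions,
        "status": mr.status_required_actions,
        "keycloak": sorted(kc.get_user(mr.name).required_actions),
    }


if __name__ == "__main__":
    print("late-init on: ", simulate(True))
    print("late-init off:", simulate(False))
```

With late-init on, the first observe copies `UPDATE_PASSWORD` into spec, and from then on every pass after the user resets their password reports `updated` and puts the action back, which is the "every few minutes" loop in the report. With late-init off (status only), the action is reported in status, the user clears it once, and the provider stays `in-sync`.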

TehreemNisa commented 2 weeks ago

This is happening in our Keycloak instance in version 24.0.7. The user required action continuously updates and asks for `UPDATE_PASSWORD` for all users if we set the temporary field to true. It is mentioned in the documentation that "If set to true, the initial password is set up for renewal on first use."

https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.4.0/resources/user.keycloak.crossplane.io/User/v1alpha1

Breee commented 2 weeks ago

Please test xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.5.0-rc