epam / edp-keycloak-operator

It is responsible for establishing a connection to provided Keycloak Server, reconciling realms, and clients according to the created CRs
https://epam.github.io/edp-install/
Apache License 2.0

Boolean parameters with value `false` are silently ignored #56

Open denvir opened 1 month ago

denvir commented 1 month ago

Some parameters contain the default value even if set in the CRD to a different value. I noticed this behaviour in the KeycloakClient resource, but other resources may be affected as well. It looks to me like boolean parameters with value false are not applied. If there is no default value, then it is probably silently set to false, which is the desired state. But if the default value is true, then these parameters have the wrong value.

To Reproduce

Set up postgresql and keycloak, e.g. via bitnami/postgresql and codecentric/keycloakx charts.

Deploy the operator as described in the readme:

helm repo add epamedp https://epam.github.io/edp-helm-charts/stable
helm repo update
helm install keycloak-operator epamedp/keycloak-operator --version 1.20.0 --namespace keycloak --set name=keycloak-operator

Create keycloak-admin secret and Keycloak CRD:

apiVersion: v1.edp.epam.com/v1
kind: Keycloak
metadata:
  namespace: keycloak
  name: keycloak
spec:
  secret: keycloak-admin
  url: http://keycloak-keycloakx-http

Create KeycloakRealm CRD:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealm
metadata:
  namespace: keycloak
  name: test-realm
spec:
  realmName: test-realm
  keycloakRef:
    name: keycloak
    kind: Keycloak

Create KeycloakClient CRD:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakClient
metadata:
  namespace: keycloak
  name: backend-client
spec:
  advancedProtocolMappers: false
  attributes:
    post.logout.redirect.uris: ""
  authorizationServicesEnabled: false
  clientAuthenticatorType: client-secret
  clientId: backend-client
  consentRequired: false
  enabled: false
  fullScopeAllowed: false
  realmRef:
    kind: KeycloakRealm
    name: test-realm
  secret: backend-client-secret
  serviceAccount:
    clientRoles:
    - clientId: realm-management
      roles:
      - manage-users
    enabled: true
    realmRoles: null
  standardFlowEnabled: false

Check deployed resource: kubectl describe KeycloakClient backend-client -n keycloak

Name:         backend-client
Namespace:    keycloak
Labels:       <none>
Annotations:  <none>
API Version:  v1.edp.epam.com/v1
Kind:         KeycloakClient
Metadata:
  Creation Timestamp:  2024-05-10T10:35:06Z
  Finalizers:
    keycloak.client.operator.finalizer.name
  Generation:  3
  Owner References:
    API Version:           v1.edp.epam.com/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  KeycloakRealm
    Name:                  test-realm
    UID:                   ee1f909a-de79-4b1c-a4da-0aef722b3d6e
  Resource Version:        63205
  UID:                     19c1f7a2-6fda-492a-b977-7fd5445893d7
Spec:
  Attributes:
    post.logout.redirect.uris:
  Client Authenticator Type:    client-secret
  Client Id:                    backend-client
  Enabled:                      true
  Full Scope Allowed:           true
  Realm Ref:
    Kind:  KeycloakRealm
    Name:  test-realm
  Secret:  $backend-client-secret:clientSecret
  Service Account:
    Client Roles:
      Client Id:  realm-management
      Roles:
        manage-users
    Enabled:              true
    Realm Roles:          <nil>
  Standard Flow Enabled:  true
  Web Origins:

Status:
  Client Id:  77287e6b-1af9-40e1-a490-54bab0e7e0c7
  Value:      OK
Events:       <none>

The values for spec.enabled, spec.fullScopeAllowed and spec.standardFlowEnabled are all set to the default value true instead of the defined false. Note that other boolean parameters which do not have a default value (spec.advancedProtocolMappers, spec.authorizationServicesEnabled and spec.consentRequired in this case) do not appear in the resource.

Kubernetes cluster type: minikube v1.33.0 on Microsoft Windows 10 with docker driver

Kubernetes v1.30.0

$ kubectl version
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.0

Additional context

Chart version 1.20.0

I wanted to test the latest snapshot version, but for some reason the snapshot repo (https://epam.github.io/edp-helm-charts/snapshot) does not contain any charts:

helm repo add epamedp-snapshot https://epam.github.io/edp-helm-charts/snapshot

"epamedp-snapshot" has been added to your repositories

helm repo update

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "codecentric" chart repository
...Successfully got an update from the "epamedp" chart repository
...Successfully got an update from the "epamedp-snapshot" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. Happy Helming!

helm search repo epamedp-snapshot

No results found

zmotso commented 1 month ago

Hi @denvir. Thank you for the detailed feedback. We will investigate the issue.
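
An added example, not code from this issue or from the operator: one way a Go controller can produce exactly the reported symptom, where `false` turns into `true` for defaulted fields and disappears for the rest. It assumes, and the issue does not confirm, that the spec fields are plain `bool` with `omitempty` and that the CRD schema declares `default: true`; `valueSpec`, `pointerSpec`, `schemaDefaults` and `roundTrip` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical spec types for illustration, not the operator's real ones.
type valueSpec struct {
	Enabled         bool `json:"enabled,omitempty"`
	ConsentRequired bool `json:"consentRequired,omitempty"`
}

// Pointer fields distinguish "unset" (nil) from an explicit false.
type pointerSpec struct {
	Enabled         *bool `json:"enabled,omitempty"`
	ConsentRequired *bool `json:"consentRequired,omitempty"`
}

// schemaDefaults mimics CRD schema defaulting (assumed: enabled defaults to true).
var schemaDefaults = map[string]interface{}{"enabled": true}

// roundTrip decodes the submitted spec into dst (controller reads the object),
// re-encodes it (controller writes it back), then fills absent fields with defaults.
func roundTrip(submitted string, dst interface{}) (map[string]interface{}, error) {
	if err := json.Unmarshal([]byte(submitted), dst); err != nil {
		return nil, err
	}
	written, err := json.Marshal(dst) // omitempty drops every false plain bool here
	if err != nil {
		return nil, err
	}
	stored := map[string]interface{}{}
	if err := json.Unmarshal(written, &stored); err != nil {
		return nil, err
	}
	for k, v := range schemaDefaults {
		if _, ok := stored[k]; !ok {
			stored[k] = v
		}
	}
	return stored, nil
}

func main() {
	const submitted = `{"enabled": false, "consentRequired": false}` // constructed sample
	lossy, _ := roundTrip(submitted, &valueSpec{})
	kept, _ := roundTrip(submitted, &pointerSpec{})
	fmt.Println("bool + omitempty: ", lossy) // map[enabled:true]
	fmt.Println("*bool + omitempty:", kept)  // map[consentRequired:false enabled:false]
}
```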