kiwigrid / keycloak-controller

This controller manages Keycloak clients and realms over Kubernetes resources.
https://hub.docker.com/r/kiwigrid/keycloak-controller
MIT License

Keycloak server compatibility versions? #20

Closed Mattzr closed 4 years ago

Mattzr commented 4 years ago

Hi, first of all, great job on this Keycloak controller. It's really useful and a much easier way to manage a Keycloak cluster compared to the traditional way with the JSON files to import.

So I have a question and suggestion at once:

It would be great to have a compatibility matrix in the README.md.

Why?

Because when changing an existing KeycloakRealm, by changing the roles for example, I'm seeing an error in the logs that seems to be related to an attribute that can't be parsed by the Keycloak API, probably because my Keycloak server is ahead:

keycloak-instance/onboarding: unable to create realm
javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field \"webAuthnPolicyRpEntityName\"
  (class org.keycloak.representations.idm.RealmRepresentation), not marked as ignorable (106 known properties:
  \"userFederationMappers\", \"rememberMe\", \"duplicateEmailsAllowed\", \"adminEventsDetailsEnabled\", \"users\",
  \"components\", \"otpPolicyType\", \"accessCodeLifespanUserAction\", \"id\", \"enabledEventTypes\", \"applications\",
  \"eventsListeners\", \"ssoSessionMaxLifespanRememberMe\", \"defaultDefaultClientScopes\", \"notBefore\", \"publicKey\",
  \"smtpServer\", \"resetPasswordAllowed\", \"accessTokenLifespanForImplicitFlow\", \"clientScopes\",
  \"internationalizationEnabled\", \"attributes\", \"accessTokenLifespan\", \"passwordCredentialGrantAllowed\",
  \"federatedUsers\", \"applicationScopeMappings\", \"displayName\", \"refreshTokenMaxReuse\", \"oauthClients\",
  \"defaultGroups\", \"browserFlow\", \"failureFactor\", \"directGrantFlow\", \"otpPolicyDigits\",
  \"revokeRefreshToken\", \"otpSupportedApplications\", \"registrationFlow\", \"editUsernameAllowed\",
  \"ssoSessionIdleTimeoutRememberMe\", \"emailTheme\", \"realm\", \"actionTokenGeneratedByAdminLifespan\",
  \"authenticatorConfig\", \"offlineSessionMaxLifespan\", \"protocolMappers\", \"accountTheme\",
  \"maxDeltaTimeSeconds\" [truncated]])\n at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);

Mattzr commented 4 years ago

Ok so new attributes were introduced in Keycloak 8.

The keycloak-admin-client dependency version might need an upgrade to be compatible with version 8:

https://mvnrepository.com/artifact/org.keycloak/keycloak-admin-client/6.0.1

Would still be good to have a compatibility map!
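
The failure in the log above, reproduced as an added example (not code from keycloak-controller or Keycloak): a Jackson mapper with default settings rejects a field the target class predates, while a lenient mapper accepts the payload but loses that field when the object is written back. `OldRealmRepresentation`, the class name `RealmSchemaDrift` and the JSON sample are constructed stand-ins; Jackson databind on the classpath is assumed.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class RealmSchemaDrift {

    // Hypothetical stand-in for an older client's realm class:
    // it predates the WebAuthn fields, so it has no such property.
    public static class OldRealmRepresentation {
        public String realm;
        public Boolean enabled;
    }

    // Constructed sample of a realm payload from a newer server.
    static final String NEWER_SERVER_JSON =
        "{\"realm\":\"onboarding\",\"enabled\":true,"
        + "\"webAuthnPolicyRpEntityName\":\"keycloak\"}";

    public static void main(String[] args) throws Exception {
        // Jackson's default has FAIL_ON_UNKNOWN_PROPERTIES enabled, so the
        // unknown field aborts deserialization, as in the controller log.
        ObjectMapper strict = new ObjectMapper();
        try {
            strict.readValue(NEWER_SERVER_JSON, OldRealmRepresentation.class);
            System.out.println("strict mapper accepted the payload");
        } catch (UnrecognizedPropertyException e) {
            System.out.println("strict mapper rejected field: " + e.getPropertyName());
        }

        // A lenient mapper hides the version drift instead of reporting it.
        ObjectMapper lenient = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        OldRealmRepresentation realm =
            lenient.readValue(NEWER_SERVER_JSON, OldRealmRepresentation.class);

        // Read-modify-write with the old class: the newer field is gone
        // from what would be sent back to the server.
        String writeBack = lenient.writeValueAsString(realm);
        System.out.println("write-back payload: " + writeBack);
        System.out.println("WebAuthn field preserved: "
            + writeBack.contains("webAuthnPolicyRpEntityName"));
    }
}
```

The strict failure is the safer of the two behaviours for a controller that rewrites realm configuration, which is why matching the client library version to the server version matters here.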

wistefan commented 4 years ago

Fixed by 2.0.0

Mattzr commented 4 years ago

Thanks for the fix. I still think it would be good to maintain a matrix of Keycloak compatibility versions!