redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0
110 stars, 60 forks

upgraded gocloak to v13.9.0 #308

Closed tanalam2411 closed 6 months ago

tanalam2411 commented 6 months ago

As per the issue mentioned in gocloak, gocloak is broken for Keycloak v17.0: need to remove /auth from the gocloak endpoint path. I have updated gocloak to its latest version (v13.9.0) to bring that fix into group-sync-operator.

Verified by creating a GroupSync CR for provider type keycloak:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"redhatcop.redhat.io/v1alpha1","kind":"GroupSync","metadata":{"annotations":{},"name":"keycloak-groupsync","namespace":"group-sync-operator"},"spec":{"providers":[{"keycloak":{"credentialsSecret":{"name":"keycloak-group-sync","namespace":"group-sync-operator"},"insecure":true,"loginRealm":"master","realm":"master","scope":"sub","url":"https://keycloak.lab.kubeapp.cloud"},"name":"keycloak"}]}}
  creationTimestamp: "2024-02-16T21:23:05Z"
  generation: 1
  name: keycloak-groupsync
  namespace: group-sync-operator
  resourceVersion: "9074428"
  uid: 7ae9fc86-f09c-46bd-8fe1-b7379fbe8480
spec:
  providers:
  - keycloak:
      credentialsSecret:
        kind: Secret
        name: keycloak-group-sync
        namespace: group-sync-operator
      insecure: true
      loginRealm: master
      realm: master
      scope: sub
      url: https://keycloak.lab.kubeapp.cloud
    name: keycloak
status:
  conditions:
  - lastTransitionTime: "2024-02-16T21:23:30Z"
    message: ""
    observedGeneration: 1
    reason: LastReconcileCycleSucceded
    status: "True"
    type: ReconcileSuccess
  lastSyncSuccessTime: "2024-02-16T21:23:30Z"

Observed logs:

1.708118585902769e+09  INFO    controllers.GroupSync   Beginning Sync  {"groupsync": "group-sync-operator/keycloak-groupsync", "Provider": "keycloak"}
1.7081185872111435e+09  INFO    syncer_keycloak Successfully Authenticated with Keycloak Provider
1.7081186109454274e+09  INFO    controllers.GroupSync   Sync Completed Successfully {"groupsync": "group-sync-operator/keycloak-groupsync", "Provider": "keycloak", "Groups Created or Updated": 9, "Groups Pruned": 0}
sabre1041 commented 6 months ago

@tanalam2411 thanks for the contribution. Will look into reviewing the PR soon.

In the meantime, the operator supports versions before and after v17.0. The Operator documentation for Keycloak highlights how to manage the configuration with both versions.

tanalam2411 commented 6 months ago

@tanalam2411 thanks for the contribution. Will look into reviewing the PR soon.

In the meantime, the operator supports versions before and after v17.0. The Operator documentation for Keycloak highlights how to manage the configuration with both versions.

As per the README, older versions (<17.0.0), including Red Hat SSO, should include the context path /auth appended to the hostname, and for newer versions (>17.0.0) of Keycloak or RHSSO we don't need to append /auth to the hostname, but gocloak (version v11.2.0) is itself appending /auth internally, which is causing this error "Unable to find matching target resource method" as a response from the Keycloak server. And this has been fixed in the current latest version of gocloak - https://github.com/Nerzal/gocloak/blob/v13.9.0/client.go#L183

sabre1041 commented 6 months ago

@tanalam2411 I just tested the currently released Group Sync Operator with the latest versions of Red Hat Single Sign-On and upstream Keycloak successfully

apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: keycloak-groupsync
  namespace: group-sync-operator
spec:
  providers:
    - keycloak:
        credentialsSecret:
          kind: Secret
          name: keycloak-group-sync
          namespace: group-sync-operator
        prune: false
        realm: master
        scope: sub
        url: 'https://keycloak.<apps_domain>'
      name: keycloak
    - keycloak:
        credentialsSecret:
          kind: Secret
          name: rhsso-group-sync
          namespace: group-sync-operator
        loginRealm: master
        prune: false
        realm: master
        scope: sub
        url: 'https://keycloak-rhsso.<apps_domain>/auth'
      name: keycloak
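
The exchange above turns on where the /auth context root comes from: a client that hardcodes it (as tanalam2411 describes for gocloak v11.2.0) works against Keycloak <17 but gets a 404 from Keycloak 17+, while a client that uses the base URL verbatim (the v13 behaviour) works for both as long as the caller appends /auth for old servers, which is what the second provider in the two-provider CR above does. The following Go program is an added example, not gocloak or group-sync-operator code: it models both client behaviours against a constructed test double of each server layout and checks the resulting status. It also shows what the `insecure: true` setting in the first CR corresponds to at the transport level, on the assumption that it maps to skipping TLS certificate verification; the `trust` parameter shows the alternative of trusting the server's CA explicitly. Realm, client id, client secret, token and server are constructed values; the 404 error text is the one quoted in the thread.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// keycloakLayout distinguishes the two URL layouts discussed in the thread.
type keycloakLayout int

const (
	layoutLegacy  keycloakLayout = iota // Keycloak <17 / RH-SSO: context root /auth
	layoutQuarkus                       // Keycloak >=17: no context root
)

// tokenEndpoint assembles the OIDC token endpoint the way a client library does:
// the base URL from spec.providers[].keycloak.url plus the realm path.
// clientAppendsAuth=true models a client that hardcodes "/auth" (the v11.2.0
// behaviour described above); false models one that uses the base URL as given,
// so the caller must include "/auth" for pre-17 servers.
func tokenEndpoint(base, realm string, clientAppendsAuth bool) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	segs := []string{strings.TrimSuffix(u.Path, "/")}
	if clientAppendsAuth {
		segs = append(segs, "auth")
	}
	segs = append(segs, "realms", realm, "protocol", "openid-connect", "token")
	u.Path = strings.Join(segs, "/")
	return u.String(), nil
}

// newFakeKeycloak is a constructed test double (not a real Keycloak). It serves a
// token only on the path its layout exposes and answers every other path with the
// 404 body quoted in the thread.
func newFakeKeycloak(layout keycloakLayout) *httptest.Server {
	prefix := ""
	if layout == layoutLegacy {
		prefix = "/auth"
	}
	mux := http.NewServeMux()
	mux.HandleFunc(prefix+"/realms/master/protocol/openid-connect/token", func(w http.ResponseWriter, r *http.Request) {
		_ = json.NewEncoder(w).Encode(map[string]string{"access_token": "constructed-token", "token_type": "Bearer"})
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNotFound)
		_ = json.NewEncoder(w).Encode(map[string]string{"error": "Unable to find matching target resource method"})
	})
	return httptest.NewTLSServer(mux)
}

// login posts client credentials to the token endpoint and returns the HTTP status
// and the server's "error" field (empty on success). trust is the CA pool used to
// verify the server certificate; insecure=true disables verification entirely,
// which is what this example assumes the CR's `insecure: true` amounts to.
func login(ctx context.Context, base, realm string, clientAppendsAuth bool, trust *x509.CertPool, insecure bool) (int, string, error) {
	endpoint, err := tokenEndpoint(base, realm, clientAppendsAuth)
	if err != nil {
		return 0, "", err
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: trust, InsecureSkipVerify: insecure}, //nolint:gosec // demonstrates the weak setting
	}}
	defer client.CloseIdleConnections()
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {"group-sync"}, "client_secret": {"constructed-secret"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	var body struct {
		Error string `json:"error"`
	}
	_ = json.NewDecoder(resp.Body).Decode(&body)
	return resp.StatusCode, body.Error, nil
}

func main() {
	srv := newFakeKeycloak(layoutQuarkus) // a Keycloak 17+ style server
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust the server's CA instead of insecure=true
	for _, appends := range []bool{true, false} {
		st, msg, err := login(context.Background(), srv.URL, "master", appends, pool, false)
		fmt.Printf("client appends /auth=%v -> status=%d error=%q err=%v\n", appends, st, msg, err)
	}
}
```

Run as-is and the first line reproduces the failure reported in this PR (a hardcoded /auth against a 17+ server gives 404 with the quoted error), the second succeeds. Pointing the same code at a legacy-layout server shows the other half of the README rule: the caller has to supply /auth in the base URL when the client no longer adds it. The `pool` argument is the configuration worth carrying into production; `insecure=true` works against any certificate, including one presented by whoever sits between the operator and Keycloak.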
tanalam2411 commented 6 months ago

@tanalam2411 I just tested the currently released Group Sync Operator with the latest versions of Red Hat Single Sign-On and upstream Keycloak successfully

apiVersion: redhatcop.redhat.io/v1alpha1
kind: GroupSync
metadata:
  name: keycloak-groupsync
  namespace: group-sync-operator
spec:
  providers:
    - keycloak:
        credentialsSecret:
          kind: Secret
          name: keycloak-group-sync
          namespace: group-sync-operator
        prune: false
        realm: master
        scope: sub
        url: 'https://keycloak.<apps_domain>'
      name: keycloak
    - keycloak:
        credentialsSecret:
          kind: Secret
          name: rhsso-group-sync
          namespace: group-sync-operator
        loginRealm: master
        prune: false
        realm: master
        scope: sub
        url: 'https://keycloak-rhsso.<apps_domain>/auth'
      name: keycloak

Yes, it's working; tested on a different cluster and it worked for upstream Keycloak. @sabre1041 should we keep this PR, as it's updating gocloak's version and doesn't have any major impacting change?