feat: implement proxy for request visibility and extend reconcile status (#34)

* feat: proxy keycloak requests and extend status information

* doc: update readme

* refactor: ignore returns

* fix: bump chart

* feat: add trace span attribute for realm and namespace

* build: tidy

* fix: set USER env

Author: raffis

Dockerfile

@@ -25,5 +25,6 @@ COPY --from=builder /workspace/manager .
 USER 65532:65532
 COPY assets /assets
 ENV ASSETS_PATH="/assets"
+ENV USER k8skeycloak-controller
 
 ENTRYPOINT ["/manager"]

Dockerfile.release

@@ -6,5 +6,6 @@ COPY manager manager
 USER 65532:65532
 COPY assets /assets
 ENV ASSETS_PATH="/assets"
+ENV USER k8skeycloak-controller
 
 ENTRYPOINT ["/manager"]

README.md

@@ -122,6 +122,9 @@ Available env variables:
 | `NAMESPACES` | The controller listens by default for all namespaces. This may be limited to a comma delimted list of dedicated namespaces. | `` |
 | `CONCURRENT` | The number of concurrent reconcile workers.  | `4` |
 | `ASSETS_PATH` | The directory where to look for keycloak-config-cli | `/assets` |
+| `OTEL_EXPORTER_OTLP_ENDPOINT` | The gRPC opentelemtry-collector endpoint uri | `` |
+
+**Note:** The proxy implements opentelemetry tracing, see [further possible env](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/) variables to configure it.
 
 ## Dealing with managed realms
 

api/v1beta1/keycloakclient_types.go

@@ -11,8 +11,7 @@ type KeycloakClient struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   KeycloakClientSpec   `json:"spec,omitempty"`
-	Status KeycloakClientStatus `json:"status,omitempty"`
+	Spec KeycloakClientSpec `json:"spec,omitempty"`
 }
 
 // KeycloakClientList contains a list of KeycloakClient.
@@ -35,21 +34,7 @@ type KeycloakClientSpec struct {
 	RealmSelector *metav1.LabelSelector `json:"realmSelector"`
 	// Keycloak Client REST object.
 	// +kubebuilder:validation:Required
-	Client *KeycloakAPIClient `json:"client"`
-	// Client Roles
-	// +optional
-	// +listType=map
-	// +listMapKey=name
-	Roles []RoleRepresentation `json:"roles,omitempty"`
-	// Scope Mappings
-	// +optional
-	ScopeMappings *MappingsRepresentation `json:"scopeMappings,omitempty"`
-	// Service account realm roles for this client.
-	// +optional
-	ServiceAccountRealmRoles []string `json:"serviceAccountRealmRoles,omitempty"`
-	// Service account client roles for this client.
-	// +optional
-	ServiceAccountClientRoles map[string][]string `json:"serviceAccountClientRoles,omitempty"`
+	Client KeycloakAPIClient `json:"client"`
 }
 
 // https://www.keycloak.org/docs-api/11.0/rest-api/index.html#_mappingsrepresentation
@@ -372,18 +357,3 @@ type KeycloakScope struct {
 	// +optional
 	Resources []KeycloakResource `json:"resources,omitempty"`
 }
-
-// KeycloakClientStatus defines the observed state of KeycloakClient
-// +k8s:openapi-gen=true
-type KeycloakClientStatus struct {
-	// Conditions holds the conditions for the KeycloakRealm.
-	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
-
-	// ObservedGeneration is the last generation reconciled by the controller
-	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
-
-	// LastExececutionOutput is the stdout dump of keycloak-config-cli
-	// +optional
-	LastExececutionOutput string `json:"lastExececutionOutput,omitempty"`
-}

api/v1beta1/keycloakrealm_types.go

@@ -52,7 +52,7 @@ func init() {
 // KeycloakRealmSpec defines the desired state of KeycloakRealm
 type KeycloakRealmSpec struct {
 	// +required
-	Address string `json:"address"`
+	Address string `json:"address,omitempty"`
 
 	// Contains a credentials set of a user with enough permission to manage keycloak
 	// +optional
@@ -103,9 +103,35 @@ type KeycloakRealmStatus struct {
 	// ObservedGeneration is the last generation reconciled by the controller
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 
-	// LastExececutionOutput is the stdout dump of keycloak-config-cli
+	// LastExececutionOutput failed requests
 	// +optional
 	LastExececutionOutput string `json:"lastExececutionOutput,omitempty"`
+
+	// LastReconcileDuration is the total time the reconcile of the realm took
+	LastReconcileDuration metav1.Duration `json:"lastReconcileDuration,omitempty"`
+
+	// LastFailedRequests failed requests
+	// +optional
+	LastFailedRequests []RequestStatus `json:"lastFailedRequests,omitempty"`
+
+	// SubResourceCatalog holds references to all sub resources including KeycloakClient and KeycloakUser associated with this realm
+	SubResourceCatalog []ResourceReference `json:"subResourceCatalog,omitempty"`
+}
+
+// ResourceReference metadata to lookup another resource
+type ResourceReference struct {
+	Kind       string `json:"kind,omitempty"`
+	Name       string `json:"name,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty"`
+}
+
+// RequestStatus knows details about a keycloak API request
+type RequestStatus struct {
+	URL          string `json:"url,omitempty"`
+	Verb         string `json:"verb,omitempty"`
+	ResponseCode int    `json:"responseCode,omitempty"`
+	ResponseBody string `json:"responseBody,omitempty"`
+	Error        string `json:"error,omitempty"`
 }
 
 // KeycloakRealmNotReady
@@ -146,16 +172,16 @@ type KeycloakAPIRealm struct {
 	PasswordPolicy string `json:"passwordPolicy,omitempty"`
 	// A set of Keycloak Users.
 	// +optional
-	Users []*KeycloakAPIUser `json:"users,omitempty"`
+	Users []KeycloakAPIUser `json:"users,omitempty"`
 	// A set of Keycloak Clients.
 	// +optional
-	Clients []*KeycloakAPIClient `json:"clients,omitempty"`
+	Clients []KeycloakAPIClient `json:"clients,omitempty"`
 	// A set of Identity Providers.
 	// +optional
-	IdentityProviders []*KeycloakIdentityProvider `json:"identityProviders,omitempty"`
+	IdentityProviders []KeycloakIdentityProvider `json:"identityProviders,omitempty"`
 	// A set of Identity Provider Mappers.
 	// +optional
-	IdentityProviderMappers []*KeycloakIdentityProviderMapper `json:"identityProviderMappers,omitempty"`
+	IdentityProviderMappers []KeycloakIdentityProviderMapper `json:"identityProviderMappers,omitempty"`
 	// A set of Event Listeners.
 	// +optional
 	EventsListeners []string `json:"eventsListeners,omitempty"`

api/v1beta1/keycloakuser_types.go

@@ -14,8 +14,7 @@ type KeycloakUser struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   KeycloakUserSpec   `json:"spec,omitempty"`
-	Status KeycloakUserStatus `json:"status,omitempty"`
+	Spec KeycloakUserSpec `json:"spec,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -31,37 +30,6 @@ func init() {
 	SchemeBuilder.Register(&KeycloakUser{}, &KeycloakUserList{})
 }
 
-// KeycloakUserStatus defines the observed state of KeycloakUser
-type KeycloakUserStatus struct {
-	// Conditions holds the conditions for the KeycloakUser.
-	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty"`
-
-	// ObservedGeneration is the last generation reconciled by the controller
-	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
-
-	// LastExececutionOutput is the stdout dump of keycloak-config-cli
-	// +optional
-	LastExececutionOutput string `json:"lastExececutionOutput,omitempty"`
-}
-
-// KeycloakUserNotReady
-func KeycloakUserNotReady(realm KeycloakUser, reason, message string) KeycloakUser {
-	setResourceCondition(&realm, ReadyCondition, metav1.ConditionFalse, reason, message)
-	return realm
-}
-
-// KeycloakUserReady
-func KeycloakUserReady(realm KeycloakUser, reason, message string) KeycloakUser {
-	setResourceCondition(&realm, ReadyCondition, metav1.ConditionTrue, reason, message)
-	return realm
-}
-
-// GetStatusConditions returns a pointer to the Status.Conditions slice
-func (in *KeycloakUser) GetStatusConditions() *[]metav1.Condition {
-	return &in.Status.Conditions
-}
-
 // KeycloakUserSpec defines the desired state of KeycloakUser.
 // +k8s:openapi-gen=true
 type KeycloakUserSpec struct {
@@ -120,6 +88,7 @@ type KeycloakAPIUser struct {
 
 	DisableableCredentialTypes []string `json:"disableableCredentialTypes,omitempty"`
 	ServiceAccountClientId     string   `json:"serviceAccountClientId,omitempty"`
+	TOTP                       bool     `json:"totp,omitempty"`
 }
 
 type KeycloakCredential struct {