Baseline for Keycloak deployment in operator

[vmuzikar]

Limitations that will be addressed as a follow-up:

• No clustering support (Clustering support in operator #9730)
• Pod Templates are not implemented in the controller (Pod Templates in operator #9729)
• No tests (Testsuite baseline #9174)

Resolves #9171, resolves #9552

[andreaTP]

First round of review finished!

Great work @vmuzikar !

I like the overall structure and especially the State management, although I think we should try to avoid introducing (so early!) complexities like WatchedResourcesStore and the custom "Vault" integration relying respectively on the capabilities of the Java SDK and the standard K8s API.

[andreaTP]

Can we agree on one logging framework and stick with it? I don't really mind which as long as is one.

[vmuzikar]

It is still the same logging framework coming from Quarkus. It's just using static methods and not CDI. I realized CDI approach is pretty stupid for logging as we don't have everything as beans and passing deps manually is a mess. This is an elegant way offered by Quarkus and we should stick with it everywhere.

[andreaTP]

Do we mind that, in this same codebase, the Keycloak Quarkus distribution takes a different approach?

[andreaTP]

this is still valid, but I don't have a super strong opinion against, feel free to mark this as Resolved if we don't care about consistency in this codebase.

[vmuzikar]

Well, AFAIK rest of the KC can't fully utilize Quarkus features (due to WF), that includes the logging. In the operator we can use what Quarkus provides.

[andreaTP]

why we have this if? IIRC UID spans over different namespaces

[vmuzikar]

Cross-namespace owner references are disallowed by design. Namespaced dependents can specify cluster-scoped or namespaced owners.

https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/

[andreaTP]

In this case I would throw an exception instead of silently ignoring.

[andreaTP]

this comment instead is still valid, can you, please, either remove the condition at all or throw an Exception instead of silently returning?

[vmuzikar]

What if we have a managed resource in different namespace than the CR? We surely want to support those scenarios. Of course, the resources then would have to be "manually" removed by the Operator upon CR deletion.

[andreaTP]

correct, but the early return doesn't solve this either ...

[vmuzikar]

So what do you suggest exactly? For sure throwing an exception is not a solution in context of this method. Of course, for true support for foreign resources located in other namespaces we'd need to implement additional logic.

In any case, I'm pretty sure this gets refactored sooner or later when the Dependent Resources are ready in the SDK.

[andreaTP]

I would completely remove this condition as it's misleading and not used ATM, but not anything blocking 👍

[vmuzikar]

@andreaTP Thank you for your review! I hopefully answered all the comments. :)

[vmuzikar]

I removed the watched resources store (i.e. the Deployment won't be restarted on secret change). But I decided not to change the format for referring Secrets (${secret:...) for now as it would create even bigger difference between local configuration using conf files and configuration using CRs. Because we'd need to use name and values separately.

[andreaTP]

@vmuzikar Great update! 👏

A few more comments, but only one important regarding the(missing or I missed it 🙂 ) condition for recreating the Deployment, all the rest is totally in the right direction!

[andreaTP]

this is still valid, but I don't have a super strong opinion against, feel free to mark this as Resolved if we don't care about consistency in this codebase.

[andreaTP]

this comment instead is still valid, can you, please, either remove the condition at all or throw an Exception instead of silently returning?

[andreaTP]

LGTM, totally good enough to start iterating! 💯

[jonathanvila]

Probably using other variables names could make this less confusing ? wdyt ?

[vmuzikar]

Ok, unified the naming of the local variable with the field name.

[jonathanvila]

I would suggest to move this out to another PR

[vmuzikar]

👍

[jonathanvila]

I would suggest another naming, as every element created by the operator are operands .... so probably operator.operand.keycloakImage could be clearer ? wdyt ?

[vmuzikar]

Renamed to operator.keycloak.image. WDYT?

[jonathanvila]

👍

[jonathanvila]

should we always prefix the operands with the cr name ? or at least with keycloak ? In the same namespace the user could have another postgresql-db for other purposes. Wdyt ?

[vmuzikar]

This is actually not an operand. ;) It's just a helper deployment for devs to easily deploy KC with external DB.

[jonathanvila]

Yes you are right....I see what you mean.

[vmuzikar]

@jonathanvila Thanks for the review! I pushed requested changes and rebased on top of master. Will squash the commits once I have a final approval from you and @andreaTP.

[andreaTP]

LGTM

[jonathanvila]

LGTM 👍

[vmuzikar]

I squashed the commits.

[AndrewFarley]

Please forgive me if this is a silly question, but can I ask if/when this will make it into a release of Keycloak-X? I'd like to have a reasonable probe in Kubernetes instead of just a tcpProbe. I can't see this being functional on the latest docker image, 16.1.1, or perhaps the question should instead be when will the docker images be updated eg: to the 17.0.1 release from yesterday?

[andreaTP]

Hi @AndrewFarley this operator will be included as preview in the next Keycloak release:
https://www.keycloak.org/2022/03/releases