Reconcile authorization service settings after client roles reconciliation

[kereis]

Description

The Client CRD includes settings for authorization services. When an authorization policy contains a check for a required role, then the reconciliation will fail as client roles are reconciled after client reconciliation. I've seen that it affects the creation of new clients only.

Discussion

No response

Motivation

Besides Client CR, there's no other way to provide authorization settings to the operator/Keycloak.

Details

In

keycloak-realm-operator/pkg/controller/keycloakclient/keycloakclient_reconciler.go

Line 31 in f0b2224

func (i *KeycloakClientReconciler) Reconcile(state *common.ClientState, cr *kc.KeycloakClient) common.DesiredClusterState {

we can see that clients are reconciled first before client roles.

keycloak-realm-operator/pkg/controller/keycloakclient/keycloakclient_reconciler.go

Lines 35 to 59 in f0b2224

	if cr.DeletionTimestamp != nil {
	desired.AddAction(i.getDeletedClientState(state, cr))
	return desired
	}
	if state.Client == nil {
	desired.AddAction(i.getCreatedClientState(state, cr))
	} else {
	desired.AddAction(i.getUpdatedClientState(state, cr))
	}
	if state.ClientSecret == nil {
	desired.AddAction(i.getCreatedClientSecretState(state, cr))
	} else {
	desired.AddAction(i.getUpdatedClientSecretState(state, cr))
	}
	if state.DeprecatedClientSecret != nil {
	// Delete client secret created using the previous naming scheme, i.e., keycloak-client-secret-<CLIENT_ID>.
	// See GH issue #473 and KEYCLOAK-18346.
	desired.AddAction(i.getDeletedDeprecatedClientSecretState(state, cr))
	}
	i.ReconcileRoles(state, cr, &desired)

We need to split authorizationSettings from the client reconciliation process and extract it to its own reconciliation logic. Then, that extracted logic should be called after client roles (or default client roles) reconciliation.

Ideally, keycloak/keycloak#16998 should be resolved in advance.