CRD generation from RealmRepresentation

[andreaTP]

This is the first step for #9172

Resolves #9787

those are the changes to the model needed successfully generate a CRD for the operator.

[andreaTP]

Due to limitations in the CRD schema we should limit the recursive subGroups to a finite number.
What would be a reasonable number of allowed, nested, subGroups?
cc. @stianst @pedroigor

[andreaTP]

Due to limitations in the CRD schema we should limit the recursive subComponents to a finite number.
What would be a reasonable number of allowed, nested, subComponents?
cc. @stianst @pedroigor

[andreaTP]

Transitive update from the kubernetes-client (the old version breaks)

[hmlnarik]

Jackson version needs to honor quarkus / wildfly versions and cannot be changed for the sake of an added library local to a part of the project. See e.g. quarkus/pom.xml on how to override library versions should this be necessary.

[andreaTP]

Instead of adding this unused field I would be happy to remove the following accessors, unfortunately, the latter is a breaking change for the import/export functionality.
cc. @stianst @pedroigor

[vmuzikar]

I'm probably missing something, but why do you need to remove a simple boolean field?

[andreaTP]

Here we are adding back the field, that remains unused, since it's emitted by the Json serialization.
If we don't add it, you would need to remove all the relevant fields autheticatorFlow (WITH the typo) from the exported RealmRepresentation before importing it as a CR.

[andreaTP]

@stianst this is the only change in the core I'm leaving, as far as I can tell it should be ok, but let me know if I have to duplicate even this file.

[jonathanvila]

I'm a bit lost here. I see files in the test folder, but I haven't found any proper Test checking the changes. Can you clarify ?

[andreaTP]

I'm a bit lost here. I see files in the test folder, but I haven't found any proper Test checking the changes. Can you clarify ?

Sure, the files in the test folder will make the compilation fail if the CRD can't be generated.

[jonathanvila]

LGTM

[vmuzikar]

@andreaTP Thanks, nice job! ;)

@iankko @pskopek Could you please double check that the dependencies changes (potentially affecting the whole project) are ok?

[vmuzikar]

Where is this dep used? We don't have any tests.

[andreaTP]

This is generating a CRD in the test scope.

[vmuzikar]

I'm probably missing something, but why do you need to remove a simple boolean field?

[vmuzikar]

I know that eventually realm really is not null but I'm not sure if in some cases it really cannot be null in the process.

[andreaTP]

Happy to move the NotNull to the id if it's needed.
Just waiting for a nudge from someone 🙂

[vmuzikar]

Does it mean we won't support policies here?

[andreaTP]

Correct, according to @pedroigor it's not needed.

[vmuzikar]

Doe it meant we won't support resources here?

[andreaTP]

Correct, according to @pedroigor it's not needed.

[vmuzikar]

I hate that we need to have another Group representation just without sub-groups. It feels very error prone as changes in the main class could be easily forgot to be ported here. But I guess we don't have many options, right?

[andreaTP]

But I guess we don't have many options, right?

In other parts of this repository we are generating those things using annotation processors, that would be a cleaner option but will require a little time investment.

[vmuzikar]

This should not be part of the final PR. This belongs to the operator.

[andreaTP]

This is in the test scope, and guarantees that the model can generate a CRD without throwing exceptions at compile time. It's actually a "compile-time" regression test.

[vmuzikar]

This should not be part of the final PR. This belongs to the operator.

[andreaTP]

As above, I do believe that checking the CRD generation in this module is extremely good for debugging purposes.

[vmuzikar]

@andreaTP One more thing. Could you please create a separate GH Issue for this?

[andreaTP]

@vmuzikar ready for next round 👍

[hmlnarik]

Thank you for the PR.

I like the idea of generating CRDs from representations. I don't think this approach is valid though for the following reasons:

• The approach adds new dependencies to keycloak core, meaning that all distributed artifacts (including adapters) would need another set of libraries
• The approach changes Keycloak representations for the sake of single technology (operator) in a way that is bringing in additional complexity for every other component (REST endpoints, storage).
• This also affects future storage ability to generate representations automatically, which is one of the future goals of storage work

Can the CRD generation be kept local to the operator module?

[andreaTP]

Hi @hmlnarik ! Thanks a lot for sharing your valuable POV!

Let me iterate on your observations:

The approach adds new dependencies to keycloak core, meaning that all distributed artifacts (including adapters) would need another set of libraries

This is not correct, in this PR, the only change of transitive dependencies is the bump of Jackson.
The other two libraries added are marked as provided so that they are needed only at compile time of this module but not included in the transitive dependencies.

The approach changes Keycloak representations for the sake of single technology (operator) in a way that is bringing in additional complexity for every other component (REST endpoints, storage).

All the changes in this PR are strictly NOT affecting the current representation that remains forward and backward compatible. The additions are also not affecting in any sense the usage of the representation in other modules (as demonstrated by the complete source compatibility).
Please note that the underlying reason for those changes is to break recursive data structures solely for the seek of CRD generation (they are not representable in OpenAPI v3).
I would argue that having a model with no recursive data structures is actually a simplification in a good direction (e.g. compatibility with OpenAPI v3) and we might want to tend to it in the future (removing the necessity for the additional annotations and alternative classes).

This also affects future storage ability to generate representations automatically, which is one of the future goals of storage work

I fail to see how, can you please elaborate how adding opt-in annotations for generating a correct CRD is breaking other workflows?

Can the CRD generation be kept local to the operator module?

Only with major hacks/tooling, having the ability to do those kind of changes is the main reason for having the operator in this repository.

[stianst]

Core module is used both for the server and the adapters, and can't have these additional dependencies added I'm afraid.

[andreaTP]

@stianst @hmlnarik @vmuzikar
I think this is ready for next round.

Changed the approach to include keycloak-core from sources instead of depending on it, with some Maven juggling.
This imply having to duplicate all the Java source files that need to be "patched", I hope we can revisit this approach in the future.

[vmuzikar]

@andreaTP Thanks for the update. Even though it's a nasty workaround, it is good enough for the operator prototype. We for sure need more permanent solution (to "annotate" the fields in a different way) before releasing the operator.

[andreaTP]

@vmuzikar here you have an alternative approach using sed in a bash script:
https://github.com/andreaTP/keycloak/pull/3/files

there are pro/cons in respect to the current approach ... check out which one is preferred.

[vmuzikar]

@andreaTP +1
The sed approach seems a little bit cleaner to me. More than good enough for the prototype.

[vmuzikar]

@andreaTP Changes LGTM now. But I'm not able to test them. Running mvn package as usually doesn't generate the new CRD. Am I doing something wrong?

[andreaTP]

@vmuzikar running from the top folder of the repo:

mvn clean compile -f operator/pom.xml

generates the CRDs in e.g. operator/target/classes/META-INF/fabric8/realms.keycloak.org-v1.yml, the Realm CRD is not copied to the kubernetes folder since it doesn't have an associated Controller (just yet) reference.