CRD generation from RealmRepresentation #9759
protected List<String> realmRoles; | ||
protected Map<String, List<String>> clientRoles; | ||
// TODO: eventually generate code for Nth levels of depth | ||
// protected List<GroupRepresentation> subGroups; |
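Review bot: the commented-out `subGroups` declaration on the last line should not be merged as dead code, and the TODO above it names neither a tracking issue nor the depth that is planned. Either delete the commented line or replace it with a bounded representation, and say in the TODO what happens to nested groups while the field is commented out, so that a realm with sub-groups is not trimmed without anyone noticing.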
Due to limitations in the CRD schema we should limit the recursive subGroups to a finite number.
What would be a reasonable number of allowed, nested, subGroups?
cc. @stianst @pedroigor
private String providerId; | ||
private String subType; | ||
// TODO: eventually generate code for Nth levels of depth | ||
// private MultivaluedHashMap<String, ComponentExportRepresentation> subComponents = new MultivaluedHashMap<>(); |
Due to limitations in the CRD schema we should limit the recursive subComponents to a finite number.
What would be a reasonable number of allowed, nested, subComponents?
cc. @stianst @pedroigor
pom.xml
Outdated
@@ -81,7 +81,7 @@ | |||
<infinispan.version>12.1.7.Final</infinispan.version> | |||
<infinispan.protostream.processor.version>4.4.1.Final</infinispan.protostream.processor.version> | |||
<javax.annotation-api.version>1.3.2</javax.annotation-api.version> | |||
<jackson.version>2.12.1</jackson.version> | |||
<jackson.version>2.13.1</jackson.version> |
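Review bot: the `jackson.version` property changes from 2.12.1 to 2.13.1 with no comment saying which dependency requires it, and because the property sits in the top-level pom.xml every module that reads it moves with it. Record the reason next to the property, or override the version only in the module that needs the newer Jackson, and check the resolved tree with `mvn dependency:tree` before merging.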
Transitive update from the kubernetes-client (the old version breaks)
Jackson version needs to honor quarkus / wildfly versions and cannot be changed for the sake of an added library local to a part of the project. See e.g. quarkus/pom.xml on how to override library versions should this be necessary.
@@ -67,6 +67,9 @@ public void setPriority(int priority) { | |||
* | |||
* @return | |||
*/ | |||
@Deprecated | |||
private boolean autheticatorFlow; |
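Review bot: the new `@Deprecated private boolean autheticatorFlow;` is inserted directly under the Javadoc block that ends in `@return`, so that comment now attaches to the field instead of the accessor it was written for. Move the field above the Javadoc, and add a one-line comment saying that the spelling `autheticatorFlow` is deliberate and why the field exists, since nothing in the hunk reads or writes it.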
Instead of adding this unused field I would be happy to remove the following accessors, unfortunately, the latter is a breaking change for the import/export functionality.
cc. @stianst @pedroigor
I'm probably missing something, but why do you need to remove a simple boolean field?
Here we are adding back the field, that remains unused, since it's emitted by the Json serialization.
If we don't add it, you would need to remove all the relevant fields autheticatorFlow (WITH the typo) from the exported RealmRepresentation before importing it as a CR.
@stianst this is the only change in the core I'm leaving, as far as I can tell it should be ok, but let me know if I have to duplicate even this file.
...src/main/java/org/keycloak/representations/overrides/NoSubGroupsGroupRepresentationList.java
Outdated
I'm a bit lost here. I see files in the test folder, but I haven't found any proper Test checking the changes. Can you clarify?
Sure, the files in the
LGTM
core/pom.xml
Outdated
<dependency> | ||
<groupId>io.fabric8</groupId> | ||
<artifactId>crd-generator-apt</artifactId> | ||
<scope>test</scope> | ||
</dependency> |
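Review bot: the `crd-generator-apt` dependency carries no `<version>`, so the build relies on a managed version declared elsewhere; confirm it is pinned in a `dependencyManagement` section that this module inherits. A short XML comment saying that this annotation processor is only on the test classpath, and what it generates there, would also explain why it appears in this pom.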
Where is this dep used? We don't have any tests.
This is generating a CRD in the test scope.
@@ -42,6 +44,7 @@ | |||
private static final Logger logger = Logger.getLogger(RealmRepresentation.class); | |||
|
|||
protected String id; | |||
@NotNull |
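Review bot: `@NotNull` on the last line annotates whichever declaration follows it, and that declaration is outside the hunk, so the constrained field cannot be confirmed from the diff. Add a comment naming the field and saying whether the constraint is meant only for schema generation or is also expected to be validated at runtime, because marking a field required when it can be null at some stage would reject input that is otherwise valid.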
I know that eventually realm really is not null but I'm not sure if in some cases it really cannot be null in the process.
Happy to move the NotNull to the id if it's needed.
Just waiting for a nudge from someone 🙂
@@ -33,7 +34,9 @@ | |||
private String id; | |||
private String name; | |||
private String iconUri; | |||
@SchemaFrom(type = java.lang.Void.class) |
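Review bot: `@SchemaFrom(type = java.lang.Void.class)` on the last line gives no hint of its intended effect, and the field it applies to is outside the hunk. Add a comment stating what the generated schema should contain for that field and why, and drop the `java.lang.` qualifier, since `Void` needs no import.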
Does it mean we won't support policies here?
Correct, according to @pedroigor it's not needed.
private List<PolicyRepresentation> policies; | ||
@SchemaFrom(type = java.lang.Void.class) |
Does it mean we won't support resources here?
Correct, according to @pedroigor it's not needed.
import java.util.List; | ||
import java.util.Map; | ||
|
||
public class NoSubGroupsGroupRepresentation { |
I hate that we need to have another Group representation just without sub-groups. It feels very error prone as changes in the main class could easily be forgotten to be ported here. But I guess we don't have many options, right?
But I guess we don't have many options, right?
In other parts of this repository we are generating those things using annotation processors, that would be a cleaner option but will require a little time investment.
// Result is available at: target/test-classes/META-INF/fabric8/examplerealmcrds.keycloak.org-v1.yml | ||
@Group("keycloak.org") | ||
@Version("v1alpha1") | ||
public class ExampleRealmCRD extends CustomResource<ExampleRealmCRDSpec, Void> implements Namespaced { |
This should not be part of the final PR. This belongs to the operator.
This is in the test scope, and guarantees that the model can generate a CRD without throwing exceptions at compile time. It's actually a "compile-time" regression test.
|
||
import javax.validation.constraints.NotNull; | ||
|
||
public class ExampleRealmCRDSpec { |
This should not be part of the final PR. This belongs to the operator.
As above, I do believe that checking the CRD generation in this module is extremely good for debugging purposes.
@andreaTP One more thing. Could you please create a separate GH Issue for this?
@vmuzikar ready for next round 👍
Thank you for the PR.
I like the idea of generating CRDs from representations. I don't think this approach is valid though for the following reasons:
- The approach adds new dependencies to keycloak core, meaning that all distributed artifacts (including adapters) would need another set of libraries
- The approach changes Keycloak representations for the sake of a single technology (operator) in a way that is bringing in additional complexity for every other component (REST endpoints, storage).
- This also affects future storage ability to generate representations automatically, which is one of the future goals of storage work
Can the CRD generation be kept local to the operator module?
Hi @hmlnarik ! Thanks a lot for sharing your valuable POV! Let me iterate on your observations:
This is not correct, in this PR, the only change of transitive dependencies is the bump of Jackson.
All the changes in this PR are strictly NOT affecting the current representation that remains forward and backward compatible. The additions are also not affecting in any sense the usage of the representation in other modules (as demonstrated by the complete source compatibility).
I fail to see how, can you please elaborate how adding opt-in annotations for generating a correct CRD is breaking other workflows?
Only with major hacks/tooling, having the ability to do those kinds of changes is the main reason for having the
Core module is used both for the server and the adapters, and can't have these additional dependencies added I'm afraid.
@stianst @hmlnarik @vmuzikar Changed the approach to include
@andreaTP Thanks for the update. Even though it's a nasty workaround, it is good enough for the operator prototype. We for sure need a more permanent solution (to "annotate" the fields in a different way) before releasing the operator.
@vmuzikar here you have an alternative approach using there are pro/cons in respect to the current approach ... check out which one is preferred.
@andreaTP +1
Patching keycloak-core with sed
@andreaTP Changes LGTM now. But I'm not able to test them. Running mvn package as usual doesn't generate the new CRD. Am I doing something wrong?
@vmuzikar running from the top folder of the repo: mvn clean compile -f operator/pom.xml generates the CRDs in e.g.
Enabling CRD generation from RealmRepresentation
Closes keycloak#9759
This is the first step for #9172
Resolves #9787
Those are the changes to the model needed to successfully generate a CRD for the operator.