
prevent creation of an IDP resource that would lead to an already existing Keycloak realm#318

Merged
makdeniss merged 16 commits into main from feat/prevent-creation-idp
Feb 20, 2026

Conversation

@makdeniss
Contributor

@makdeniss makdeniss commented Feb 3, 2026

Add a validating admission webhook to block creation of IdentityProviderConfiguration resources when the corresponding Keycloak realm already exists (and always block master), preventing cross-workspace realm takeover/conflicts.

Changes Log

  • Added IdentityProviderConfiguration validating webhook (controller-runtime managed webhook builder) that denies CREATE for realm master and for realms that already exist in Keycloak (fail-closed on Keycloak check errors).
  • Extended Keycloak admin client to support the webhook’s realm-existence check.
  • Wired webhook server/config into the operator.
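The admission decision the description above outlines, written out as an added Go example that is not the operator's code: a CustomValidator-style ValidateCreate over an assumed RealmChecker interface standing in for the extended Keycloak admin client, exercised against a constructed in-memory fake. The CRD struct, its Realm field, the RealmExists method name and the error messages are assumptions; the controller-runtime webhook-builder wiring is left out so the block runs with the standard library alone. The point it shows is the fail-closed branch: a Keycloak lookup error denies the request instead of letting an outage become a bypass of the realm-takeover check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// RealmChecker abstracts the one Keycloak admin client call the webhook needs:
// "does a realm with this name already exist?". The operator's real method is
// not shown on the PR page, so this interface is an assumption.
type RealmChecker interface {
	RealmExists(ctx context.Context, realm string) (bool, error)
}

// IdentityProviderConfiguration is a minimal stand-in for the operator's CRD.
// Only the realm name matters for the decision; the field name is assumed.
type IdentityProviderConfiguration struct {
	Name  string
	Realm string
}

// The two policy denials described in the PR.
var (
	ErrMasterRealm = errors.New("realm \"master\" is reserved and cannot be managed")
	ErrRealmExists = errors.New("realm already exists in Keycloak")
)

// ValidateCreate mirrors the shape of controller-runtime's CustomValidator
// ValidateCreate: deny master, deny realms that already exist, and deny
// (fail closed) when the existence check itself errors. nil means "allow".
func ValidateCreate(ctx context.Context, kc RealmChecker, idp *IdentityProviderConfiguration) error {
	if idp.Realm == "" {
		return errors.New("spec.realm must not be empty")
	}
	if idp.Realm == "master" {
		return ErrMasterRealm
	}
	exists, err := kc.RealmExists(ctx, idp.Realm)
	if err != nil {
		// Fail closed: an unreachable or erroring Keycloak must not turn into
		// an allow, otherwise an outage disables the takeover protection.
		return fmt.Errorf("could not verify realm %q in Keycloak, denying creation: %w", idp.Realm, err)
	}
	if exists {
		return fmt.Errorf("%w: %q", ErrRealmExists, idp.Realm)
	}
	return nil
}

// fakeKeycloak is a constructed in-memory stand-in for the admin client.
type fakeKeycloak struct {
	realms map[string]bool
	down   bool // simulate the admin API being unreachable
}

func (f *fakeKeycloak) RealmExists(_ context.Context, realm string) (bool, error) {
	if f.down {
		return false, errors.New("keycloak admin API unreachable")
	}
	return f.realms[realm], nil
}

func main() {
	ctx := context.Background()
	kc := &fakeKeycloak{realms: map[string]bool{"tenant-a": true}}
	for _, realm := range []string{"master", "tenant-a", "tenant-b"} {
		err := ValidateCreate(ctx, kc, &IdentityProviderConfiguration{Name: "idp", Realm: realm})
		fmt.Printf("realm=%-9s allowed=%-5v err=%v\n", realm, err == nil, err)
	}
	kc.down = true
	err := ValidateCreate(ctx, kc, &IdentityProviderConfiguration{Name: "idp", Realm: "tenant-b"})
	fmt.Printf("keycloak down: allowed=%v err=%v\n", err == nil, err)
}
```

Inside a real controller-runtime webhook the returned error becomes the admission denial message, and the same checker would be called from the operator's registered validator rather than from main; the decision table above is what the PR's "fail-closed on Keycloak check errors" wording commits to.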

@makdeniss makdeniss self-assigned this Feb 3, 2026
@makdeniss makdeniss added the enhancement New feature or request label Feb 3, 2026
@makdeniss makdeniss requested a review from OlegErshov February 3, 2026 15:46
@makdeniss makdeniss moved this to In Progress in OpenMesh - Backlog Feb 3, 2026
@makdeniss makdeniss changed the title from "feat: prevent creation of an IDP resource that would lead to an already existing Keycloak realm" to "prevent creation of an IDP resource that would lead to an already existing Keycloak realm" Feb 4, 2026
@makdeniss makdeniss marked this pull request as ready for review February 6, 2026 15:14
Comment thread internal/config/config.go Outdated
Contributor

@aaronschweig aaronschweig left a comment


See comments below. Ideally we would also return proper admission.Warnings instead of only errors but that's bonus.

I also think my suggestions below are quick wins, so it should not take long to address them.

Comment thread internal/webhook/identityproviderconfiguration_validation_webhook.go Outdated
Comment thread internal/webhook/identityproviderconfiguration_validation_webhook.go Outdated
Comment thread internal/webhook/identityproviderconfiguration_validation_webhook.go Outdated
@makdeniss makdeniss merged commit 3010020 into main Feb 20, 2026
11 checks passed
@makdeniss makdeniss deleted the feat/prevent-creation-idp branch February 20, 2026 13:59
@github-project-automation github-project-automation Bot moved this from In Progress to Done in OpenMesh - Backlog Feb 20, 2026

Labels

enhancement (New feature or request), feature

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

Prevent creation of an IDP resource that would lead to an already existing Keycloak realm

3 participants