feat: Allow finalizer cleanup when realm is already deleted (#173)

Author: Andrea Serrecchia

cmd/main.go

@@ -323,7 +323,6 @@ func enableOwnerRef() bool {
 	b, err := strconv.ParseBool(val)
 	if err != nil {
 		setupLog.Error(err, "unable to parse ENABLE_OWNER_REF. Using default value false")
-
 		return false
 	}
 

internal/controller/helper/controller_helper.go

@@ -65,6 +65,7 @@ type ControllerHelper interface {
 	SetRealmOwnerRef(ctx context.Context, object ObjectWithRealmRef) error
 	SetFailureCount(fc FailureCountable) time.Duration
 	TryToDelete(ctx context.Context, obj client.Object, terminator Terminator, finalizer string) (isDeleted bool, resultErr error)
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	GetKeycloakRealmFromRef(ctx context.Context, object ObjectWithRealmRef, kcClient keycloak.Client) (*gocloak.RealmRepresentation, error)
 	CreateKeycloakClientFromRealmRef(ctx context.Context, object ObjectWithRealmRef) (keycloak.Client, error)
 	CreateKeycloakClientFromRealm(ctx context.Context, realm *keycloakApi.KeycloakRealm) (keycloak.Client, error)
@@ -248,6 +249,18 @@ func (h *Helper) SetRealmOwnerRef(ctx context.Context, object ObjectWithRealmRef
 	}
 }
 
+func (h *Helper) TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error {
+	if !obj.GetDeletionTimestamp().IsZero() {
+		if controllerutil.RemoveFinalizer(obj, finalizer) {
+			if err := h.client.Update(ctx, obj); err != nil {
+				return errors.Wrap(err, "unable to update instance")
+			}
+		}
+	}
+
+	return nil
+}
+
 func (h *Helper) TryToDelete(ctx context.Context, obj client.Object, terminator Terminator, finalizer string) (isDeleted bool, resultErr error) {
 	logger := ctrl.LoggerFrom(ctx)
 

internal/controller/helper/controller_helper_auth.go

@@ -25,6 +25,7 @@ const (
 )
 
 var ErrKeycloakIsNotAvailable = errors.New("keycloak is not available")
+var ErrKeycloakRealmNotFound = errors.New("keycloak realm is not available")
 
 // KeycloakAuthData contains data for keycloak authentication.
 type KeycloakAuthData struct {
@@ -220,13 +221,21 @@ func (h *Helper) getKeycloakAuthDataFromRealmRef(ctx context.Context, object Obj
 	case keycloakApi.KeycloakRealmKind:
 		realm := &keycloakApi.KeycloakRealm{}
 		if err := h.client.Get(ctx, types.NamespacedName{Name: name, Namespace: object.GetNamespace()}, realm); err != nil {
+			if k8sErrors.IsNotFound(err) && object.GetDeletionTimestamp() != nil {
+				return nil, ErrKeycloakRealmNotFound
+			}
+
 			return nil, fmt.Errorf("unable to get realm: %w", err)
 		}
 
 		return h.getKeycloakAuthDataFromRealm(ctx, realm)
 	case keycloakAlpha.ClusterKeycloakRealmKind:
 		clusterRealm := &keycloakAlpha.ClusterKeycloakRealm{}
 		if err := h.client.Get(ctx, types.NamespacedName{Name: name}, clusterRealm); err != nil {
+			if k8sErrors.IsNotFound(err) && object.GetDeletionTimestamp() != nil {
+				return nil, ErrKeycloakRealmNotFound
+			}
+
 			return nil, fmt.Errorf("unable to get cluster realm: %w", err)
 		}
 

internal/controller/keycloakauthflow/keycloakauthflow_controller.go

@@ -27,6 +27,7 @@ const finalizerName = "keycloak.authflow.operator.finalizer.name"
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	CreateKeycloakClientFromRealmRef(ctx context.Context, object helper.ObjectWithRealmRef) (keycloak.Client, error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
@@ -126,6 +127,15 @@ func (r *Reconcile) tryReconcile(ctx context.Context, instance *keycloakApi.Keyc
 
 	kClient, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, instance)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, instance, finalizerName); removeErr != nil {
+				return fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return nil
+		}
+
 		return fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}
 

internal/controller/keycloakclient/keycloakclient_controller.go

@@ -24,6 +24,7 @@ import (
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
 	CreateKeycloakClientFromRealmRef(ctx context.Context, object helper.ObjectWithRealmRef) (keycloak.Client, error)
@@ -125,6 +126,15 @@ func (r *ReconcileKeycloakClient) tryReconcile(ctx context.Context, keycloakClie
 
 	kClient, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, keycloakClient)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, keycloakClient, keyCloakClientOperatorFinalizerName); removeErr != nil {
+				return fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return nil
+		}
+
 		return fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}
 

internal/controller/keycloakclient/keycloakclient_controller_integration_test.go

@@ -11,6 +11,7 @@ import (
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/epam/edp-keycloak-operator/api/common"
 	keycloakApi "github.com/epam/edp-keycloak-operator/api/v1"
@@ -65,7 +66,7 @@ var _ = Describe("KeycloakClient controller", Ordered, func() {
 					Browser:     "browser",
 					DirectGrant: "direct grant",
 				},
-				AdminFineGrainedPermissionsEnabled: true,
+				//AdminFineGrainedPermissionsEnabled: true,
 			},
 		}
 
@@ -397,4 +398,55 @@ var _ = Describe("KeycloakClient controller", Ordered, func() {
 				createdKeycloakClient.Status.ClientID != ""
 		}, timeout, interval).Should(BeTrue(), "KeycloakClient should be updated successfully")
 	})
+
+	It("Should successfully delete KeycloakClient if ErrKeycloakRealmNotFound occurs", func() {
+		By("By creating a KeycloakRealm")
+		testRealm := &keycloakApi.KeycloakRealm{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-realm",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakRealmSpec{
+				RealmName: "test-realm",
+				KeycloakRef: common.KeycloakRef{
+					Kind: keycloakApi.KeycloakKind,
+					Name: KeycloakCR,
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, testRealm)).Should(Succeed())
+
+		By("Creating a KeycloakClient")
+		keycloakClient := &keycloakApi.KeycloakClient{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-keycloak-client",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakClientSpec{
+				RealmRef: common.RealmRef{Name: "test-realm"},
+				ClientId: "test-client-id",
+			},
+		}
+		Expect(k8sClient.Create(ctx, keycloakClient)).Should(Succeed())
+
+		By("Waiting for KeycloakClient to be ready")
+		Eventually(func() bool {
+			var c keycloakApi.KeycloakClient
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: keycloakClient.Name, Namespace: ns}, &c)
+			return err == nil && controllerutil.ContainsFinalizer(&c, keyCloakClientOperatorFinalizerName)
+		}, timeout, interval).Should(BeTrue())
+
+		By("Deleting KeycloakRealm")
+		Expect(k8sClient.Delete(ctx, testRealm)).Should(Succeed())
+
+		By("Deleting KeycloakClient")
+		Expect(k8sClient.Delete(ctx, keycloakClient)).Should(Succeed())
+
+		By("Waiting for KeycloakClient to be deleted")
+		Eventually(func() bool {
+			var c keycloakApi.KeycloakClient
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: keycloakClient.Name, Namespace: ns}, &c)
+			return k8sErrors.IsNotFound(err)
+		}, timeout, interval).Should(BeTrue())
+	})
 })

internal/controller/keycloakclientscope/keycloakclientscope_controller.go

@@ -28,6 +28,7 @@ const finalizerName = "keycloak.clientscope.operator.finalizer.name"
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
 	GetKeycloakRealmFromRef(ctx context.Context, object helper.ObjectWithRealmRef, kcClient keycloak.Client) (*gocloak.RealmRepresentation, error)
@@ -131,6 +132,15 @@ func (r *Reconcile) tryReconcile(ctx context.Context, instance *keycloakApi.Keyc
 
 	cl, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, instance)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, instance, finalizerName); removeErr != nil {
+				return "", fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return "", nil
+		}
+
 		return "", fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}
 

internal/controller/keycloakrealmgroup/keycloakrealmgroup_controller.go

@@ -24,6 +24,7 @@ const keyCloakRealmGroupOperatorFinalizerName = "keycloak.realmgroup.operator.fi
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
 	GetKeycloakRealmFromRef(ctx context.Context, object helper.ObjectWithRealmRef, kcClient keycloak.Client) (*gocloak.RealmRepresentation, error)
@@ -115,6 +116,15 @@ func (r *ReconcileKeycloakRealmGroup) tryReconcile(ctx context.Context, keycloak
 
 	kClient, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, keycloakRealmGroup)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, keycloakRealmGroup, keyCloakRealmGroupOperatorFinalizerName); removeErr != nil {
+				return fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return nil
+		}
+
 		return fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}
 

internal/controller/keycloakrealmidentityprovider/keycloakrealmidentityprovider_controller.go

@@ -28,6 +28,7 @@ const finalizerName = "keycloak.realmidp.operator.finalizer.name"
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
 	GetKeycloakRealmFromRef(ctx context.Context, object helper.ObjectWithRealmRef, kcClient keycloak.Client) (*gocloak.RealmRepresentation, error)
@@ -139,6 +140,15 @@ func (r *Reconcile) tryReconcile(ctx context.Context, keycloakRealmIDP *keycloak
 
 	kClient, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, keycloakRealmIDP)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, keycloakRealmIDP, finalizerName); removeErr != nil {
+				return fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return nil
+		}
+
 		return fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}
 

internal/controller/keycloakrealmrole/keycloakrealmrole_controller.go

@@ -27,6 +27,7 @@ const keyCloakRealmRoleOperatorFinalizerName = "keycloak.realmrole.operator.fina
 
 type Helper interface {
 	SetFailureCount(fc helper.FailureCountable) time.Duration
+	TryRemoveFinalizer(ctx context.Context, obj client.Object, finalizer string) error
 	TryToDelete(ctx context.Context, obj client.Object, terminator helper.Terminator, finalizer string) (isDeleted bool, resultErr error)
 	SetRealmOwnerRef(ctx context.Context, object helper.ObjectWithRealmRef) error
 	GetKeycloakRealmFromRef(ctx context.Context, object helper.ObjectWithRealmRef, kcClient keycloak.Client) (*gocloak.RealmRepresentation, error)
@@ -138,6 +139,15 @@ func (r *ReconcileKeycloakRealmRole) tryReconcile(ctx context.Context, keycloakR
 
 	kClient, err := r.helper.CreateKeycloakClientFromRealmRef(ctx, keycloakRealmRole)
 	if err != nil {
+		// if the realm is already deleted try to delete finalizer
+		if errors.Is(err, helper.ErrKeycloakRealmNotFound) {
+			if removeErr := r.helper.TryRemoveFinalizer(ctx, keycloakRealmRole, keyCloakRealmRoleOperatorFinalizerName); removeErr != nil {
+				return "", fmt.Errorf("unable to remove finalizer: %w", removeErr)
+			}
+
+			return "", nil
+		}
+
 		return "", fmt.Errorf("unable to create keycloak client from realm ref: %w", err)
 	}