fix: Deletion resources related to subgroup (#95)

zmotso · SergK · commit 6447eb4d26ea · 2024-10-16T13:01:13.000+03:00
Problem:
If we delete the subgroup before deleting the resources
that contain this subgroup
(Example: KeycloakRealmGroup.spec.subGroup/KeycloakRealmUser.spec.groups)
deletion of KeycloakRealmGroup/KeycloakRealmUser blocks with an error.
This happens because we are syncing KeycloakRealmUser/KeycloakRealmGroup
before deletion, and syncing can't be processed without a subgroup.
Solution:
Moved deletion of KeycloakRealmUser/KeycloakRealmGroup before syncing.
We don't need to sync objects that are marked for deletion.
diff --git a/controllers/keycloakrealmgroup/keycloakrealmgroup_controller.go b/controllers/keycloakrealmgroup/keycloakrealmgroup_controller.go
@@ -130,14 +130,7 @@ func (r *ReconcileKeycloakRealmGroup) tryReconcile(ctx context.Context, keycloak
 		return fmt.Errorf("unable to get keycloak realm from ref: %w", err)
 	}
 
-	id, err := kClient.SyncRealmGroup(ctx, gocloak.PString(realm.Realm), &keycloakRealmGroup.Spec)
-	if err != nil {
-		return fmt.Errorf("unable to sync realm group: %w", err)
-	}
-
-	keycloakRealmGroup.Status.ID = id
-
-	if _, err := r.helper.TryToDelete(
+	deleted, err := r.helper.TryToDelete(
 		ctx,
 		keycloakRealmGroup,
 		makeTerminator(
@@ -147,10 +140,22 @@ func (r *ReconcileKeycloakRealmGroup) tryReconcile(ctx context.Context, keycloak
 			objectmeta.PreserveResourcesOnDeletion(keycloakRealmGroup),
 		),
 		keyCloakRealmGroupOperatorFinalizerName,
-	); err != nil {
+	)
+	if err != nil {
 		return fmt.Errorf("failed to delete keycloak realm group: %w", err)
 	}
 
+	if deleted {
+		return nil
+	}
+
+	id, err := kClient.SyncRealmGroup(ctx, gocloak.PString(realm.Realm), &keycloakRealmGroup.Spec)
+	if err != nil {
+		return fmt.Errorf("unable to sync realm group: %w", err)
+	}
+
+	keycloakRealmGroup.Status.ID = id
+
 	return nil
 }
 
diff --git a/controllers/keycloakrealmgroup/keycloakrealmgroup_controller_integration_test.go b/controllers/keycloakrealmgroup/keycloakrealmgroup_controller_integration_test.go
@@ -30,7 +30,7 @@ var _ = Describe("KeycloakRealmGroup controller", Ordered, func() {
 		Expect(adapter.SkipAlreadyExistsErr(err)).ShouldNot(HaveOccurred())
 
 		By("Creating a KeycloakRealmGroup subgroup")
-		group := &keycloakApi.KeycloakRealmGroup{
+		subgroup := &keycloakApi.KeycloakRealmGroup{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-subgroup",
 				Namespace: ns,
@@ -44,16 +44,39 @@ var _ = Describe("KeycloakRealmGroup controller", Ordered, func() {
 				Path: "/test-subgroup",
 			},
 		}
-		Expect(k8sClient.Create(ctx, group)).Should(Succeed())
+		Expect(k8sClient.Create(ctx, subgroup)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			createdGroup := &keycloakApi.KeycloakRealmGroup{}
+			err = k8sClient.Get(ctx, types.NamespacedName{Name: subgroup.Name, Namespace: ns}, createdGroup)
+			g.Expect(err).ShouldNot(HaveOccurred())
+			g.Expect(createdGroup.Status.Value).Should(Equal(helper.StatusOK))
+		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
+
+		By("Creating a KeycloakRealmGroup subgroup2")
+		subgroup2 := &keycloakApi.KeycloakRealmGroup{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-subgroup2",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakRealmGroupSpec{
+				Name: "test-subgroup2",
+				RealmRef: common.RealmRef{
+					Kind: keycloakApi.KeycloakRealmKind,
+					Name: KeycloakRealmCR,
+				},
+				Path: "/test-subgroup2",
+			},
+		}
+		Expect(k8sClient.Create(ctx, subgroup2)).Should(Succeed())
 		Eventually(func(g Gomega) {
 			createdGroup := &keycloakApi.KeycloakRealmGroup{}
-			err = k8sClient.Get(ctx, types.NamespacedName{Name: "test-subgroup", Namespace: ns}, createdGroup)
+			err = k8sClient.Get(ctx, types.NamespacedName{Name: subgroup2.Name, Namespace: ns}, createdGroup)
 			g.Expect(err).ShouldNot(HaveOccurred())
 			g.Expect(createdGroup.Status.Value).Should(Equal(helper.StatusOK))
 		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
 
 		By("Creating a KeycloakRealmGroup")
-		group = &keycloakApi.KeycloakRealmGroup{
+		group := &keycloakApi.KeycloakRealmGroup{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      groupCR,
 				Namespace: ns,
@@ -83,7 +106,7 @@ var _ = Describe("KeycloakRealmGroup controller", Ordered, func() {
 		Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: groupCR}, group)).Should(Succeed())
 
 		By("Updating a parent KeycloakRealmGroup")
-		group.Spec.SubGroups = []string{}
+		group.Spec.SubGroups = []string{"test-subgroup2"}
 
 		Expect(k8sClient.Update(ctx, group)).Should(Succeed())
 		Eventually(func(g Gomega) {
@@ -93,7 +116,7 @@ var _ = Describe("KeycloakRealmGroup controller", Ordered, func() {
 			g.Expect(updatedGroup.Status.Value).Should(Equal(helper.StatusOK))
 		}, time.Minute, time.Second*5).Should(Succeed())
 	})
-	It("Should delete KeycloakRealmGroup", func() {
+	It("Should delete KeycloakRealmGroup and subgroup", func() {
 		By("Getting KeycloakRealmGroup")
 		group := &keycloakApi.KeycloakRealmGroup{}
 		Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: groupCR}, group)).Should(Succeed())
@@ -105,6 +128,82 @@ var _ = Describe("KeycloakRealmGroup controller", Ordered, func() {
 
 			g.Expect(k8sErrors.IsNotFound(err)).Should(BeTrue())
 		}, timeout, interval).Should(Succeed())
+
+		By("Getting KeycloakRealmGroup subgroup")
+		subgroup := &keycloakApi.KeycloakRealmGroup{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: "test-subgroup2"}, subgroup)).Should(Succeed())
+		By("Deleting KeycloakRealmGroup subgroup")
+		Expect(k8sClient.Delete(ctx, subgroup)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			deletedSubGroup := &keycloakApi.KeycloakRealmGroup{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: subgroup.Name, Namespace: ns}, deletedSubGroup)
+
+			g.Expect(k8sErrors.IsNotFound(err)).Should(BeTrue())
+		}, timeout, interval).Should(Succeed())
+	})
+	It("Should delete KeycloakRealmGroup if subgroup is deleted", func() {
+		By("Creating a subgroup")
+		subgroup := &keycloakApi.KeycloakRealmGroup{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-subgroup-for-deletion",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakRealmGroupSpec{
+				Name: "test-subgroup-for-deletion",
+				RealmRef: common.RealmRef{
+					Kind: keycloakApi.KeycloakRealmKind,
+					Name: KeycloakRealmCR,
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, subgroup)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			createdSubGroup := &keycloakApi.KeycloakRealmGroup{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: subgroup.Name, Namespace: ns}, createdSubGroup)
+			g.Expect(err).ShouldNot(HaveOccurred())
+			g.Expect(createdSubGroup.Status.Value).Should(Equal(helper.StatusOK))
+		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
+
+		By("Creating a group with subgroup")
+		group := &keycloakApi.KeycloakRealmGroup{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-group-for-deletion",
+				Namespace: ns,
+			},
+			Spec: keycloakApi.KeycloakRealmGroupSpec{
+				Name: "test-group-for-deletion",
+				RealmRef: common.RealmRef{
+					Kind: keycloakApi.KeycloakRealmKind,
+					Name: KeycloakRealmCR,
+				},
+				SubGroups: []string{"test-subgroup-for-deletion"},
+			},
+		}
+		Expect(k8sClient.Create(ctx, group)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			createdGroup := &keycloakApi.KeycloakRealmGroup{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: group.Name, Namespace: ns}, createdGroup)
+			g.Expect(err).ShouldNot(HaveOccurred())
+			g.Expect(createdGroup.Status.Value).Should(Equal(helper.StatusOK))
+		}).WithTimeout(time.Second * 20).WithPolling(time.Second).Should(Succeed())
+
+		By("Deleting subgroup")
+		Expect(k8sClient.Delete(ctx, subgroup)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			deletedSubGroup := &keycloakApi.KeycloakRealmGroup{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: subgroup.Name, Namespace: ns}, deletedSubGroup)
+
+			g.Expect(k8sErrors.IsNotFound(err)).Should(BeTrue())
+		}, timeout, interval).Should(Succeed())
+
+		By("Deleting group")
+		Expect(k8sClient.Delete(ctx, group)).Should(Succeed())
+		Eventually(func(g Gomega) {
+			deletedGroup := &keycloakApi.KeycloakRealmGroup{}
+			err := k8sClient.Get(ctx, types.NamespacedName{Name: group.Name, Namespace: ns}, deletedGroup)
+
+			g.Expect(k8sErrors.IsNotFound(err)).Should(BeTrue())
+		}, timeout, interval).Should(Succeed())
 	})
 	It("Should preserve group with annotation", func() {
 		By("Creating a KeycloakRealmGroup")
diff --git a/controllers/keycloakrealmgroup/terminator.go b/controllers/keycloakrealmgroup/terminator.go
@@ -7,6 +7,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	"github.com/epam/edp-keycloak-operator/pkg/client/keycloak"
+	"github.com/epam/edp-keycloak-operator/pkg/client/keycloak/adapter"
 )
 
 type terminator struct {
@@ -26,6 +27,12 @@ func (t *terminator) DeleteResource(ctx context.Context) error {
 	log.Info("Start deleting group")
 
 	if err := t.kClient.DeleteGroup(ctx, t.realmName, t.groupName); err != nil {
+		if adapter.IsErrNotFound(err) {
+			log.Info("Group not found, skipping deletion")
+
+			return nil
+		}
+
 		return fmt.Errorf("unable to delete group %w", err)
 	}
 
diff --git a/controllers/keycloakrealmuser/keycloakrealmuser_controller.go b/controllers/keycloakrealmuser/keycloakrealmuser_controller.go
@@ -132,6 +132,25 @@ func (r *Reconcile) tryReconcile(ctx context.Context, instance *keycloakApi.Keyc
 		return fmt.Errorf("unable to get keycloak realm from ref: %w", err)
 	}
 
+	if instance.Spec.KeepResource {
+		deleted, err := r.helper.TryToDelete(ctx, instance,
+			makeTerminator(
+				gocloak.PString(realm.Realm),
+				instance.Spec.Username,
+				kClient,
+				objectmeta.PreserveResourcesOnDeletion(instance),
+			),
+			finalizer,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to delete keycloak realm user: %w", err)
+		}
+
+		if deleted {
+			return nil
+		}
+	}
+
 	password, getPasswordErr := r.getPassword(ctx, instance)
 	if getPasswordErr != nil {
 		return fmt.Errorf("unable to get password: %w", getPasswordErr)
@@ -153,19 +172,7 @@ func (r *Reconcile) tryReconcile(ctx context.Context, instance *keycloakApi.Keyc
 		return errors.Wrap(err, "unable to sync realm user")
 	}
 
-	if instance.Spec.KeepResource {
-		if _, err := r.helper.TryToDelete(ctx, instance,
-			makeTerminator(
-				gocloak.PString(realm.Realm),
-				instance.Spec.Username,
-				kClient,
-				objectmeta.PreserveResourcesOnDeletion(instance),
-			),
-			finalizer,
-		); err != nil {
-			return errors.Wrap(err, "unable to set finalizers")
-		}
-	} else {
+	if !instance.Spec.KeepResource {
 		if err := r.client.Delete(ctx, instance); err != nil {
 			return errors.Wrap(err, "unable to delete instance of keycloak realm user")
 		}
