feat: Add support for list of attributes with the same key

Signed-off-by: Douglass Kirkley <doug.kirkley@gmail.com>

Author: zmotso

api/v1/keycloakclient_types.go

@@ -213,10 +213,17 @@ type ServiceAccount struct {
 	ClientRoles []UserClientRole `json:"clientRoles,omitempty"`
 
 	// Attributes is a map of service account attributes.
+	// Deprecated: Use AttributesV2 instead.
 	// +nullable
 	// +optional
 	Attributes map[string]string `json:"attributes,omitempty"`
 
+	// AttributesV2 is a map of service account attributes.
+	// this multi-value attributes
+	// +nullable
+	// +optional
+	AttributesV2 map[string][]string `json:"attributesV2,omitempty"`
+
 	// Groups is a list of groups assigned to service account
 	// +nullable
 	// +optional

api/v1/keycloakrealmidentityprovider_types.go

@@ -59,6 +59,17 @@ type KeycloakRealmIdentityProviderSpec struct {
 	// +nullable
 	// +optional
 	Mappers []IdentityProviderMapper `json:"mappers,omitempty"`
+
+	// AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+	// Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+	// Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+	// +optional
+	AdminFineGrainedPermissionsEnabled bool `json:"adminFineGrainedPermissionsEnabled,omitempty"`
+
+	// Permission is a identity provider permissions configuration
+	// +nullable
+	// +optional
+	Permission *AdminFineGrainedPermission `json:"permission,omitempty"`
 }
 
 type IdentityProviderMapper struct {

api/v1/keycloakrealmuser_types.go

@@ -56,10 +56,17 @@ type KeycloakRealmUserSpec struct {
 	Groups []string `json:"groups,omitempty"`
 
 	// Attributes is a map of user attributes.
+	// Deprecated: Use AttributesV2 instead.
 	// +nullable
 	// +optional
 	Attributes map[string]string `json:"attributes,omitempty"`
 
+	// AttributesV2 is a map of service account attributes.
+	// this multi-value attributes
+	// +nullable
+	// +optional
+	AttributesV2 map[string][]string `json:"attributesV2,omitempty"`
+
 	// ReconciliationStrategy is a strategy for reconciliation. Possible values: full, create-only.
 	// Default value: full. If set to create-only, user will be created only if it does not exist. If user exists, it will not be updated.
 	// If set to full, user will be created if it does not exist, or updated if it exists.

api/v1/zz_generated.deepcopy.go

@@ -308,7 +308,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = keycloakrealmidentityprovider.NewReconcile(mgr.GetClient(), h, secretref.NewSecretRef(mgr.GetClient())).
+	if err = keycloakrealmidentityprovider.NewReconcile(mgr.GetClient(), h).
 		SetupWithManager(mgr, successReconcileTimeoutValue); err != nil {
 		setupLog.Error(err, "unable to create keycloak-realm-identity-provider controller")
 		os.Exit(1)

cmd/main.go

@@ -613,7 +613,19 @@ spec:
                   attributes:
                     additionalProperties:
                       type: string
-                    description: Attributes is a map of service account attributes.
+                    description: |-
+                      Attributes is a map of service account attributes.
+                      Deprecated: Use AttributesV2 instead.
+                    nullable: true
+                    type: object
+                  attributesV2:
+                    additionalProperties:
+                      items:
+                        type: string
+                      type: array
+                    description: |-
+                      AttributesV2 is a map of service account attributes.
+                      this multi-value attributes
                     nullable: true
                     type: object
                   clientRoles:

config/crd/bases/v1.edp.epam.com_keycloakclients.yaml

@@ -50,6 +50,12 @@ spec:
                 description: AddReadTokenRoleOnCreate is a flag to add read token
                   role on create.
                 type: boolean
+              adminFineGrainedPermissionsEnabled:
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+                  Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+                  Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+                type: boolean
               alias:
                 description: Alias is a alias of identity provider.
                 type: string
@@ -102,6 +108,26 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              permission:
+                description: Permission is a identity provider permissions configuration
+                nullable: true
+                properties:
+                  scopePermissions:
+                    description: ScopePermissions mapping of scope and the policies
+                      attached
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        policies:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
               providerId:
                 description: ProviderID is a provider ID of identity provider.
                 type: string

config/crd/bases/v1.edp.epam.com_keycloakrealmidentityproviders.yaml

@@ -47,7 +47,19 @@ spec:
               attributes:
                 additionalProperties:
                   type: string
-                description: Attributes is a map of user attributes.
+                description: |-
+                  Attributes is a map of user attributes.
+                  Deprecated: Use AttributesV2 instead.
+                nullable: true
+                type: object
+              attributesV2:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: |-
+                  AttributesV2 is a map of service account attributes.
+                  this multi-value attributes
                 nullable: true
                 type: object
               clientRoles:

config/crd/bases/v1.edp.epam.com_keycloakrealmusers.yaml

@@ -613,7 +613,19 @@ spec:
                   attributes:
                     additionalProperties:
                       type: string
-                    description: Attributes is a map of service account attributes.
+                    description: |-
+                      Attributes is a map of service account attributes.
+                      Deprecated: Use AttributesV2 instead.
+                    nullable: true
+                    type: object
+                  attributesV2:
+                    additionalProperties:
+                      items:
+                        type: string
+                      type: array
+                    description: |-
+                      AttributesV2 is a map of service account attributes.
+                      this multi-value attributes
                     nullable: true
                     type: object
                   clientRoles:

deploy-templates/crds/v1.edp.epam.com_keycloakclients.yaml

@@ -50,6 +50,12 @@ spec:
                 description: AddReadTokenRoleOnCreate is a flag to add read token
                   role on create.
                 type: boolean
+              adminFineGrainedPermissionsEnabled:
+                description: |-
+                  AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for an identity provider.
+                  Feature flag admin-fine-grained-authz:v1 should be enabled in Keycloak server.
+                  Important: FGAP:V1 Keycloak feature remains in preview and may be deprecated and removed in a future releases.
+                type: boolean
               alias:
                 description: Alias is a alias of identity provider.
                 type: string
@@ -102,6 +108,26 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              permission:
+                description: Permission is a identity provider permissions configuration
+                nullable: true
+                properties:
+                  scopePermissions:
+                    description: ScopePermissions mapping of scope and the policies
+                      attached
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        policies:
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
               providerId:
                 description: ProviderID is a provider ID of identity provider.
                 type: string