feat: Add KeycloakClient ClientRolesV2 field (#152)

Introduced the new ClientRolesV2 field for KeycloakClient
for more advanced client setup.
ClientRolesV2 supports role descriptions and composite roles,
unlike ClientRoles. ClientRoles marked as deprecated.

Author: zmotso

api/v1/keycloakclient_types.go

@@ -72,10 +72,16 @@ type KeycloakClientSpec struct {
 	AdvancedProtocolMappers bool `json:"advancedProtocolMappers,omitempty"`
 
 	// ClientRoles is a list of client roles names assigned to client.
+	// Deprecated: Use ClientRolesV2 instead.
 	// +nullable
 	// +optional
 	ClientRoles []string `json:"clientRoles,omitempty"`
 
+	// ClientRolesV2 is a list of client roles assigned to client.
+	// +nullable
+	// +optional
+	ClientRolesV2 []ClientRole `json:"clientRolesV2,omitempty"`
+
 	// ProtocolMappers is a list of protocol mappers assigned to client.
 	// +nullable
 	// +optional
@@ -204,7 +210,7 @@ type ServiceAccount struct {
 	// ClientRoles is a list of client roles assigned to service account.
 	// +nullable
 	// +optional
-	ClientRoles []ClientRole `json:"clientRoles,omitempty"`
+	ClientRoles []UserClientRole `json:"clientRoles,omitempty"`
 
 	// Attributes is a map of service account attributes.
 	// +nullable
@@ -217,7 +223,7 @@ type ServiceAccount struct {
 	Groups []string `json:"groups,omitempty"`
 }
 
-type ClientRole struct {
+type UserClientRole struct {
 	// ClientID is a client ID.
 	ClientID string `json:"clientId"`
 
@@ -227,6 +233,22 @@ type ClientRole struct {
 	Roles []string `json:"roles,omitempty"`
 }
 
+type ClientRole struct {
+	// Name is a client role name.
+	// +required
+	Name string `json:"name,omitempty"`
+
+	// Description is a client role description.
+	// +optional
+	Description string `json:"description,omitempty"`
+
+	// AssociatedClientRoles is a list of client roles names associated with the current role.
+	// These roles won't be created automatically, user should specify them separately in clientRolesV2.
+	// +nullable
+	// +optional
+	AssociatedClientRoles []string `json:"associatedClientRoles,omitempty"`
+}
+
 type ProtocolMapper struct {
 	// Name is a protocol mapper name.
 	// +optional

api/v1/keycloakrealmgroup_types.go

@@ -42,7 +42,7 @@ type KeycloakRealmGroupSpec struct {
 	// ClientRoles is a list of client roles assigned to group.
 	// +nullable
 	// +optional
-	ClientRoles []ClientRole `json:"clientRoles,omitempty"`
+	ClientRoles []UserClientRole `json:"clientRoles,omitempty"`
 }
 
 // KeycloakRealmGroupStatus defines the observed state of KeycloakRealmGroup.

api/v1/keycloakrealmuser_types.go

@@ -48,7 +48,7 @@ type KeycloakRealmUserSpec struct {
 	// ClientRoles is a list of client roles assigned to user.
 	// +nullable
 	// +optional
-	ClientRoles []ClientRole `json:"clientRoles,omitempty"`
+	ClientRoles []UserClientRole `json:"clientRoles,omitempty"`
 
 	// Groups is a list of groups assigned to user.
 	// +nullable

api/v1/zz_generated.deepcopy.go

@@ -423,12 +423,36 @@ spec:
                   URI and tokens.
                 type: string
               clientRoles:
-                description: ClientRoles is a list of client roles names assigned
-                  to client.
+                description: |-
+                  ClientRoles is a list of client roles names assigned to client.
+                  Deprecated: Use ClientRolesV2 instead.
                 items:
                   type: string
                 nullable: true
                 type: array
+              clientRolesV2:
+                description: ClientRolesV2 is a list of client roles assigned to client.
+                items:
+                  properties:
+                    associatedClientRoles:
+                      description: |-
+                        AssociatedClientRoles is a list of client roles names associated with the current role.
+                        These roles won't be created automatically, user should specify them separately in clientRolesV2.
+                      items:
+                        type: string
+                      nullable: true
+                      type: array
+                    description:
+                      description: Description is a client role description.
+                      type: string
+                    name:
+                      description: Name is a client role name.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                nullable: true
+                type: array
               consentRequired:
                 description: ConsentRequired is a flag to enable consent.
                 type: boolean

config/crd/bases/v1.edp.epam.com_keycloakclients.yaml

@@ -1,24 +1,34 @@
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakClient
 metadata:
-  name: keycloakclient-sample
+  name: keycloakclient-sample2
 spec:
   realmRef:
     name: keycloakrealm-sample
     kind: KeycloakRealm
   advancedProtocolMappers: true
-  clientId: agocd
+  clientId: agocd2
   directAccess: true
   public: false
   secret: $client-secret-name:client-secret-key
   webUrl: https://argocd.example.com
   adminUrl: https://admin.example.com
   homeUrl: /home/
-  defaultClientScopes:
-    - groups
+  # defaultClientScopes:
+  #   - groups
   redirectUris:
     - /url1/*
     - /url2/*
+  clientRoles:
+    - administrator
+    - developer
+  # clientRolesV2:
+  #   - name: roleA
+  #     description: "Role A"
+  #     associatedClientRoles:
+  #       - roleB
+  #   - name: roleB
+  #     description: "Role B"
 
 ---
 

deploy-templates/_crd_examples/keycloakclient.yaml

@@ -423,12 +423,36 @@ spec:
                   URI and tokens.
                 type: string
               clientRoles:
-                description: ClientRoles is a list of client roles names assigned
-                  to client.
+                description: |-
+                  ClientRoles is a list of client roles names assigned to client.
+                  Deprecated: Use ClientRolesV2 instead.
                 items:
                   type: string
                 nullable: true
                 type: array
+              clientRolesV2:
+                description: ClientRolesV2 is a list of client roles assigned to client.
+                items:
+                  properties:
+                    associatedClientRoles:
+                      description: |-
+                        AssociatedClientRoles is a list of client roles names associated with the current role.
+                        These roles won't be created automatically, user should specify them separately in clientRolesV2.
+                      items:
+                        type: string
+                      nullable: true
+                      type: array
+                    description:
+                      description: Description is a client role description.
+                      type: string
+                    name:
+                      description: Name is a client role name.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                nullable: true
+                type: array
               consentRequired:
                 description: ConsentRequired is a flag to enable consent.
                 type: boolean

deploy-templates/crds/v1.edp.epam.com_keycloakclients.yaml

@@ -2287,7 +2287,15 @@ If empty - WebUrl will be used.<br/>
         <td><b>clientRoles</b></td>
         <td>[]string</td>
         <td>
-          ClientRoles is a list of client roles names assigned to client.<br/>
+          ClientRoles is a list of client roles names assigned to client.
+Deprecated: Use ClientRolesV2 instead.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b><a href="#keycloakclientspecclientrolesv2index">clientRolesV2</a></b></td>
+        <td>[]object</td>
+        <td>
+          ClientRolesV2 is a list of client roles assigned to client.<br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -3181,6 +3189,48 @@ Condition is evaluated during OpenID Connect authorization request and/or token
 </table>
 
 
+### KeycloakClient.spec.clientRolesV2[index]
+<sup><sup>[↩ Parent](#keycloakclientspec)</sup></sup>
+
+
+
+
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          Name is a client role name.<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>associatedClientRoles</b></td>
+        <td>[]string</td>
+        <td>
+          AssociatedClientRoles is a list of client roles names associated with the current role.
+These roles won't be created automatically, user should specify them separately in clientRolesV2.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>description</b></td>
+        <td>string</td>
+        <td>
+          Description is a client role description.<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### KeycloakClient.spec.permission
 <sup><sup>[↩ Parent](#keycloakclientspec)</sup></sup>
 

docs/api.md

@@ -33,20 +33,8 @@ func (el *PutClientRole) putKeycloakClientRole(ctx context.Context, keycloakClie
 
 	clientDto := dto.ConvertSpecToClient(&keycloakClient.Spec, "", realmName, nil)
 
-	for _, role := range clientDto.Roles {
-		exist, err := el.keycloakApiClient.ExistClientRole(clientDto, role)
-		if err != nil {
-			return errors.Wrap(err, "error during ExistClientRole")
-		}
-
-		if exist {
-			reqLog.Info("Client role already exists", "role", role)
-			continue
-		}
-
-		if err := el.keycloakApiClient.CreateClientRole(clientDto, role); err != nil {
-			return errors.Wrap(err, "unable to create client role")
-		}
+	if err := el.keycloakApiClient.SyncClientRoles(ctx, realmName, clientDto); err != nil {
+		return errors.Wrap(err, "unable to sync client roles")
 	}
 
 	reqLog.Info("End put keycloak client role")

internal/controller/keycloakclient/chain/put_client_role.go

@@ -23,7 +23,7 @@ func TestServiceAccount_Serve(t *testing.T) {
 				Attributes: map[string]string{
 					"foo": "bar",
 				},
-				ClientRoles: []keycloakApi.ClientRole{
+				ClientRoles: []keycloakApi.UserClientRole{
 					{
 						ClientID: "clid2",
 						Roles:    []string{"foo", "bar"},