feat: Introduce KeycloakOrganization feature (#115)

- Added KeycloakOrganization custom resource definition (CRD) to support multi-tenant scenarios.
- Implemented OrganizationsEnabled field in KeycloakRealm and ClusterKeycloakRealm to enable organization features.
- Implemented Identity provider configuration for KeycloakOrganization.
- Moved StatusOK from internal/controller/helper to api/common for consistency.
- Added general operator finalizer common.FinalizerName.

Please note:
Organizations feature is available in Keycloak 25 as feature flag.
Starting with Keycloak 26, the Organizations feature is fully supported.

Author: zmotso

PROJECT

@@ -126,4 +126,13 @@ resources:
   kind: ClusterKeycloakRealm
   path: github.com/epam/edp-keycloak-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: edp.epam.com
+  group: v1
+  kind: KeycloakOrganization
+  path: github.com/epam/edp-keycloak-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/common/status.go

@@ -0,0 +1,7 @@
+package common
+
+const (
+	StatusOK      string = "OK"
+	StatusError   string = "error"
+	FinalizerName string = "v1.edp.epam.com/finalizer"
+)

api/v1/keycloakrealm_types.go

@@ -67,6 +67,13 @@ type KeycloakRealmSpec struct {
 	// +optional
 	DisplayName string `json:"displayName,omitempty"`
 
+	// OrganizationsEnabled enables Keycloak Organizations feature for this realm.
+	// When enabled, this realm can support Organization resources for multi-tenant scenarios,
+	// identity provider groupings, and domain-based user routing.
+	// +optional
+	// +kubebuilder:default=false
+	OrganizationsEnabled bool `json:"organizationsEnabled,omitempty"`
+
 	// UserProfileConfig is the configuration for user profiles in the realm.
 	// Attributes and groups will be added to the current realm configuration.
 	// Deletion of attributes and groups is not supported.

api/v1alpha1/clusterkeycloakrealm_types.go

@@ -63,6 +63,13 @@ type ClusterKeycloakRealmSpec struct {
 	// +optional
 	DisplayName string `json:"displayName,omitempty"`
 
+	// OrganizationsEnabled enables Keycloak Organizations feature for this realm.
+	// When enabled, this realm can support Organization resources for multi-tenant scenarios,
+	// identity provider groupings, and domain-based user routing.
+	// +optional
+	// +kubebuilder:default=false
+	OrganizationsEnabled bool `json:"organizationsEnabled,omitempty"`
+
 	// UserProfileConfig is the configuration for user profiles in the realm.
 	// +nullable
 	// +optional

api/v1alpha1/organization_types.go

@@ -0,0 +1,115 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/epam/edp-keycloak-operator/api/common"
+)
+
+// KeycloakOrganizationSpec defines the desired state of Organization.
+type KeycloakOrganizationSpec struct {
+	// Name is the unique name of the organization.
+	// The name should be unique across Organizations.
+	// +required
+	Name string `json:"name"`
+
+	// Alias is the unique alias for the organization.
+	// The alias should be unique across Organizations.
+	// +required
+	Alias string `json:"alias"`
+
+	// Domains is a list of email domains associated with the organization.
+	// Each domain should be unique across Organizations.
+	// +required
+	// +kubebuilder:validation:MinItems=1
+	Domains []string `json:"domains"`
+
+	// RedirectURL is the optional redirect URL for the organization.
+	// +optional
+	RedirectURL string `json:"redirectUrl,omitempty"`
+
+	// Description is an optional description of the organization.
+	// +optional
+	Description string `json:"description,omitempty"`
+
+	// Attributes is a map of custom attributes for the organization.
+	// +optional
+	// +nullable
+	Attributes map[string][]string `json:"attributes,omitempty"`
+
+	// IdentityProviders is a list of identity providers associated with the organization.
+	// One identity provider can't be assigned to multiple organizations.
+	// +optional
+	// +nullable
+	IdentityProviders []OrgIdentityProvider `json:"identityProviders,omitempty"`
+
+	// RealmRef is reference to Realm custom resource.
+	// +required
+	RealmRef common.RealmRef `json:"realmRef"`
+}
+
+// OrgIdentityProvider defines an identity provider for an organization.
+type OrgIdentityProvider struct {
+	// Alias is the unique identifier for the identity provider within the organization.
+	// +required
+	Alias string `json:"alias"`
+}
+
+// KeycloakOrganizationStatus defines the observed state of Organization.
+type KeycloakOrganizationStatus struct {
+	// Value contains the current reconciliation status.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// OrganizationID is the unique identifier of the organization in Keycloak.
+	// +optional
+	OrganizationID string `json:"organizationId,omitempty"`
+
+	// Error is the error message if the reconciliation failed.
+	// +optional
+	Error string `json:"error,omitempty"`
+}
+
+func (in *KeycloakOrganizationStatus) SetOK() {
+	in.Value = common.StatusOK
+	in.Error = ""
+}
+
+func (in *KeycloakOrganizationStatus) SetError(err string) {
+	in.Value = common.StatusError
+	in.Error = err
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.value",description="Reconciliation status"
+// +kubebuilder:printcolumn:name="Organization ID",type="string",JSONPath=".status.organizationId",description="Keycloak organization ID"
+// +kubebuilder:printcolumn:name="Realm",type="string",JSONPath=".spec.realmName",description="Keycloak realm name"
+// +kubebuilder:printcolumn:name="Keycloak",type="string",JSONPath=".spec.keycloakRef.name",description="Keycloak instance name"
+
+// KeycloakOrganization is the Schema for the organizations API.
+type KeycloakOrganization struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   KeycloakOrganizationSpec   `json:"spec,omitempty"`
+	Status KeycloakOrganizationStatus `json:"status,omitempty"`
+}
+
+func (in *KeycloakOrganization) GetRealmRef() common.RealmRef {
+	return in.Spec.RealmRef
+}
+
+// +kubebuilder:object:root=true
+
+// KeycloakOrganizationList contains a list of KeycloakOrganization.
+type KeycloakOrganizationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []KeycloakOrganization `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&KeycloakOrganization{}, &KeycloakOrganizationList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -36,6 +36,7 @@ import (
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakauthflow"
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakclient"
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakclientscope"
+	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakorganization"
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakrealm"
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakrealmcomponent"
 	"github.com/epam/edp-keycloak-operator/internal/controller/keycloakrealmgroup"
@@ -267,6 +268,11 @@ func main() {
 		}
 	}
 
+	organizationCtrl := keycloakorganization.NewReconcileOrganization(mgr.GetClient(), h)
+	if err = organizationCtrl.SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create keycloak-organization controller")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

cmd/main.go

@@ -97,6 +97,13 @@ spec:
                     nullable: true
                     type: boolean
                 type: object
+              organizationsEnabled:
+                default: false
+                description: |-
+                  OrganizationsEnabled enables Keycloak Organizations feature for this realm.
+                  When enabled, this realm can support Organization resources for multi-tenant scenarios,
+                  identity provider groupings, and domain-based user routing.
+                type: boolean
               passwordPolicy:
                 description: PasswordPolicies is a list of password policies to apply
                   to the realm.