feat: Add the ability to add KeycloakClient service accounts to groups

Signed-off-by: Douglass Kirkley <doug.kirkley@gmail.com>

Author: dougkirkley

api/v1/keycloakclient_types.go

@@ -208,6 +208,11 @@ type ServiceAccount struct {
 	// +nullable
 	// +optional
 	Attributes map[string]string `json:"attributes,omitempty"`
+
+	// Groups is a list of groups assigned to service account
+	// +nullable
+	// +optional
+	Groups []string `json:"groups,omitempty"`
 }
 
 type ClientRole struct {

api/v1/zz_generated.deepcopy.go

@@ -613,6 +613,12 @@ spec:
                   enabled:
                     description: Enabled is a flag to enable service account.
                     type: boolean
+                  groups:
+                    description: Groups is a list of groups assigned to service account
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                   realmRoles:
                     description: RealmRoles is a list of realm roles assigned to service
                       account.

config/crd/bases/v1.edp.epam.com_keycloakclients.yaml

@@ -613,6 +613,12 @@ spec:
                   enabled:
                     description: Enabled is a flag to enable service account.
                     type: boolean
+                  groups:
+                    description: Groups is a list of groups assigned to service account
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                   realmRoles:
                     description: RealmRoles is a list of realm roles assigned to service
                       account.

deploy-templates/crds/v1.edp.epam.com_keycloakclients.yaml

@@ -3108,6 +3108,13 @@ ServiceAccount is a service account configuration.
           Enabled is a flag to enable service account.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>groups</b></td>
+        <td>[]string</td>
+        <td>
+          Groups is a list of groups assigned to service account<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>realmRoles</b></td>
         <td>[]string</td>

docs/api.md

@@ -45,5 +45,12 @@ func (el *ServiceAccount) Serve(_ context.Context, keycloakClient *keycloakApi.K
 		}
 	}
 
+	if keycloakClient.Spec.ServiceAccount.Groups != nil {
+		if err := el.keycloakApiClient.SetServiceAccountGroups(realmName,
+			keycloakClient.Status.ClientID, keycloakClient.Spec.ServiceAccount.Groups, addOnly); err != nil {
+			return errors.Wrap(err, "unable to sync service account groups")
+		}
+	}
+
 	return nil
 }

internal/controller/keycloakclient/chain/service_account.go

@@ -30,6 +30,7 @@ func TestServiceAccount_Serve(t *testing.T) {
 					},
 				},
 				RealmRoles: []string{"baz", "zaz"},
+				Groups:     []string{"group1", "group2"},
 			},
 		},
 		Status: keycloakApi.KeycloakClientStatus{
@@ -46,6 +47,8 @@ func TestServiceAccount_Serve(t *testing.T) {
 			kc.Spec.ServiceAccount.ClientRoles[0].ClientID: kc.Spec.ServiceAccount.ClientRoles[0].Roles}, false).Return(nil)
 	apiClient.On("SetServiceAccountAttributes", realmName, kc.Status.ClientID,
 		kc.Spec.ServiceAccount.Attributes, false).Return(nil)
+	apiClient.On("SetServiceAccountGroups", realmName, kc.Status.ClientID,
+		kc.Spec.ServiceAccount.Groups, false).Return(nil)
 
 	sa := NewServiceAccount(apiClient)
 

internal/controller/keycloakclient/chain/service_account_test.go

@@ -111,6 +111,10 @@ var _ = Describe("KeycloakClient controller", Ordered, func() {
 					Browser:     "browser",
 					DirectGrant: "direct grant",
 				},
+				ServiceAccount: &keycloakApi.ServiceAccount{
+					Enabled: true,
+					Groups:  []string{"test-group"},
+				},
 			},
 		}
 		Expect(k8sClient.Create(ctx, keycloakClient)).Should(Succeed())
@@ -154,6 +158,9 @@ var _ = Describe("KeycloakClient controller", Ordered, func() {
 					Browser:     "browser",
 					DirectGrant: "direct grant",
 				},
+				ServiceAccount: &keycloakApi.ServiceAccount{
+					Enabled: true,
+				},
 			},
 		}
 		Expect(k8sClient.Create(ctx, keycloakClient)).Should(Succeed())

internal/controller/keycloakclient/keycloakclient_controller_integration_test.go

@@ -74,3 +74,34 @@ func (a GoCloakAdapter) SetServiceAccountAttributes(realm, clientID string, attr
 
 	return nil
 }
+
+func (a GoCloakAdapter) SetServiceAccountGroups(realm, clientID string, groups []string, addOnly bool) error {
+	user, err := a.client.GetClientServiceAccount(context.Background(), a.token.AccessToken, realm, clientID)
+	if err != nil {
+		return errors.Wrap(err, "unable to get client service account")
+	}
+
+	svcGroups := make(map[string]struct{})
+	if addOnly && user.Groups != nil {
+		for _, group := range *user.Groups {
+			svcGroups[group] = struct{}{}
+		}
+	}
+
+	for _, group := range groups {
+		svcGroups[group] = struct{}{}
+	}
+
+	var newGroups []string
+	for group := range svcGroups {
+		newGroups = append(newGroups, group)
+	}
+
+	user.Groups = &newGroups
+
+	if err = a.client.UpdateUser(context.Background(), a.token.AccessToken, realm, *user); err != nil {
+		return errors.Wrapf(err, "unable to update service account user: %s", clientID)
+	}
+
+	return nil
+}

pkg/client/keycloak/adapter/gocloak_adapter_service_account.go

@@ -27,6 +27,7 @@ type Client interface {
 	SyncServiceAccountRoles(realm, clientID string, realmRoles []string,
 		clientRoles map[string][]string, addOnly bool) error
 	SetServiceAccountAttributes(realm, clientID string, attributes map[string]string, addOnly bool) error
+	SetServiceAccountGroups(realm, clientID string, groups []string, addOnly bool) error
 	ExportToken() ([]byte, error)
 }