feat: Make ownerReference in Keycloak resources optional (#71)

Author: zmotso

README.md

@@ -124,6 +124,14 @@ To prevent the operator from deleting resources from Keycloak, add the `edp.epam
        kind: Keycloak
    ```
 
+#### Resources deletion
+
+To avoid resources getting stuck during deletion, it is important to delete them in the correct order:
+
+1. **First**, remove realm resources `KeycloakClient`, `KeycloakRealmUser`, etc.
+2. **Then**, remove `KeycloakRealm`/`ClusterKeycloakRealm`.
+3. **Finally**, remove `Keycloak`/`ClusterKeycloak`.
+
 ## Local Development
 
 To develop the operator, first set up a local environment, and refer to the [Local Development](https://docs.kuberocketci.io/docs/developer-guide/local-development) page.

cmd/main.go

@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -184,7 +185,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	h := helper.MakeHelper(mgr.GetClient(), mgr.GetScheme(), operatorNamespace)
+	h := helper.MakeHelper(mgr.GetClient(), mgr.GetScheme(), operatorNamespace, helper.EnableOwnerRef(enableOwnerRef()))
 
 	keycloakCtrl := keycloak.NewReconcileKeycloak(mgr.GetClient(), mgr.GetScheme(), h)
 	if err = keycloakCtrl.SetupWithManager(mgr, successReconcileTimeoutValue); err != nil {
@@ -312,3 +313,19 @@ func getOperatorNamespace() (string, error) {
 
 	return ns, nil
 }
+
+func enableOwnerRef() bool {
+	val, exists := os.LookupEnv("ENABLE_OWNER_REF")
+	if !exists {
+		return false
+	}
+
+	b, err := strconv.ParseBool(val)
+	if err != nil {
+		setupLog.Error(err, "unable to parse ENABLE_OWNER_REF. Using default value false")
+
+		return false
+	}
+
+	return b
+}

deploy-templates/README.md

@@ -131,6 +131,7 @@ Development versions are also available from the [snapshot helm chart repository
 | annotations | object | `{}` | Annotations to be added to the Deployment |
 | clusterReconciliationEnabled | bool | `false` | If clusterReconciliationEnabled is true, the operator reconciles all Keycloak instances in the cluster;  otherwise, it only reconciles instances in the same namespace by default, and cluster-scoped resources are ignored. |
 | containerSecurityContext | object | `{"allowPrivilegeEscalation":false}` | Container Security Context Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| enableOwnerRef | bool | `true` | If set to true, the operator will set the owner reference for all resources that have Keycloak or KeycloakRealm as reference. This is legacy behavior and not recommended for use. In the future, this will be set to false by default. |
 | extraVolumeMounts | list | `[]` | Additional volumeMounts to be added to the container |
 | extraVolumes | list | `[]` | Additional volumes to be added to the pod |
 | image.repository | string | `"epamedp/keycloak-operator"` | KubeRocketCI keycloak-operator Docker image name. The released image can be found on [Dockerhub](https://hub.docker.com/r/epamedp/keycloak-operator) |

deploy-templates/templates/deployment.yaml

@@ -53,6 +53,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: ENABLE_OWNER_REF
+              value: {{ .Values.enableOwnerRef | quote }}
         {{- if .Values.extraVolumeMounts }}
           volumeMounts:
           {{- if .Values.extraVolumeMounts }}

deploy-templates/values.yaml

@@ -54,3 +54,7 @@ extraVolumeMounts: []
 # -- If clusterReconciliationEnabled is true, the operator reconciles all Keycloak instances in the cluster;
 #  otherwise, it only reconciles instances in the same namespace by default, and cluster-scoped resources are ignored.
 clusterReconciliationEnabled: false
+
+# -- If set to true, the operator will set the owner reference for all resources that have Keycloak or KeycloakRealm as reference.
+# This is legacy behavior and not recommended for use. In the future, this will be set to false by default.
+enableOwnerRef: true

internal/controller/helper/controller_helper.go

@@ -81,14 +81,18 @@ type Helper struct {
 	adapterBuilder    adapterBuilder
 	tokenSecretLock   *sync.Mutex
 	operatorNamespace string
+	// enableOwnerRef is a flag to enable legacy owner reference to Keycloak and KeycloakRealm for operator objects.
+	// This is needed for backward compatibility with the old version of the operator.
+	enableOwnerRef bool
 }
 
-func MakeHelper(client client.Client, scheme *runtime.Scheme, operatorNamespace string) *Helper {
-	return &Helper{
+func MakeHelper(client client.Client, scheme *runtime.Scheme, operatorNamespace string, options ...func(*Helper)) *Helper {
+	helper := &Helper{
 		tokenSecretLock:   new(sync.Mutex),
 		client:            client,
 		scheme:            scheme,
 		operatorNamespace: operatorNamespace,
+		enableOwnerRef:    false,
 		adapterBuilder: func(
 			ctx context.Context,
 			conf adapter.GoCloakConfig,
@@ -99,7 +103,7 @@ func MakeHelper(client client.Client, scheme *runtime.Scheme, operatorNamespace
 			if adminType == keycloakApi.KeycloakAdminTypeServiceAccount {
 				goKeycloakAdapter, err := adapter.MakeFromServiceAccount(ctx, conf, "master", log, restyClient)
 				if err != nil {
-					return nil, fmt.Errorf("failed to make go keycloak adapter from seviceaccount: %w", err)
+					return nil, fmt.Errorf("failed to make go keycloak adapter from service account: %w", err)
 				}
 
 				return goKeycloakAdapter, nil
@@ -113,12 +117,29 @@ func MakeHelper(client client.Client, scheme *runtime.Scheme, operatorNamespace
 			return goKeycloakAdapter, nil
 		},
 	}
+
+	for _, option := range options {
+		option(helper)
+	}
+
+	return helper
+}
+
+// EnableOwnerRef is an option to set the enableOwnerRef field in Helper.
+func EnableOwnerRef(setOwnerRef bool) func(*Helper) {
+	return func(h *Helper) {
+		h.enableOwnerRef = setOwnerRef
+	}
 }
 
 // SetKeycloakOwnerRef sets owner reference for object.
 //
 //nolint:dupl,cyclop
 func (h *Helper) SetKeycloakOwnerRef(ctx context.Context, object ObjectWithKeycloakRef) error {
+	if !h.enableOwnerRef {
+		return nil
+	}
+
 	if metav1.GetControllerOf(object) != nil {
 		return nil
 	}
@@ -173,6 +194,10 @@ func (h *Helper) SetKeycloakOwnerRef(ctx context.Context, object ObjectWithKeycl
 //
 //nolint:dupl,cyclop
 func (h *Helper) SetRealmOwnerRef(ctx context.Context, object ObjectWithRealmRef) error {
+	if !h.enableOwnerRef {
+		return nil
+	}
+
 	if metav1.GetControllerOf(object) != nil {
 		return nil
 	}