Provider keeps adding UPDATE_PASSWORD to user required actions #62

Open
a1994sc opened this issue Feb 22, 2024 · 7 comments

Comments

@a1994sc

a1994sc commented Feb 22, 2024

I am using keycloak version 21.1.1 with the provider v0.10.0 and after changing my initial password and waiting a few minutes the action UPDATE_PASSWORD is added to the required actions...

```yaml
apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
metadata:
  name: aconlon
spec:
  deletionPolicy: Delete
  providerConfigRef:
    name: keycloak
  forProvider:
    realmIdRef:
      name: company
    username: aconlon
    email: allen@conlon.dev
    emailVerified: true
    firstName: Allen
    lastName: Conlon
    requiredActions: []
    initialPassword:
    - temporary: true
      valueSecretRef:
        key: password
        name: keycloak-initial-password
        namespace: crossplane-system
```

```yaml
# kubectl get user.user aconlon -o yaml

apiVersion: user.keycloak.crossplane.io/v1alpha1
kind: User
...
spec:
  forProvider:
    requiredActions:
    - UPDATE_PASSWORD
```

I tried to see if this was an issue with the upstream Terraform provider, but I did not see anything in the issues...

Any help would be awesome, thanks.

@Breee
Collaborator

Breee commented Feb 26, 2024

Greetings, I would say that is expected behavior with respect to the current logic of the provider. I'll test it myself and report back to you. However, do you even need update_password if you have set the initial password to temporary?

I'll think about how we can solve this issue of continuously applied required actions.

@a1994sc
Author

a1994sc commented Feb 26, 2024

Well, applying the update password action is fine after creating the user; however, it is adding that action after the user has set their new password... So they have to keep updating their password every few minutes.

@Breee
Collaborator

Breee commented Feb 26, 2024

Yeah, the question is how we shall differentiate that.

Besides that, I don't think you need an UPDATE_PASSWORD required action object at all if you are using

    initialPassword:
    - temporary: true

because the `temporary: true` setting should ensure that a user is forced to update their password.

Besides that:

  • The provider is trying to sync the desired state and the actual state, i.e. your manifests in the Kubernetes cluster are your single source of truth and Crossplane will continuously apply them.
  • As soon as someone changes the password, the required action will be gone in Keycloak, and thus Crossplane will create it again, since you defined it in your manifests.

One solution without changing the provider itself would be:

  1. Create the RequiredAction object and set its deletion policy to Orphan (see https://docs.crossplane.io/latest/concepts/managed-resources/).
  2. Delete the object after it has been synced successfully.

That approach would not work for any GitOps-based workflow though, and would require additional changes / self-built logic in the provider.

@a1994sc
Author

a1994sc commented Feb 26, 2024

So the instance in question is running on Keycloak 21.1.2, but I have another instance running Keycloak 22.0.4 and it works fine without the issue of the password resetting... So maybe something in 22 fixed this interaction?

@haarchri
Member

I wonder if we can skip requiredActions for late-init - it's fine to have it status only, or?

@TehreemNisa

This is happening in our Keycloak instance in version 24.0.7. The user required action continuously updates and asks for update_password for all users if we set the temporary field to true. It is mentioned in the documentation that "If set to true, the initial password is set up for renewal on first use."

https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.4.0/resources/user.keycloak.crossplane.io/User/v1alpha1

@Breee
Collaborator

Breee commented Sep 12, 2024

Please test xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.5.0-rc
