Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: add migration to keycloak startup to set client redirect uris #3640

Merged
merged 2 commits into from
Feb 6, 2024
Merged

refactor: add migration to keycloak startup to set client redirect uris #3640

merged 2 commits into from
Feb 6, 2024

Conversation

shreddedbacon
Copy link
Member

General Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated
  • PR title is ready for inclusion in changelog

Database Migrations

  • If your PR contains a database migation, it MUST be the latest in date order alphabetically

Just adds support to be able to change keycloak redirect uris via an environment variable (and eventually via helmchart) rather than having to define them in keycloak UI manually.

@shreddedbacon shreddedbacon added this to the 2.18.0 milestone Jan 17, 2024
@shreddedbacon shreddedbacon marked this pull request as ready for review January 17, 2024 02:32
rocketeerbkw
rocketeerbkw requested changes Jan 17, 2024
View reviewed changes
Copy link
Member

@rocketeerbkw rocketeerbkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is an "all the time" type operation, not a one time migration, it would be more aligned with the sync_client_secrets than configure_blah_blah.

That would mean a slight rename and function definition moved to utilities section and invocation moved after all migrations.

services/keycloak/startup-scripts/00-configure-lagoon.sh Outdated Show resolved Hide resolved
services/keycloak/startup-scripts/00-configure-lagoon.sh Outdated Show resolved Hide resolved
@shreddedbacon
Copy link
Member Author

Since this is an "all the time" type operation, not a one time migration, it would be more aligned with the sync_client_secrets than configure_blah_blah.

That would mean a slight rename and function definition moved to utilities section and invocation moved after all migrations.

I'm happy to move it to the utilities section, along with

  • configure_admin_email
  • configure_smtp_settings
  • configure_realm_settings
    as these also run every time to ensure that the admin email, smtp and realm settings are up to date by configuring them from what is defined in the provided varaibles or config maps.

as for sync vs configure, i don't really think it matters. if there are enough strongly held opinions that it should be changed to sync, then we will should also update the other 3 function names to be sync.

@shreddedbacon
Copy link
Member Author

For invocation after all other migrations take place, we would also need to move the other functions I mentioned too then. They were added to the top so that they're applied sooner rather than later, due to the slow nature of this script. I really hope that we can make movement on #3499 or #3624 to reduce how many migrations need to run so that this delay in execution is less of a problem in the future

@rocketeerbkw
Copy link
Member

There's two "issues:" The sync functions not using the naming "standards" and not living in the "correct" place is only a organizational and self-documentation concern. It's not a deal breaker. Having the functions live in the migrations section is confusing IMO, and doesn't match our sections comments For those reasons, every migration must be designed to run __only once__ per keycloak install., so moving them is a DX concern. Moving them all in the file is easy and solves all the concerns. I don't care if they all start with sync_ it's just another DX self-documenting nod. If none of this part happens now, I'll just open a PR to do it later, since I also didn't realize that there were other sync functions besides the client secrets ones (I thought those other ones happened in another file for some reason).

The other one is where in the invocation it runs. IMO it's a bug that the sync functions where placed in the middle of the migrations. Considering the non-idempotent bugs we've had in the past the migrations were cleaned up and the sync parts where moved separately for a good reason. The migrations should "know" exactly what the state was from prior migrations. They should for sure all get moved after the migrations.

@shreddedbacon
Copy link
Member Author

There's two "issues:" The sync functions not using the naming "standards" and not living in the "correct" place is only a organizational and self-documentation concern. It's not a deal breaker. Having the functions live in the migrations section is confusing IMO, and doesn't match our sections comments For those reasons, every migration must be designed to run __only once__ per keycloak install., so moving them is a DX concern. Moving them all in the file is easy and solves all the concerns. I don't care if they all start with sync_ it's just another DX self-documenting nod. If none of this part happens now, I'll just open a PR to do it later, since I also didn't realize that there were other sync functions besides the client secrets ones (I thought those other ones happened in another file for some reason).

They're moved to utilities now.

The other one is where in the invocation it runs. IMO it's a bug that the sync functions where placed in the middle of the migrations. Considering the non-idempotent bugs we've had in the past the migrations were cleaned up and the sync parts where moved separately for a good reason. The migrations should "know" exactly what the state was from prior migrations. They should for sure all get moved after the migrations.

Yes, I agree with the whole invocation thing to a degree. But I absolutely believe that we need to get #3499 or #3624 in place so that we can properly reset though, there are far too many migrations taking place currently and it is confusing and a horrible experience to try and ensure that future migrations work correctly with all the other migrations that are already there.

@rocketeerbkw
Copy link
Member

Since I didn't realize there were existing sync funcs in the "wrong" place it's fair to defer that for later. It'll have to get done at some point in the refactor anyway.

No reason to keep configure_lagoon_redirect_uris there though? It can run after all migrations.

@shreddedbacon
Copy link
Member Author

I've moved that to the end. We can pick up discussion of migration/startup procedure once we've made decisions on the realm import process, but not in this PR.

@tobybellwood
Copy link
Member

waiting on #3624 and any further updates to Keycloak

rocketeerbkw
rocketeerbkw approved these changes Feb 2, 2024
View reviewed changes
Copy link
Member

@rocketeerbkw rocketeerbkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feature can't be taken full advantage of until other keycloak work also makes it in, but this piece is ready to go 👍

@tobybellwood tobybellwood changed the title refactor: add migration to keycloak to change client redirect uris refactor: add migration to keycloak startup to set client redirect uris Feb 6, 2024
@tobybellwood tobybellwood merged commit 6858398 into main Feb 6, 2024
1 check passed
@shreddedbacon shreddedbacon deleted the keycloak-redirecturis branch February 6, 2024 02:06
@rocketeerbkw rocketeerbkw mentioned this pull request Sep 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rocketeerbkw rocketeerbkw rocketeerbkw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.18.0
Development

Successfully merging this pull request may close these issues.
3 participants
@shreddedbacon @rocketeerbkw @tobybellwood