keycloak: operator doesn't watch other namespaces
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest release
Area
operator
Describe the bug
according to this and this the operator should be watching namespaces defined in the QUARKUS_OPERATOR_SDK_NAMESPACES env variable, but it doesn’t seem to work for me.
Version
20.0.2
Expected behavior
reconcile keycloak resources in other namespaces than the operator runs in.
Actual behavior
reconciles only in the operator’s namespace
How to Reproduce?
deploy operator with:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    app.quarkus.io/build-timestamp: 2022-12-20 - 19:05:31 +0000
    deployment.kubernetes.io/revision: "2"
    meta.helm.sh/release-name: keycloak-operator
    meta.helm.sh/release-namespace: keycloak-operator
  labels:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak-operator
    app.kubernetes.io/version: 20.0.2
  name: keycloak-operator
  namespace: keycloak-operator
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: keycloak-operator
      app.kubernetes.io/version: 20.0.2
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        app.quarkus.io/build-timestamp: 2022-12-20 - 19:05:31 +0000
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: keycloak-operator
        app.kubernetes.io/version: 20.0.2
    spec:
      containers:
      - env:
        - name: OPERATOR_KEYCLOAK_IMAGE
          value: quay.io/keycloak/keycloak:20.0.2
        - name: QUARKUS_OPERATOR_SDK_NAMESPACES
          value: iam-test
        image: quay.io/keycloak/keycloak-operator:20.0.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /q/health/live
            port: 8080
            scheme: HTTP
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 10
        name: keycloak-operator
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /q/health/ready
            port: 8080
            scheme: HTTP
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 10
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: keycloak-operator
      serviceAccountName: keycloak-operator
      terminationGracePeriodSeconds: 30
create a keycloak resource in the iam-test namespace:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  annotations:
    meta.helm.sh/release-name: iam-test
    meta.helm.sh/release-namespace: iam-test
  creationTimestamp: "2023-01-03T12:54:17Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: internal-test
  namespace: iam-test
  resourceVersion: "844051854"
  uid: ff5a05cb-8651-49fe-84fe-9ce437b0d6b4
spec:
  db:
    host: iam-db
    passwordSecret:
      key: password
      name: iam-db.credentials.postgresql.acid.zalan.do
    usernameSecret:
      key: username
      name: iam-db.credentials.postgresql.acid.zalan.do
    vendor: postgres
  hostname:
    hostname: login-internal-test.example.net
  http:
    httpEnabled: true
    httpPort: 8080
    httpsPort: 8443
    tlsSecret: keycloak-tls
  image: repo/keycloak-customized:20.0.2
  ingress:
    enabled: false
  instances: 1
Anything else?
the operator’s logs are also indicating that the watched namespace is only keycloak-operator:
keycloak-operator-65fcbbf475-kmn5g keycloak-operator __ ____ __ _____ ___ __ ____ ______
keycloak-operator-65fcbbf475-kmn5g keycloak-operator --/ __ \/ / / / _ | / _ \/ //_/ / / / __/
keycloak-operator-65fcbbf475-kmn5g keycloak-operator -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \
keycloak-operator-65fcbbf475-kmn5g keycloak-operator --\___\_\____/_/ |_/_/|_/_/|_|\____/___/
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:31,573 WARN [io.qua.config] (main) Unrecognized configuration key "quarkus.operator-sdk.generate-csv" was provided; it will be ignored; verify that the dependency extension for this configuration is set or that you did not make a typo
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,172 INFO [io.qua.ope.run.OperatorProducer] (main) Quarkus Java Operator SDK extension 4.0.4 (commit: d1a3d1e on branch: d1a3d1ef9b22414b740e9f4c0d74d62a673031e3) built on Fri Oct 21 09:02:30 UTC 2022
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,238 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.deployment.Keycloak' for namespace(s): [keycloak-operator]
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,241 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakrealmimportcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport' for namespace(s): [keycloak-operator]
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,242 INFO [io.qua.ope.run.AppEventListener] (main) Starting operator.
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,242 INFO [io.jav.ope.Operator] (main) Operator SDK 3.2.4 (commit: dfae8d5) built on Fri Oct 21 08:03:55 UTC 2022 starting...
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,242 INFO [io.jav.ope.Operator] (main) Client version: 5.12.4
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,249 INFO [io.jav.ope.pro.Controller] (main) Starting 'keycloakcontroller' controller for reconciler: org.keycloak.operator.controllers.KeycloakController_ClientProxy, resource: org.keycloak.operator.crds.v2alpha1.deployment.Keycloak
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:33,297 WARN [io.fab.kub.cli.int.VersionUsageUtils] (main) The client is using resource type 'keycloaks' with unstable version 'v2alpha1'
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:34,952 INFO [io.jav.ope.pro.Controller] (main) 'keycloakcontroller' controller started, pending event sources initialization
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:34,953 INFO [io.jav.ope.pro.Controller] (main) Starting 'keycloakrealmimportcontroller' controller for reconciler: org.keycloak.operator.controllers.KeycloakRealmImportController_ClientProxy, resource: org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:34,955 WARN [io.fab.kub.cli.int.VersionUsageUtils] (main) The client is using resource type 'keycloakrealmimports' with unstable version 'v2alpha1'
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:35,016 INFO [io.jav.ope.pro.Controller] (main) 'keycloakrealmimportcontroller' controller started, pending event sources initialization
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:35,202 INFO [io.quarkus] (main) keycloak-operator 20.0.2 on JVM (powered by Quarkus 2.13.3.Final) started in 4.032s. Listening on: http://0.0.0.0:8080
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:35,202 INFO [io.quarkus] (main) Profile prod activated.
keycloak-operator-65fcbbf475-kmn5g keycloak-operator 2023-01-03 12:43:35,203 INFO [io.quarkus] (main) Installed features: [cdi, kubernetes, kubernetes-client, openshift-client, operator-sdk, rest-client, rest-client-jackson, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]
tested the versions backwards, and 19.0.2 seems to work as expected:
keycloak-operator-78d7dcc795-fbvcs keycloak-operator 2023-01-03 14:55:10,054 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.deployment.Keycloak' for namespace(s): [iam-test]
keycloak-operator-78d7dcc795-fbvcs keycloak-operator 2023-01-03 14:55:10,062 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakrealmimportcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport' for namespace(s): [iam-test]
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 21 (5 by maintainers)
I just released version 4.0.8 of the Quarkus extension for JOSDK which should address the issue.
The Keycloak Operator currently does not support watching other namespaces at the moment but it is something we are considering in the future. For now, it might be possible to use some workarounds by directly configuring the SDK as suggested in some comments here, but we provide no guarantees it’ll work.
there are separate ENV variables for each controller like: QUARKUS_OPERATOR_SDK_CONTROLLERS_<controller>_NAMESPACES. use QUARKUS_OPERATOR_SDK_CONTROLLERS_KEYCLOAKREALMIMPORTCONTROLLER_NAMESPACES for the other CRD.
@fuero, use QUARKUS_OPERATOR_SDK_CONTROLLERS_KEYCLOAKCONTROLLER_NAMESPACES instead of QUARKUS_OPERATOR_SDK_NAMESPACES. it’s working since 20.0.5.
Does this support wildcard matching of ‘*’ as well? I can’t get that to work
@andreaTP, this got fixed in the quarkus-operator-sdk. would you mind having a look at my PR above?
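A check for the symptom reported in this issue, as an added example that is not part of the original thread or of the Keycloak project's code: it reads the operator's startup log, extracts the namespaces each controller registered for, and compares them with the namespace that was configured. The function names are hypothetical; the embedded log lines are the two excerpts quoted in the issue with the pod-name prefix dropped, and the comparison is an exact match on the comma-separated namespace list.

```shell
#!/bin/sh
# Print "<controller> <namespaces>" for every "Registered reconciler" log line on stdin.
watched_namespaces() {
  sed -n "s/.*Registered reconciler: '\([^']*\)'.*for namespace(s): \[\([^]]*\)\].*/\1 \2/p"
}

# check_scope <expected-namespaces>: exit 0 if every controller watches exactly
# the expected list, 1 on any mismatch, 2 if the log has no registration lines.
check_scope() {
  watched_namespaces | awk -v want="$1" '
    {
      ctrl = $1; $1 = ""; got = $0
      gsub(/ /, "", got)            # "a, b" -> "a,b"
      if (got != want) {
        printf "MISMATCH %s: watching [%s], expected [%s]\n", ctrl, got, want
        bad = 1
      }
      n++
    }
    END {
      if (n == 0) { print "no Registered reconciler lines found"; exit 2 }
      exit bad
    }'
}

# Log excerpt from the issue (operator 20.0.2, QUARKUS_OPERATOR_SDK_NAMESPACES=iam-test).
log_20_0_2() { cat <<'EOF'
2023-01-03 12:43:33,238 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.deployment.Keycloak' for namespace(s): [keycloak-operator]
2023-01-03 12:43:33,241 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakrealmimportcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport' for namespace(s): [keycloak-operator]
2023-01-03 12:43:33,242 INFO [io.qua.ope.run.AppEventListener] (main) Starting operator.
EOF
}

# Log excerpt from the issue (operator 19.0.2, same setting).
log_19_0_2() { cat <<'EOF'
2023-01-03 14:55:10,054 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.deployment.Keycloak' for namespace(s): [iam-test]
2023-01-03 14:55:10,062 INFO [io.jav.ope.Operator] (main) Registered reconciler: 'keycloakrealmimportcontroller' for resource: 'class org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport' for namespace(s): [iam-test]
EOF
}

# Against a live cluster (names from the issue's manifests):
#   kubectl logs -n keycloak-operator deploy/keycloak-operator | check_scope iam-test
log_20_0_2 | check_scope iam-test || true
```

Running the same check after setting the per-controller variables mentioned in the comments shows whether both controllers picked up the intended scope, since each controller is reported on its own line.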