doodlescheduling / keycloak-controller

Keycloak realm reconciliation for kubernetes

License: Apache License 2.0

Dockerfile 0.21% Makefile 4.12% Go 94.47% Mustache 1.20%
keycloak kubernetes-controller realm

keycloak-controller's People

Contributors

dependabot[bot], petardoodle, raffis, renovate[bot]

keycloak-controller's Issues

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Is it possible to change implementation for groups?

Hello
First of all, I'm grateful for this well-designed controller :).
I'm facing an issue with groups not being imported.

Group structure:

groups:
  - name: my-group
    path: /my-group
    clientRoles:
      my-first-realm:
        - impersonation
        - view-users
      my-second-realm:
        - view-users
        - impersonation

Describe the change

For now, groups are defined by: Groups []string `json:"groups,omitempty"`
From the Keycloak API doc, a group representation consists of maps, strings, arrays and subgroups.
https://www.keycloak.org/docs-api/21.0.1/rest-api/index.html#_grouprepresentation

Current situation

Groups are: Groups []string `json:"groups,omitempty"`

Should

Groups should be: Groups []GroupRepresentation `json:"groups,omitempty"`

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


recent transition time lock can block reconciliation if only sub resources have been changed

Describe the bug

If only sub resources have been changed and spec.interval is set to a high number, reconciliation is awaiting the interval.
However this does not happen if the realm generation was changed.

To Reproduce

Change a keycloakclient or user.

Expected behavior

It should trigger a reconcile. The generations of the observed sub resources have to be acknowledged as well.

Environment

  • controller version: v2.0.7

Additional context

This gate exists to avoid unnecessary pod scheduling of realm reconcilers.

Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Vulnerabilities detected

High or critical vulnerabilities detected. Scan results are below:


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

  • chore(deps-dev): update github/codeql-action action to v3.26.6
  • chore(deps-dev): update actions/upload-artifact action to v4.4.0

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • gcr.io/distroless/static nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
proxy/Dockerfile
  • gcr.io/distroless/static nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
github-actions
.github/workflows/main.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-actions.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • zgosalvez/github-actions-ensure-sha-pinned-actions v3.0.11@3c16e895bb662b4d7e284f032cbe8835a57773cc
.github/workflows/pr-build.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
  • actions/setup-python v5.2.0@f677139bbe7f9c59b41e40162b753c062f5d49a3
  • helm/chart-testing-action v2.6.1@e6669bcd63d7cb57cb4380c33043eebe5d111992
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • engineerd/setup-kind v0.5.0@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0
  • actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
  • imranismail/setup-kustomize v2.1.0@2ba527d4d055ab63514ba50a99456fc35684947f
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
  • actions/setup-python v5.2.0@f677139bbe7f9c59b41e40162b753c062f5d49a3
  • helm/chart-testing-action v2.6.1@e6669bcd63d7cb57cb4380c33043eebe5d111992
  • helm/kind-action v1.10.0@0025e74a8c7512023d06dc019c617aa3cf561fde
  • actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
.github/workflows/pr-goreleaser.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/pr-label.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • pascalgn/size-label-action bbbaa0d5ccce8e2e76254560df5c64b82dac2e12
.github/workflows/pr-stale.yaml
  • actions/stale v9.0.0@28ca1036281a5e5922ead5184a1bbf96e5fc984e
.github/workflows/pr-trivy.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
  • github/codeql-action v3.26.5@2c779ab0d087cd7fe7b826087247c2c81f27bfa6
.github/workflows/rebase.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • cirrus-actions/rebase 1.8@b87d48154a87a85666003575337e27b8cd65f691
.github/workflows/release.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
  • docker/login-action v3.3.0@9780b0c442fbb1117ed29e0efdff1e18412f7567
  • sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
  • anchore/sbom-action v0.17.2@61119d458adab75f756bc0b9e4bde25725f86a7a
  • goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
  • sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
.github/workflows/report-on-vulnerabilities.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
  • actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
  • JasonEtco/create-an-issue v2.9.2@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5
.github/workflows/scan.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
  • github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
.github/workflows/scorecard.yaml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  • actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
  • github/codeql-action v3.26.5@2c779ab0d087cd7fe7b826087247c2c81f27bfa6
gomod
go.mod
  • go 1.22.0
  • github.com/fluxcd/pkg/runtime v0.49.0
  • github.com/go-logr/logr v1.4.2
  • github.com/kylelemons/godebug v1.1.0
  • github.com/onsi/ginkgo/v2 v2.20.2
  • github.com/onsi/gomega v1.34.2
  • github.com/spf13/pflag v1.0.5
  • github.com/stretchr/testify v1.9.0
  • github.com/tj/assert v0.0.3
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
  • go.opentelemetry.io/otel v1.29.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0
  • go.opentelemetry.io/otel/sdk v1.29.0
  • google.golang.org/grpc v1.66.0
  • k8s.io/api v0.31.0
  • k8s.io/apiextensions-apiserver v0.31.0
  • k8s.io/apimachinery v0.31.0
  • k8s.io/client-go v0.31.0
  • sigs.k8s.io/controller-runtime v0.19.0
helm-values
chart/keycloak-controller/values.yaml
  • quay.io/brancz/kube-rbac-proxy v0.18.1
kustomize
config/base/manager/kustomization.yaml
  • ghcr.io/doodlescheduling/keycloak-controller v2.4.0

  • Check this box to trigger a request for Renovate to run again on this repository

KeycloakRealm reconciliation not triggered at control loop interval frequency

Describe the bug

KeycloakRealm CR does not reconcile in a loop

To Reproduce

Set the spec.interval to 15s, check the KeycloakRealm Events

apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakRealm
metadata:
  name: master
  namespace: keycloak
spec:
  interval: 15s
  ...

Check the KeycloakRealm Events
image

I do not have the Suspended property set.
Basically, the loop stops. If I change some config via the UI, it never gets overridden.

Expected behavior

At interval=15, I would expect 4 reconciliation events per minute; in this screenshot, 4min44 ~ 18 events, but we only get 2.

Environment

  • controller version: 2.2.0
  • keycloak version: 24.0.1
  • kubernetes version: 1.27.7

Client Authentication cannot be enabled for OIDC client through KeycloakClient custom resource

Describe the bug

When I deploy the controller and create a KeycloakRealm and a KeycloakClient for that realm, if Client Authentication needs to be enabled, I have to specify client.spec.publicClient: false. This gets translated into a REST API request containing "publicClient":true in the end and Client Authentication is not enabled. I found the reason to be that in keycloak-controller, publicClient is omitted from the generated realm.json because it is boolean false, and the property has omitempty specified: https://github.com/DoodleScheduling/keycloak-controller/blob/0eec656cc41362d6e026622515604de54ef7a546/api/v1beta1/keycloakclient_types.go#L133C4-L133C4

Note: latest tag is used for adorsys/keycloak-config-cli because latest-23.0.3 does not exist. At the time of writing, latest has digest 73a3369546ac (which is latest-23.0.1).

Note: the client was created on the Keycloak 23.0.3 UI and exported as JSON, converted to YAML and added to the KeycloakClient resource descriptor.

The custom resources:

apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakRealm
metadata:
  name: test-realm
spec:
  address: http://example-kc-service.idp:8080 # example on website includes /auth postfix which is not needed as of keycloak 19.x
  authSecret:
    name: keycloak-controller-user
  interval: 10m
  reconcilerTemplate:
    spec:
      containers:
      - name: keycloak-config-cli
        image: adorsys/keycloak-config-cli:latest # there is no 23.0.3 image
  resourceSelector:
    matchLabels:
      realm: test-realm
  realm:
    id: "test-realm"
    realm: "test-realm"
    enabled: true
    displayName: "Test Realm"
---
apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakClient
metadata:
  name: kc-client-example
  labels:
    realm: test-realm
spec:
  client:
    clientId: test2-client-secret
    name: test4-client-secret
    description: ""
    rootUrl: ""
    adminUrl: ""
    baseUrl: ""
    surrogateAuthRequired: false
    enabled: true
    alwaysDisplayInConsole: true
    clientAuthenticatorType: client-secret
    secret: "${secret:keycloak-client-secret-test2-client-secret:secret}" # from a secret
    redirectUris: []
    webOrigins: []
    notBefore: 0
    bearerOnly: false
    consentRequired: false
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: false
    publicClient: false                          # <--------- here
    frontchannelLogout: false
    protocol: openid-connect
    attributes:
      oauth2.device.authorization.grant.enabled: "false"
      backchannel.logout.revoke.offline.tokens: "false"
      use.refresh.tokens: "true"
      oidc.ciba.grant.enabled: "false"
      backchannel.logout.session.required: "true"
      client_credentials.use_refresh_token: "false"
      acr.loa.map: "{}"
      require.pushed.authorization.requests: "false"
      tls.client.certificate.bound.access.tokens: "false"
      display.on.consent.screen: "false"
      token.response.type.bearer.lower-case: "false"
    authenticationFlowBindingOverrides: {}
    fullScopeAllowed: true
    nodeReRegistrationTimeout: -1
    defaultClientScopes:
      - web-origins
      - acr
      - profile
      - roles
      - email
    optionalClientScopes:
      - address
      - phone
      - offline_access
      - microprofile-jwt
    access:
      view: true
      configure: true
      manage: true

In the reconciler pod, the generated realm.json does not have the publicClient property, as expected, in line with omitempty:

{
  "id": "test-realm",
  "realm": "test-realm",
  "enabled": true,
  "displayName": "Test Realm",
  "clients": [
    {
      "clientId": "test2-client-secret",
      "name": "test4-client-secret",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "verysecret",
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": true,
      "protocol": "openid-connect",
      "attributes": {
        "acr.loa.map": "{}",
        "backchannel.logout.revoke.offline.tokens": "false",
        "backchannel.logout.session.required": "true",
        "client_credentials.use_refresh_token": "false",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "oidc.ciba.grant.enabled": "false",
        "require.pushed.authorization.requests": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "token.response.type.bearer.lower-case": "false",
        "use.refresh.tokens": "true"
      },
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "access": {
        "configure": true,
        "manage": true,
        "view": true
      },
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
      ],
      "defaultClientScopes": [
        "web-origins",
        "acr",
        "profile",
        "roles",
        "email"
      ],
      "alwaysDisplayInConsole": true
    }
  ],
  "components": null,
  "requiredActions": null
}

In keycloak-config-cli, the request contains a true value for publicClient:

# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] o.a.http.impl.execchain.MainClientExec   : Executing request PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] o.a.http.impl.execchain.MainClientExec   : Proxy auth state: UNCHALLENGED
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> Authorization: Bearer ey...redacted...Cn_Q
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> Content-Type: application/json
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> Content-Length: 1659
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> Host: example-kc-service.idp:8080
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> Connection: Keep-Alive
# 2024-01-09 01:37:03.772 DEBUG 1 --- [           main] org.apache.http.headers                  : http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.9)
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "Authorization: Bearer ey...redacted...n_Q[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "Content-Type: application/json[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "Content-Length: 1659[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "Host: example-kc-service.idp:8080[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.9)[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [           main] org.apache.http.wire                     : http-outgoing-0 >> "{"id":"649ad426-bda4-4393-b148-7fc16c90bd2a","clientId":"test2-client-secret","name":"test4-client-secret","description":null,"rootUrl":null,"adminUrl":null,"baseUrl":null,"surrogateAuthRequired":false,"enabled":true,"alwaysDisplayInConsole":true,"clientAuthenticatorType":"client-secret","secret":null,"registrationAccessToken":null,"defaultRoles":null,"redirectUris":[],"webOrigins":[],"notBefore":0,"bearerOnly":false,"consentRequired":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":false,"authorizationServicesEnabled":null,"directGrantsOnly":null,"publicClient":true,"frontchannelLogout":false,"protocol":"openid-connect","attributes":{"oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","client_credentials.use_refresh_token":"false","acr.loa.map":"{}","require.pushed.authorization.requests":"false","tls.client.certificate.bound.access.tokens":"false","display.on.consent.screen":"false","oauth2.device.authorization.grant.enabled":"false","backchannel.logout.revoke.offline.tokens":"false","token.response.type.bearer.lower-case":"false","use.refresh.tokens":"true"},"authenticationFlowBindingOverrides":{},"fullScopeAllowed":true,"nodeReRegistrationTimeout":-1,"registeredNodes":null,"protocolMappers":null,"clientTemplate":null,"useTemplateConfig":null,"useTemplateScope":null,"useTemplateMappers":null,"defaultClientScopes":["web-origins","acr","roles","profile","email"],"optionalClientScopes":["address","phone","offline_access","microprofile-jwt"],"authorizationSettings":null,"access":{"view":true,"configure":true,"manage":true},"origin":null}"

To Reproduce

Steps to reproduce the behavior:

  1. Apply the above resource descriptors to a Keycloak instance.
  2. Wait for the resources to be reconciled by Keycloak Controller.
  3. Observe how Client Authentication is not enabled for client test4-client-secret in realm test-realm.

Expected behavior

Client Authentication should be enabled for client test4-client-secret in realm test-realm

Environment

  • controller version: v2.0.7 - installed using Helm
  • keycloak version: v23.0.3 - installed using Keycloak Operator v23.0.3
  • kubernetes version: minikube v1.32.0

Additional context

Minikube running on Docker Desktop 4.26.1 (131620) on macOS 14.2.1 on Intel.
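
Added example (not part of the issue and not keycloak-controller code): the request body in the wire log above carries `"publicClient":true`, and Keycloak's admin console shows Client Authentication as on only when `publicClient` is false. The Go check below flags that state in a ClientRepresentation sent to or read from the admin API; the names `clientRep` and `auditConfidential` are hypothetical, `loggedBody` is a trimmed copy of the logged body, and `confidentialBody` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// clientRep keeps only the ClientRepresentation fields that decide client authentication.
type clientRep struct {
	ClientID                string `json:"clientId"`
	PublicClient            *bool  `json:"publicClient"` // pointer: absent or null differs from false
	ClientAuthenticatorType string `json:"clientAuthenticatorType"`
}

// Trimmed copy of the request body in the wire log above (most fields dropped).
const loggedBody = `{"clientId":"test2-client-secret","clientAuthenticatorType":"client-secret","secret":null,"publicClient":true,"directAccessGrantsEnabled":true}`

// Constructed sample: the same client as it would look when sent as confidential.
const confidentialBody = `{"clientId":"test2-client-secret","clientAuthenticatorType":"client-secret","publicClient":false}`

// auditConfidential lists the reasons a client expected to be confidential is not.
func auditConfidential(raw []byte) ([]string, error) {
	var c clientRep
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("decode client representation: %w", err)
	}
	var findings []string
	switch {
	case c.PublicClient == nil:
		findings = append(findings, c.ClientID+": publicClient is absent, authentication state unknown")
	case *c.PublicClient:
		findings = append(findings, c.ClientID+": publicClient=true, client authentication is off")
		if c.ClientAuthenticatorType != "" {
			findings = append(findings, c.ClientID+": clientAuthenticatorType="+
				c.ClientAuthenticatorType+" is set on a public client")
		}
	}
	return findings, nil
}

func main() {
	for _, body := range []string{loggedBody, confidentialBody} {
		findings, err := auditConfidential([]byte(body))
		fmt.Println(findings, err)
	}
}
```

Running the same check against the representation returned by the admin API after reconciliation shows whether the desired confidential setting reached Keycloak.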
