doodlescheduling / keycloak-controller
Keycloak realm reconciliation for kubernetes
License: Apache License 2.0
High or critical vulnerabilities detected. Scan results are below:
Hello
First of all, I'm grateful for this well-designed controller :).
I'm facing an issue with groups not being imported.
Group structure:
groups:
- name: my-group
  path: /my-group
  clientRoles:
    my-first-realm:
    - impersonation
    - view-users
    my-second-realm:
    - view-users
    - impersonation
For now, groups are defined by: Groups []string `json:"groups,omitempty"`
From the Keycloak API doc, the group representation consists of maps, strings, arrays and subgroups.
https://www.keycloak.org/docs-api/21.0.1/rest-api/index.html#_grouprepresentation
Groups are : Groups []string `json:"groups,omitempty"`
Groups should be : Groups []GroupRepresentation `json:"groups,omitempty"`
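The type mismatch described in the issue above, as an added example that is not part of the original issue or the controller's code: it decodes the same group structure into the `[]string` field and into a structured field, then flattens the client-role grants for review. The names `currentSpec`, `proposedSpec`, the helper functions and the reduced `GroupRepresentation` (only `name`, `path`, `clientRoles`, `subGroups`) are assumptions, and the input is the issue's YAML rendered as JSON with one constructed subgroup.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Constructed input: the group from the issue rendered as JSON (the standard
// library has no YAML decoder). The subgroup is added to exercise nesting.
const realmJSON = `{
  "groups": [
    {
      "name": "my-group",
      "path": "/my-group",
      "clientRoles": {
        "my-first-realm": ["impersonation", "view-users"],
        "my-second-realm": ["view-users", "impersonation"]
      },
      "subGroups": [
        {"name": "child", "path": "/my-group/child",
         "clientRoles": {"my-first-realm": ["view-users"]}}
      ]
    }
  ]
}`

// currentSpec mirrors the field quoted in the issue: groups as plain strings.
type currentSpec struct {
	Groups []string `json:"groups,omitempty"`
}

// GroupRepresentation is a hypothetical, reduced model of Keycloak's
// GroupRepresentation; the real representation has more fields.
type GroupRepresentation struct {
	Name        string                `json:"name,omitempty"`
	Path        string                `json:"path,omitempty"`
	ClientRoles map[string][]string   `json:"clientRoles,omitempty"`
	SubGroups   []GroupRepresentation `json:"subGroups,omitempty"`
}

// proposedSpec uses the structured type the issue asks for.
type proposedSpec struct {
	Groups []GroupRepresentation `json:"groups,omitempty"`
}

// DecodeCurrent decodes into the []string field and returns the decode error.
func DecodeCurrent(data []byte) error {
	var s currentSpec
	return json.Unmarshal(data, &s)
}

// DecodeProposed decodes into the structured field.
func DecodeProposed(data []byte) ([]GroupRepresentation, error) {
	var s proposedSpec
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	return s.Groups, nil
}

// IsTypeMismatch reports whether err is a JSON type mismatch, which is what
// a group object landing in a string slot produces.
func IsTypeMismatch(err error) bool {
	var te *json.UnmarshalTypeError
	return errors.As(err, &te)
}

// RoleGrants walks the group tree, subgroups included, and returns one sorted
// "path client/role" line per grant so that sensitive roles such as
// impersonation are easy to spot when reviewing a realm definition.
func RoleGrants(groups []GroupRepresentation) []string {
	var out []string
	var walk func(gs []GroupRepresentation)
	walk = func(gs []GroupRepresentation) {
		for _, g := range gs {
			for client, roles := range g.ClientRoles {
				for _, r := range roles {
					out = append(out, fmt.Sprintf("%s %s/%s", g.Path, client, r))
				}
			}
			walk(g.SubGroups)
		}
	}
	walk(groups)
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("[]string field:", DecodeCurrent([]byte(realmJSON)))
	groups, err := DecodeProposed([]byte(realmJSON))
	if err != nil {
		fmt.Println("structured field:", err)
		return
	}
	for _, grant := range RoleGrants(groups) {
		fmt.Println(grant)
	}
}
```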
High or critical vulnerabilities detected. Scan results are below:
{"SchemaVersion":2,"CreatedAt":"2024-08-21T06:01:32.391379371Z","ArtifactName":"ghcr.io/doodlescheduling/keycloak-controller:latest","ArtifactType":"container_image","Metadata":{"OS":{"Family":"debian","Name":"12.5"},"ImageID":"sha256:21f23cff71774971e0b43c067aa0f56e30d729cb1c9b276754735d09323b8529","DiffIDs":["sha256:3d6fa0469044370439d20eaf7e0d25450e01335a93c13ba46e368d7785914c0c","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:5dd2bbcae9fc61a53aa3841e0c55d76863c18369a05c3ed155db861b1cf10f84"],"RepoTags":["ghcr.io/doodlescheduling/keycloak-controller:latest"],"RepoDigests":["ghcr.io/doodlescheduling/keycloak-controller@sha256:3adcf0c35e1fd885eb1e01c82605065107d4186a8f73b7cda77171105ed005fe"],"ImageConfig":{"architecture":"amd64","created":"2024-04-25T13:20:05.01943657Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"2024-04-25T13:20:05.01943657Z","created_by":"WORKDIR 
/","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-04-25T13:20:05.01943657Z","created_by":"COPY manager manager # buildkit","comment":"buildkit.dockerfile.v0"},{"created":"2024-04-25T13:20:05.01943657Z","created_by":"USER 65532:65532","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-04-25T13:20:05.01943657Z","created_by":"ENTRYPOINT ["/manager"]","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:3d6fa0469044370439d20eaf7e0d25450e01335a93c13ba46e368d7785914c0c","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:5dd2bbcae9fc61a53aa3841e0c55d76863c18369a05c3ed155db861b1cf10f84"]},"config":{"Entrypoint":["/manager"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"],"Labels":{"org.opencontainers.image.created":"2024-04-25T13:19:55Z","org.opencontainers.image.description":"keycloak-controller","org.opencontainers.image.licenses":"Apache-2.0","org.opencontainers.image.revision":"1573137421316f137efc6bf8bb01a818c1870122","org.opencontainers.image.source":"https://github.com/doodlescheduling/keycloak-controller","org.opencontainers.image.title":"keycloak-controller","org.opencontainers.image.url":"https://
github.com/doodlescheduling/keycloak-controller","org.opencontainers.image.version":"2.3.0"},"User":"65532:65532","WorkingDir":"/"}}},"Results":[{"Target":"ghcr.io/doodlescheduling/keycloak-controller:latest (debian 12.5)","Class":"os-pkgs","Type":"debian"},{"Target":"manager","Class":"lang-pkgs","Type":"gobinary","Vulnerabilities":[{"VulnerabilityID":"CVE-2024-24790","PkgName":"stdlib","PkgIdentifier":{"PURL":"pkg:golang/[email protected]","UID":"63059503c675931a"},"InstalledVersion":"1.20.14","FixedVersion":"1.21.11, 1.22.4","Status":"fixed","Layer":{"Digest":"sha256:30f6850d5f8edd9b8f716ca8827b8054efa46dc1ceecff5f0cb6b1272e289f71","DiffID":"sha256:5dd2bbcae9fc61a53aa3841e0c55d76863c18369a05c3ed155db861b1cf10f84"},"SeveritySource":"nvd","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2024-24790","DataSource":{"ID":"govulndb","Name":"The Go Vulnerability Database","URL":"https://pkg.go.dev/vuln/"},"Title":"golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses","Description":"The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 
forms.","Severity":"CRITICAL","VendorSeverity":{"alma":2,"amazon":2,"bitnami":4,"cbl-mariner":4,"nvd":4,"oracle-oval":2,"photon":4,"redhat":2,"rocky":2,"ubuntu":2},"CVSS":{"bitnami":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8},"nvd":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","V3Score":9.8},"redhat":{"V3Vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","V3Score":6.7}},"References":["http://www.openwall.com/lists/oss-security/2024/06/04/1","https://access.redhat.com/errata/RHSA-2024:4212","https://access.redhat.com/security/cve/CVE-2024-24790","https://bugzilla.redhat.com/2292668","https://bugzilla.redhat.com/2292787","https://bugzilla.redhat.com/show_bug.cgi?id=2292668","https://bugzilla.redhat.com/show_bug.cgi?id=2292787","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24789","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790","https://errata.almalinux.org/9/ALSA-2024-4212.html","https://errata.rockylinux.org/RLSA-2024:4212","https://github.com/golang/go/commit/051bdf3fd12a40307606ff9381138039c5f452f0 (1.21)","https://github.com/golang/go/commit/12d5810cdb1f73cf23d7a86462143e9463317fca (1.22)","https://github.com/golang/go/issues/67680","https://go.dev/cl/590316","https://go.dev/issue/67680","https://groups.google.com/g/golang-announce/c/XbxouI9gY7k","https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ","https://linux.oracle.com/cve/CVE-2024-24790.html","https://linux.oracle.com/errata/ELSA-2024-5291.html","https://nvd.nist.gov/vuln/detail/CVE-2024-24790","https://pkg.go.dev/vuln/GO-2024-2887","https://ubuntu.com/security/notices/USN-6886-1","https://www.cve.org/CVERecord?id=CVE-2024-24790"],"PublishedDate":"2024-06-05T16:15:10.56Z","LastModifiedDate":"2024-06-18T17:59:12.547Z"},{"VulnerabilityID":"CVE-2023-45288","PkgName":"stdlib","PkgIdentifier":{"PURL":"pkg:golang/[email protected]","UID":"63059503c675931a"},"InstalledVersion":"1.20.14","FixedVersion":"1.21.9, 
1.22.2","Status":"fixed","Layer":{"Digest":"sha256:30f6850d5f8edd9b8f716ca8827b8054efa46dc1ceecff5f0cb6b1272e289f71","DiffID":"sha256:5dd2bbcae9fc61a53aa3841e0c55d76863c18369a05c3ed155db861b1cf10f84"},"PrimaryURL":"https://avd.aquasec.com/nvd/cve-2023-45288","DataSource":{"ID":"govulndb","Name":"The Go Vulnerability Database","URL":"https://pkg.go.dev/vuln/"},"Title":"golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS","Description":"An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. 
The fix sets a limit on the amount of excess header frames we will process before closing a connection.","Severity":"HIGH","VendorSeverity":{"alma":3,"amazon":2,"azure":3,"cbl-mariner":3,"ghsa":2,"oracle-oval":3,"photon":3,"redhat":3,"rocky":3,"ubuntu":2},"CVSS":{"ghsa":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","V3Score":5.3},"redhat":{"V3Vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","V3Score":7.5}},"References":["http://www.openwall.com/lists/oss-security/2024/04/03/16","http://www.openwall.com/lists/oss-security/2024/04/05/4","https://access.redhat.com/errata/RHSA-2024:2724","https://access.redhat.com/security/cve/CVE-2023-45288","https://bugzilla.redhat.com/2268017","https://bugzilla.redhat.com/2268018","https://bugzilla.redhat.com/2268019","https://bugzilla.redhat.com/2268273","https://bugzilla.redhat.com/show_bug.cgi?id=2268017","https://bugzilla.redhat.com/show_bug.cgi?id=2268018","https://bugzilla.redhat.com/show_bug.cgi?id=2268019","https://bugzilla.redhat.com/show_bug.cgi?id=2268273","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783","https://errata.almalinux.org/9/ALSA-2024-2724.html","https://errata.rockylinux.org/RLSA-2024:2724","https://go.dev/cl/576155","https://go.dev/issue/65051","https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M","https://kb.cert.org/vuls/id/421644","https://linux.oracle.com/cve/CVE-2023-45288.html","https://linux.oracle.com/errata/ELSA-2024-3346.html","https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT","https://lists.fedoraproject.org/archives/list/[email 
protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/","https://nowotarski.info/http2-continuation-flood-technical-details","https://nowotarski.info/http2-continuation-flood/","https://nvd.nist.gov/vuln/detail/CVE-2023-45288","https://pkg.go.dev/vuln/GO-2024-2687","https://security.netapp.com/advisory/ntap-20240419-0009","https://security.netapp.com/advisory/ntap-20240419-0009/","https://ubuntu.com/security/notices/USN-6886-1","https://www.cve.org/CVERecord?id=CVE-2023-45288","https://www.kb.cert.org/vuls/id/421644"],"PublishedDate":"2024-04-04T21:15:16.113Z","LastModifiedDate":"2024-05-01T18:15:10.493Z"}]},{"Target":"OS Packages","Class":"license","Licenses":[{"Severity":"HIGH","Category":"restricted","PkgName":"base-files","FilePath":"","Name":"GPL-3.0","Confidence":1,"Link":""},{"Severity":"HIGH","Category":"restricted","PkgName":"netbase","FilePath":"","Name":"GPL-2.0","Confidence":1,"Link":""}]},{"Target":"manager","Class":"license"},{"Target":"Loose File License(s)","Class":"license-file"}]}
High or critical vulnerabilities detected. Scan results are below:
{"SchemaVersion":2,"CreatedAt":"2024-08-23T06:01:28.504697553Z","ArtifactName":"ghcr.io/doodlescheduling/keycloak-controller:latest","ArtifactType":"container_image","Metadata":{"OS":{"Family":"debian","Name":"12.6"},"ImageID":"sha256:4b7a4e41441930b8028e844739f529ba1345e8fe4c9f133939c1da64f1b290f6","DiffIDs":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:670f5657a47c8e4e7652d59511839da525efb1a9ce3948192595021e3f74a493"],"RepoTags":["ghcr.io/doodlescheduling/keycloak-controller:latest"],"RepoDigests":["ghcr.io/doodlescheduling/keycloak-controller@sha256:02ac465e29468b27ced191230ded71527e150adf1a19d9afc44f20b43d1de9eb"],"ImageConfig":{"architecture":"amd64","created":"2024-08-21T07:55:30.168008604Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"2024-08-21T07:55:30.168008604Z","created_by":"WORKDIR 
/","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-08-21T07:55:30.168008604Z","created_by":"COPY manager manager # buildkit","comment":"buildkit.dockerfile.v0"},{"created":"2024-08-21T07:55:30.168008604Z","created_by":"USER 65532:65532","comment":"buildkit.dockerfile.v0","empty_layer":true},{"created":"2024-08-21T07:55:30.168008604Z","created_by":"ENTRYPOINT ["/manager"]","comment":"buildkit.dockerfile.v0","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:f144bb4c7c7f0d2aa7eeffd36d934ec40db1ee167be727e326aad9fdc616f475","sha256:49626df344c912cfe9f8d8fcd635d301bd41127cd326914212cf2443a96cf421","sha256:945d17be9a3e27af5ca1c671792bf1a8f2c3f4d13d3994665d95f084ed4f8a60","sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368","sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc","sha256:ac805962e47900b616b2f4b4584a34ac7b07d64ac1fd2c077478cf65311addcc","sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b","sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3","sha256:b336e209998fa5cf0eec3dabf93a21194198a35f4f75612d8da03693f8c30217","sha256:670f5657a47c8e4e7652d59511839da525efb1a9ce3948192595021e3f74a493"]},"config":{"Entrypoint":["/manager"],"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"],"Labels":{"org.opencontainers.image.created":"2024-08-21T07:55:21Z","org.opencontainers.image.description":"keycloak-controller","org.opencontainers.image.licenses":"Apache-2.0","org.opencontainers.image.revision":"4eb2243cf704d5065166d048aa99c782172cbe20","org.opencontainers.image.source":"https://github.com/doodlescheduling/keycloak-controller","org.opencontainers.image.title":"keycloak-controller","org.opencontainers.image.url":"https
://github.com/doodlescheduling/keycloak-controller","org.opencontainers.image.version":"2.4.0"},"User":"65532:65532","WorkingDir":"/"}}},"Results":[{"Target":"ghcr.io/doodlescheduling/keycloak-controller:latest (debian 12.6)","Class":"os-pkgs","Type":"debian"},{"Target":"manager","Class":"lang-pkgs","Type":"gobinary"}]}
High or critical vulnerabilities detected. Scan results are below:
If only sub resources have been changed and spec.interval is set to a high number, reconciliation is awaiting the interval.
However, this does not happen if the realm generation was changed.
Change a keycloakclient or user.
It should trigger a reconcile. The generations of the observed sub resources have to be acknowledged as well.
This gate exists to avoid unnecessary pod scheduling of realm reconcilers.
High or critical vulnerabilities detected. Scan results are below:
High or critical vulnerabilities detected. Scan results are below:
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates await pending status checks. To force their creation now, click the checkbox below.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Dockerfile
gcr.io/distroless/static nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
proxy/Dockerfile
gcr.io/distroless/static nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
.github/workflows/main.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
shogo82148/actions-goveralls v1.9.0@785c9d68212c91196d3994652647f8721918ba11
.github/workflows/pr-actions.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
zgosalvez/github-actions-ensure-sha-pinned-actions v3.0.11@3c16e895bb662b4d7e284f032cbe8835a57773cc
.github/workflows/pr-build.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
actions/setup-python v5.2.0@f677139bbe7f9c59b41e40162b753c062f5d49a3
helm/chart-testing-action v2.6.1@e6669bcd63d7cb57cb4380c33043eebe5d111992
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
engineerd/setup-kind v0.5.0@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0
actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
imranismail/setup-kustomize v2.1.0@2ba527d4d055ab63514ba50a99456fc35684947f
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
actions/setup-python v5.2.0@f677139bbe7f9c59b41e40162b753c062f5d49a3
helm/chart-testing-action v2.6.1@e6669bcd63d7cb57cb4380c33043eebe5d111992
helm/kind-action v1.10.0@0025e74a8c7512023d06dc019c617aa3cf561fde
actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
.github/workflows/pr-goreleaser.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
.github/workflows/pr-label.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
pascalgn/size-label-action bbbaa0d5ccce8e2e76254560df5c64b82dac2e12
.github/workflows/pr-stale.yaml
actions/stale v9.0.0@28ca1036281a5e5922ead5184a1bbf96e5fc984e
.github/workflows/pr-trivy.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
github/codeql-action v3.26.5@2c779ab0d087cd7fe7b826087247c2c81f27bfa6
.github/workflows/rebase.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
cirrus-actions/rebase 1.8@b87d48154a87a85666003575337e27b8cd65f691
.github/workflows/release.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
actions/setup-go v5.0.2@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
docker/login-action v3.3.0@9780b0c442fbb1117ed29e0efdff1e18412f7567
sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
anchore/sbom-action v0.17.2@61119d458adab75f756bc0b9e4bde25725f86a7a
goreleaser/goreleaser-action v6.0.0@286f3b13b1b49da4ac219696163fb8c1c93e1200
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
azure/setup-helm v3.5@5119fcb9089d432beecbf79bb2c7915207344b78
sigstore/cosign-installer v3.6.0@4959ce089c160fddf62f7b42464195ba1a56d382
.github/workflows/report-on-vulnerabilities.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
aquasecurity/trivy-action 0.24.0@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
JasonEtco/create-an-issue v2.9.2@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5
.github/workflows/scan.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
github/codeql-action codeql-bundle-20221020@f0a12816612c7306b485a22cb164feb43c6df818
.github/workflows/scorecard.yaml
step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
github/codeql-action v3.26.5@2c779ab0d087cd7fe7b826087247c2c81f27bfa6
go.mod
go 1.22.0
github.com/fluxcd/pkg/runtime v0.49.0
github.com/go-logr/logr v1.4.2
github.com/kylelemons/godebug v1.1.0
github.com/onsi/ginkgo/v2 v2.20.2
github.com/onsi/gomega v1.34.2
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.9.0
github.com/tj/assert v0.0.3
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
go.opentelemetry.io/otel v1.29.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0
go.opentelemetry.io/otel/sdk v1.29.0
google.golang.org/grpc v1.66.0
k8s.io/api v0.31.0
k8s.io/apiextensions-apiserver v0.31.0
k8s.io/apimachinery v0.31.0
k8s.io/client-go v0.31.0
sigs.k8s.io/controller-runtime v0.19.0
chart/keycloak-controller/values.yaml
quay.io/brancz/kube-rbac-proxy v0.18.1
config/base/manager/kustomization.yaml
ghcr.io/doodlescheduling/keycloak-controller v2.4.0
KeycloakRealm CR does not reconcile in a loop
Set the spec.interval to 15s, check the KeycloakRealm Events
apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakRealm
metadata:
  name: master
  namespace: keycloak
spec:
  interval: 15s
  ...
Check the KeycloakRealm Events
I do not have the Suspended property set.
Basically, the loop stops. If I change some config via the UI, it never gets overridden.
At interval=15, I would expect 4 reconciliation events per minute, in this screenshot 4min44 ~ 18 events, but we only get 2.
When I deploy the controller and create a KeycloakRealm and a KeycloakClient for that realm, if Client Authentication needs to be enabled, I have to specify client.spec.publicClient: false. This gets translated into a REST API request containing "publicClient":true in the end and Client Authentication is not enabled. I found the reason to be that in keycloak-controller, publicClient is omitted from the generated realm.json because it is boolean false, and the property has omitempty specified: https://github.com/DoodleScheduling/keycloak-controller/blob/0eec656cc41362d6e026622515604de54ef7a546/api/v1beta1/keycloakclient_types.go#L133C4-L133C4
Note: latest tag is used for adorsys/keycloak-config-cli because latest-23.0.3 does not exist. At the time of writing, latest has digest 73a3369546ac (which is latest-23.0.1)
Note: the client was created on the Keycloak 23.0.3 UI and exported as JSON, converted to YAML and added to the KeycloakClient resource descriptor.
The custom resources:
apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakRealm
metadata:
  name: test-realm
spec:
  address: http://example-kc-service.idp:8080 # example on website includes /auth postfix which is not needed as of keycloak 19.x
  authSecret:
    name: keycloak-controller-user
  interval: 10m
  reconcilerTemplate:
    spec:
      containers:
      - name: keycloak-config-cli
        image: adorsys/keycloak-config-cli:latest # there is no 23.0.3 image
  resourceSelector:
    matchLabels:
      realm: test-realm
  realm:
    id: "test-realm"
    realm: "test-realm"
    enabled: true
    displayName: "Test Realm"
---
apiVersion: keycloak.infra.doodle.com/v1beta1
kind: KeycloakClient
metadata:
  name: kc-client-example
  labels:
    realm: test-realm
spec:
  client:
    clientId: test2-client-secret
    name: test4-client-secret
    description: ""
    rootUrl: ""
    adminUrl: ""
    baseUrl: ""
    surrogateAuthRequired: false
    enabled: true
    alwaysDisplayInConsole: true
    clientAuthenticatorType: client-secret
    secret: "${secret:keycloak-client-secret-test2-client-secret:secret}" # from a secret
    redirectUris: []
    webOrigins: []
    notBefore: 0
    bearerOnly: false
    consentRequired: false
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: false
    publicClient: false # <--------- here
    frontchannelLogout: false
    protocol: openid-connect
    attributes:
      oauth2.device.authorization.grant.enabled: "false"
      backchannel.logout.revoke.offline.tokens: "false"
      use.refresh.tokens: "true"
      oidc.ciba.grant.enabled: "false"
      backchannel.logout.session.required: "true"
      client_credentials.use_refresh_token: "false"
      acr.loa.map: "{}"
      require.pushed.authorization.requests: "false"
      tls.client.certificate.bound.access.tokens: "false"
      display.on.consent.screen: "false"
      token.response.type.bearer.lower-case: "false"
    authenticationFlowBindingOverrides: {}
    fullScopeAllowed: true
    nodeReRegistrationTimeout: -1
    defaultClientScopes:
    - web-origins
    - acr
    - profile
    - roles
    - email
    optionalClientScopes:
    - address
    - phone
    - offline_access
    - microprofile-jwt
    access:
      view: true
      configure: true
      manage: true
In the reconciler pod, the generated realm.json does not have the publicClient property, as expected, in line with omitempty:
{
  "id": "test-realm",
  "realm": "test-realm",
  "enabled": true,
  "displayName": "Test Realm",
  "clients": [
    {
      "clientId": "test2-client-secret",
      "name": "test4-client-secret",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "verysecret",
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": true,
      "protocol": "openid-connect",
      "attributes": {
        "acr.loa.map": "{}",
        "backchannel.logout.revoke.offline.tokens": "false",
        "backchannel.logout.session.required": "true",
        "client_credentials.use_refresh_token": "false",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "oidc.ciba.grant.enabled": "false",
        "require.pushed.authorization.requests": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "token.response.type.bearer.lower-case": "false",
        "use.refresh.tokens": "true"
      },
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "access": {
        "configure": true,
        "manage": true,
        "view": true
      },
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
      ],
      "defaultClientScopes": [
        "web-origins",
        "acr",
        "profile",
        "roles",
        "email"
      ],
      "alwaysDisplayInConsole": true
    }
  ],
  "components": null,
  "requiredActions": null
}
In keycloak-config-cli, the request contains a true value for publicClient:
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] o.a.http.impl.execchain.MainClientExec : Executing request PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] o.a.http.impl.execchain.MainClientExec : Proxy auth state: UNCHALLENGED
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Authorization: Bearer ey...redacted...Cn_Q
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Content-Type: application/json
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Content-Length: 1659
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Host: example-kc-service.idp:8080
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Connection: Keep-Alive
# 2024-01-09 01:37:03.772 DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.9)
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "PUT /admin/realms/test-realm/clients/649ad426-bda4-4393-b148-7fc16c90bd2a HTTP/1.1[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Authorization: Bearer ey...redacted...n_Q[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Content-Type: application/json[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Content-Length: 1659[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Host: example-kc-service.idp:8080[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/17.0.9)[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "[\r][\n]"
# 2024-01-09 01:37:03.773 DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "{"id":"649ad426-bda4-4393-b148-7fc16c90bd2a","clientId":"test2-client-secret","name":"test4-client-secret","description":null,"rootUrl":null,"adminUrl":null,"baseUrl":null,"surrogateAuthRequired":false,"enabled":true,"alwaysDisplayInConsole":true,"clientAuthenticatorType":"client-secret","secret":null,"registrationAccessToken":null,"defaultRoles":null,"redirectUris":[],"webOrigins":[],"notBefore":0,"bearerOnly":false,"consentRequired":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":false,"authorizationServicesEnabled":null,"directGrantsOnly":null,"publicClient":true,"frontchannelLogout":false,"protocol":"openid-connect","attributes":{"oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","client_credentials.use_refresh_token":"false","acr.loa.map":"{}","require.pushed.authorization.requests":"false","tls.client.certificate.bound.access.tokens":"false","display.on.consent.screen":"false","oauth2.device.authorization.grant.enabled":"false","backchannel.logout.revoke.offline.tokens":"false","token.response.type.bearer.lower-case":"false","use.refresh.tokens":"true"},"authenticationFlowBindingOverrides":{},"fullScopeAllowed":true,"nodeReRegistrationTimeout":-1,"registeredNodes":null,"protocolMappers":null,"clientTemplate":null,"useTemplateConfig":null,"useTemplateScope":null,"useTemplateMappers":null,"defaultClientScopes":["web-origins","acr","roles","profile","email"],"optionalClientScopes":["address","phone","offline_access","microprofile-jwt"],"authorizationSettings":null,"access":{"view":true,"configure":true,"manage":true},"origin":null}"
Steps to reproduce the behavior:
test4-client-secret in realm test-realm.
Client Authentication should be enabled for client test4-client-secret in realm test-realm
Minikube running on Docker Desktop 4.26.1 (131620) on MacOS 14.2.1 on Intel.
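The omitempty behaviour reported in the issue above, reproduced as an added example (not the controller's own code): a plain bool with omitempty drops an explicit false, so a client declared confidential reaches the downstream tool with no publicClient key at all. The struct types, helper names and the droppedFalse check are hypothetical; a pointer field is shown as one common Go way to keep an explicit false, not as the project's fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// clientOmitEmpty is a hypothetical type with the shape the issue describes:
// plain bool fields tagged omitempty, so false is never serialized.
type clientOmitEmpty struct {
	ClientID     string `json:"clientId"`
	PublicClient bool   `json:"publicClient,omitempty"`
	BearerOnly   bool   `json:"bearerOnly,omitempty"`
}

// clientPointer is a hypothetical alternative: *bool lets omitempty skip only
// nil (unset) while an explicit false is still written out.
type clientPointer struct {
	ClientID     string `json:"clientId"`
	PublicClient *bool  `json:"publicClient,omitempty"`
	BearerOnly   *bool  `json:"bearerOnly,omitempty"`
}

func boolPtr(b bool) *bool { return &b }

func render(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// renderLossy serializes the constructed client with plain bool fields.
func renderLossy() string {
	return render(clientOmitEmpty{ClientID: "test2-client-secret"})
}

// renderExact serializes the same client with pointer fields set to false.
func renderExact() string {
	return render(clientPointer{
		ClientID:     "test2-client-secret",
		PublicClient: boolPtr(false),
		BearerOnly:   boolPtr(false),
	})
}

// droppedFalse lists, in sorted order, every key the declared spec sets to
// false that is missing from the rendered JSON object. Such a key falls back
// to whatever default the consumer applies.
func droppedFalse(declared map[string]interface{}, rendered string) ([]string, error) {
	var out map[string]json.RawMessage
	if err := json.Unmarshal([]byte(rendered), &out); err != nil {
		return nil, err
	}
	var missing []string
	for key, val := range declared {
		b, isBool := val.(bool)
		if !isBool || b {
			continue // only explicit false values can be lost to omitempty
		}
		if _, present := out[key]; !present {
			missing = append(missing, key)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// declaredSpec is a constructed subset of the KeycloakClient spec from the issue.
func declaredSpec() map[string]interface{} {
	return map[string]interface{}{
		"clientId":     "test2-client-secret",
		"publicClient": false,
		"bearerOnly":   false,
	}
}

func main() {
	for _, doc := range []string{renderLossy(), renderExact()} {
		missing, err := droppedFalse(declaredSpec(), doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  explicit false values lost: %v\n", doc, missing)
	}
}
```

Running a check like droppedFalse against the generated realm.json before it is applied surfaces a silently dropped publicClient: false instead of leaving it to the consumer's default.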