feat!: add terraform keycloak provider

Author: nicolst

cmd/main.go

@@ -52,7 +52,7 @@ import (
 // Config for the overall controller
 type config struct {
 	// Whether to use the dummy implementation of the Keycloak interface
-	KeycloakDummy bool `env:"KEYCLOAK_DUMMY"`
+	KeycloakProvider string `env:"KEYCLOAK_PROVIDER"`
 
 	// If set, will try to populate keycloakConfig using this secret
 	GCPSecret string `env:"GCP_SECRET"`
@@ -164,50 +164,13 @@ func main() {
 	cfg, err := env.ParseAsWithOptions[config](env.Options{Prefix: "KEYCLOAKERATOR_"})
 	if err != nil {
 		setupLog.Error(err, "unable to parse general config from env")
+		os.Exit(1)
 	}
 
-	var oidcService controller.OIDCService = &controller.OidcDummy{}
-	if !cfg.KeycloakDummy {
-		kcConfig := &keycloakConfig{}
-
-		if cfg.GCPSecret != "" {
-			if err = readKeycloakConfigFromSecretManager(ctx, cfg.GCPSecret, kcConfig); err != nil {
-				setupLog.Error(err, "unable to fetch or parse config from secret manager")
-			}
-		}
-
-		err = env.ParseWithOptions(kcConfig, env.Options{
-			Prefix: "KEYCLOAKERATOR_",
-		})
-		if err != nil {
-			fmt.Printf("error parsing environment variables: %s", err)
-			os.Exit(1)
-		}
-
-		if !kcConfig.Valid() {
-			fmt.Print("missing one or more keycloak parameters")
-			os.Exit(1)
-		}
-
-		setupLog.Info("initializing GoCloak wrapper")
-
-		// The oauth2/clientcredentials package provides a TokenSource which keeps our Keycloak token
-		// up to date automatically.
-		authConfig := &clientcredentials.Config{
-			ClientID:     kcConfig.ClientId,
-			ClientSecret: kcConfig.ClientSecret,
-			TokenURL: kcConfig.KeycloakUrl.JoinPath(
-				"realms",
-				kcConfig.ClientRealm,
-				"protocol/openid-connect/token",
-			).String(),
-		}
-
-		oidcService = keycloak.NewGocloakWrapper(
-			kcConfig.KeycloakUrl.String(),
-			kcConfig.ClientRealm,
-			authConfig.TokenSource(ctx),
-		)
+	oidcService, err := initKeycloakProvider(ctx, cfg)
+	if err != nil {
+		setupLog.Error(err, "unable to initialize keycloak provider")
+		os.Exit(1)
 	}
 
 	// Set up our reconciler
@@ -257,3 +220,77 @@ func readKeycloakConfigFromSecretManager(ctx context.Context, secret string, kc
 
 	return yaml.Unmarshal(resp.GetPayload().GetData(), kc)
 }
+
+func initKeycloakProvider(ctx context.Context, cfg config) (controller.OIDCService, error) {
+	switch cfg.KeycloakProvider {
+	case "dummy":
+		return &controller.OidcDummy{}, nil
+	case "gocloak":
+		return gocloakProvider(ctx, cfg)
+	case "terraform":
+		return terraformProvider(ctx, cfg)
+	default:
+		return nil, fmt.Errorf("unknown keycloak provider %q", cfg.KeycloakProvider)
+	}
+}
+
+func terraformProvider(ctx context.Context, cfg config) (controller.OIDCService, error) {
+	kcConfig, err := getKeycloakConfig(ctx, cfg.GCPSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	return keycloak.NewTerraformProviderWrapper(ctx,
+		kcConfig.KeycloakUrl.String(),
+		kcConfig.ClientId,
+		kcConfig.ClientSecret,
+		kcConfig.ClientRealm,
+	)
+}
+
+func gocloakProvider(ctx context.Context, cfg config) (controller.OIDCService, error) {
+	kcConfig, err := getKeycloakConfig(ctx, cfg.GCPSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	// The oauth2/clientcredentials package provides a TokenSource which keeps our Keycloak token
+	// up to date automatically.
+	authConfig := &clientcredentials.Config{
+		ClientID:     kcConfig.ClientId,
+		ClientSecret: kcConfig.ClientSecret,
+		TokenURL: kcConfig.KeycloakUrl.JoinPath(
+			"realms",
+			kcConfig.ClientRealm,
+			"protocol/openid-connect/token",
+		).String(),
+	}
+
+	return keycloak.NewGocloakWrapper(
+		kcConfig.KeycloakUrl.String(),
+		kcConfig.ClientRealm,
+		authConfig.TokenSource(ctx),
+	), nil
+}
+
+func getKeycloakConfig(ctx context.Context, gcpSecret string) (*keycloakConfig, error) {
+	kcConfig := &keycloakConfig{}
+
+	if gcpSecret != "" {
+		if err := readKeycloakConfigFromSecretManager(ctx, gcpSecret, kcConfig); err != nil {
+			return nil, fmt.Errorf("unable to fetch or parse config from secret manager: %w", err)
+		}
+	}
+
+	if err := env.ParseWithOptions(kcConfig, env.Options{
+		Prefix: "KEYCLOAKERATOR_",
+	}); err != nil {
+		return nil, fmt.Errorf("error parsing environment variables: %s", err)
+	}
+
+	if !kcConfig.Valid() {
+		return nil, fmt.Errorf("missing one or more keycloak parameters")
+	}
+
+	return kcConfig, nil
+}

go.mod

@@ -1,14 +1,17 @@
 module github.com/statisticsnorway/keycloakerator
 
-go 1.21
+go 1.22.0
+
+toolchain go1.23.1
 
 require (
 	cloud.google.com/go/secretmanager v1.13.1
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/caarlos0/env/v11 v11.0.1
+	github.com/keycloak/terraform-provider-keycloak v0.0.0-20250210105921-9ee4f2d90096
 	github.com/onsi/ginkgo/v2 v2.14.0
 	github.com/onsi/gomega v1.30.0
-	golang.org/x/oauth2 v0.20.0
+	golang.org/x/oauth2 v0.22.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
@@ -20,13 +23,14 @@ require (
 require (
 	cloud.google.com/go/auth v0.4.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/compute/metadata v0.5.0 // indirect
 	cloud.google.com/go/iam v1.1.8 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
@@ -49,10 +53,18 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -75,7 +87,7 @@ require (
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
@@ -85,10 +97,10 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.180.0 // indirect
 	google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240509183442-62759503f434 // indirect
-	google.golang.org/grpc v1.63.2 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect