From 45036ff249ac3573b99680bf11fd3e660cba653f Mon Sep 17 00:00:00 2001
From: Timofei Larkin <lllamnyp@gmail.com>
Date: Wed, 8 Oct 2025 20:37:08 +0300
Subject: [PATCH] [oidc] Check APIVersions before deploying

When enabling OIDC, the Tenant applications may try to deploy
KeycloakRealmGroups before the Keycloak operator is live. This may
lead to a race where neither HelmRelease is able to progress. This patch
addresses this.

```release-note
[oidc] Do not deploy KeycloakRealmGroup resources as part of the Tenant
application if the v1.edp.epam.com API is not yet available.
```

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
---
 packages/apps/tenant/templates/keycloakgroups.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/apps/tenant/templates/keycloakgroups.yaml b/packages/apps/tenant/templates/keycloakgroups.yaml
index 1f4cc957..59288ca4 100644
--- a/packages/apps/tenant/templates/keycloakgroups.yaml
+++ b/packages/apps/tenant/templates/keycloakgroups.yaml
@@ -1,6 +1,7 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
 {{- if eq $oidcEnabled "true" }}
+{{- if .Capabilities.APIVersions.Has "v1.edp.epam.com/v1" }}
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakRealmGroup
 metadata:
@@ -51,3 +52,4 @@ spec:
     name: keycloakrealm-cozy
     kind: ClusterKeycloakRealm
 {{- end }}
+{{- end }}