bugfix make kk deletable

Signed-off-by: kklinch0 <kklinch0@gmail.com>
2026-01-28 18:18:41 +00:00 · 2025-07-05 17:07:59 +03:00
3 changed files with 188 additions and 4 deletions
--- a/internal/controller/system_helm_reconciler.go
+++ b/internal/controller/system_helm_reconciler.go
@@ -11,7 +11,9 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -77,6 +79,158 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 	}

 	log.Info("finished reconciliation", "updatedHelmReleases", updated)
+
+	// Check if oidc-enabled has changed from true to false
+	oidcDisabled, err := r.checkOIDCDisabledTransition(ctx)
+	if err != nil {
+		log.Error(err, "failed to check OIDC status")
+	}
+
+	if oidcDisabled {
+		type crdToDelete struct {
+			kind      string
+			name      string
+			namespace string
+			gvk       schema.GroupVersionKind
+		}
+
+		crds := []crdToDelete{
+			{
+				kind:      "ClusterKeycloak",
+				name:      "keycloak-cozy",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1alpha1", Kind: "ClusterKeycloak"},
+			},
+			{
+				kind:      "ClusterKeycloakRealm",
+				name:      "keycloakrealm-cozy",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1alpha1", Kind: "ClusterKeycloakRealm"},
+			},
+			{
+				kind:      "KeycloakClient",
+				name:      "keycloakclient",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClient"},
+			},
+			{
+				kind:      "KeycloakClient",
+				name:      "kubeapps-client",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClient"},
+			},
+			{
+				kind:      "KeycloakClientScope",
+				name:      "keycloakclientscope-cozy",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClientScope"},
+			},
+			{
+				kind:      "KeycloakClientScope",
+				name:      "kubernetes-client",
+				namespace: "cozy-keycloak",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClientScope"},
+			},
+			{
+				kind:      "KeycloakRealmGroup",
+				name:      "cozystack-cluster-admin",
+				namespace: "cozy-system",
+				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakRealmGroup"},
+			},
+		}
+
+		for _, crd := range crds {
+			u := &unstructured.Unstructured{}
+			u.SetGroupVersionKind(crd.gvk)
+			u.SetName(crd.name)
+			u.SetNamespace(crd.namespace)
+
+			if err := r.Get(ctx, client.ObjectKeyFromObject(u), u); err != nil {
+				if kerrors.IsNotFound(err) {
+					continue
+				}
+				log.Error(err, "failed to get "+crd.kind, "name", crd.name)
+				continue
+			}
+
+			if finalizers := u.GetFinalizers(); len(finalizers) > 0 {
+				u.SetFinalizers(nil)
+				if err := r.Update(ctx, u); err != nil {
+					log.Error(err, "failed to remove finalizers from "+crd.kind, "name", crd.name)
+					continue
+				}
+				log.Info("removed finalizers from "+crd.kind, "name", crd.name)
+			}
+
+			if err := r.Delete(ctx, u); err != nil && !kerrors.IsNotFound(err) {
+				log.Error(err, "failed to delete "+crd.kind, "name", crd.name)
+				continue
+			}
+			log.Info("deleted "+crd.kind, "name", crd.name)
+		}
+
+		for _, name := range []string{"keycloak-configure", "keycloak-operator", "keycloak"} {
+			hr := &helmv2.HelmRelease{}
+			key := client.ObjectKey{Name: name, Namespace: "cozy-keycloak"}
+
+			err := r.Get(ctx, key, hr)
+			if err != nil {
+				if kerrors.IsNotFound(err) {
+					log.Info("HelmRelease already deleted", "name", name)
+					continue
+				}
+				log.Error(err, "failed to get HelmRelease", "name", name)
+				return ctrl.Result{}, err
+			}
+
+			if err := r.Delete(ctx, hr); err != nil {
+				log.Error(err, "failed to delete HelmRelease", "name", name)
+				return ctrl.Result{}, err
+			}
+			log.Info("deletion requested for HelmRelease", "name", name)
+
+			timeout := time.After(30 * time.Second)
+			tick := time.Tick(1 * time.Second)
+		WAIT_LOOP:
+			for {
+				select {
+				case <-timeout:
+					log.Error(fmt.Errorf("timeout"), "waiting for HelmRelease to be deleted", "name", name)
+					return ctrl.Result{RequeueAfter: 10 * time.Second}, nil
+				case <-tick:
+					err := r.Get(ctx, key, &helmv2.HelmRelease{})
+					if kerrors.IsNotFound(err) {
+						log.Info("HelmRelease deletion confirmed", "name", name)
+						break WAIT_LOOP
+					} else if err != nil {
+						log.Error(err, "error checking HelmRelease deletion", "name", name)
+						return ctrl.Result{}, err
+					}
+				}
+			}
+		}
+		ns := &corev1.Namespace{}
+		nsKey := client.ObjectKey{Name: "cozy-keycloak"}
+
+		if err := r.Get(ctx, nsKey, ns); err != nil {
+			if kerrors.IsNotFound(err) {
+				log.Info("Namespace cozy-keycloak already deleted")
+			} else {
+				log.Error(err, "failed to get namespace cozy-keycloak")
+				return ctrl.Result{}, err
+			}
+		} else {
+			if ns.DeletionTimestamp == nil {
+				if err := r.Delete(ctx, ns); err != nil {
+					log.Error(err, "failed to delete namespace cozy-keycloak")
+					return ctrl.Result{}, err
+				}
+				log.Info("deletion requested for namespace cozy-keycloak")
+			} else {
+				log.Info("namespace cozy-keycloak is already being deleted")
+			}
+		}
+	}
 	return ctrl.Result{}, nil
 }

@@ -88,12 +242,11 @@ func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string,
 		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
 		if err != nil {
 			if kerrors.IsNotFound(err) {
-				continue // ignore missing
+				continue
 			}
 			return "", err
 		}

-		// Sort keys for consistent hashing
 		var keys []string
 		for k := range cm.Data {
 			keys = append(keys, k)
@@ -137,3 +290,34 @@ func contains(slice []string, val string) bool {
 	}
 	return false
 }
+
+func (r *CozystackConfigReconciler) checkOIDCDisabledTransition(ctx context.Context) (bool, error) {
+	const configName = "cozystack"
+	const fieldKey = "oidc-enabled"
+	const lastOIDCStateAnnotation = "cozystack.io/last-oidc-enabled"
+
+	var cm corev1.ConfigMap
+	if err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: configName}, &cm); err != nil {
+		return false, err
+	}
+
+	current := cm.Data[fieldKey]
+	if current != "false" && current != "true" {
+		return false, nil
+	}
+
+	last := cm.Annotations[lastOIDCStateAnnotation]
+
+	if cm.Annotations == nil {
+		cm.Annotations = map[string]string{}
+	}
+	if last != current {
+		patch := client.MergeFrom(cm.DeepCopy())
+		cm.Annotations[lastOIDCStateAnnotation] = current
+		if err := r.Patch(ctx, &cm, patch); err != nil {
+			return false, fmt.Errorf("failed to update oidc-enabled annotation: %w", err)
+		}
+	}
+
+	return last == "true" && current == "false", nil
+}
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -354,7 +354,7 @@ releases:
  optional: true
  dependsOn: [cilium,kubeovn]

-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 - name: keycloak
  releaseName: keycloak
  chart: cozy-keycloak
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -182,7 +182,7 @@ releases:
  dependsOn: []
  {{- end }}

-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 - name: keycloak
  releaseName: keycloak
  chart: cozy-keycloak