Controller fails to clean up users which have been deleted in Keycloak

[simu]

Description

When a user that's been synced to the control-api is deleted in keycloak, subsequent reconciles for that user object fail with

{"level":"error","ts":"2023-06-09T12:33:09Z","msg":"Reconciler error","controller":"user","controllerGroup":"appuio.io","controllerKind":"User","User":{"name":"<redacted>"},"namespace":"","name":"<redacted>","reconcileID":"cfcb6169-0f20-4e83-83f4-cb063e6d1c26","error":"failed querying keycloak for user \"<redacted>\": user \"<redacted>\" not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235"}

Additional Context

From looking through the code, there's simply no logic to handle this case cleanly. I don't remember if that was an oversight or a conscious decision to not delete users which don't exist anymore in Keycloak.

Users are created when groups are synced (cf.

appuio-keycloak-adapter/controllers/periodic_syncer.go

Line 91 in 84de744

err := r.createUser(ctx, m)

).

The user reconcile loop then tries to update changes to the user's profile in keycloak in

appuio-keycloak-adapter/controllers/user_controller.go

Lines 54 to 61 in 84de744

	func (r *UserReconciler) updateUserStatus(ctx context.Context, user controlv1.User, kcUser keycloak.User) error {
	user.Status.ID = kcUser.ID
	user.Status.Username = kcUser.Username
	user.Status.Email = kcUser.Email
	user.Status.DisplayName = kcUser.DisplayName()
	user.Status.DefaultOrganizationRef = kcUser.DefaultOrganizationRef
	return r.Status().Update(ctx, &user)
	}

Logs

{"level":"error","ts":"2023-06-09T12:33:09Z","msg":"Reconciler error","controller":"user","controllerGroup":"appuio.io","controllerKind":"User","User":{"name":"<redacted>"},"namespace":"","name":"<redacted>","reconcileID":"cfcb6169-0f20-4e83-83f4-cb063e6d1c26","error":"failed querying keycloak for user \"<redacted>\": user \"<redacted>\" not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235"}

Expected Behavior

Stale user objects are deleted when the corresponding user in Keycloak has been deleted.

Steps To Reproduce

• Create user in Keycloak
• Wait for it to be synced to the control-api
• Delete user in Keycloak
• Observe that user object remains in control-api and reconcile errors are logged

Versions

appuio-keycloak-adapter v0.6.1