🐛 Fix IdP CR upgrade issues. (#578)

closes #577 

Also ensures only the IdentityProvider and Clients with the part-of
label are manged.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed API key preservation during upgrade scenarios where existing
secrets are updated.

* **Chores**
* Refactored identity provider client configuration management for
improved maintainability.
* Enhanced OIDC issuer URL configuration handling for better flexibility
in different deployment environments.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Jeff Ortel <jortel@redhat.com>

Author: jortel

roles/tackle/tasks/idpclient-create.yml

@@ -0,0 +1,16 @@
+---
+- name: "Check for existing IdpClient: {{ idpclient.name }}"
+  k8s_info:
+    api_version: tackle.konveyor.io/v1alpha1
+    kind: IdpClient
+    name: "{{ idpclient.name }}"
+    namespace: "{{ app_namespace }}"
+  register: existing_idpclient
+
+- name: "Create/update IdpClient if operator-managed: {{ idpclient.name }}"
+  when: >-
+    (existing_idpclient.resources | length) == 0 or
+    ((existing_idpclient.resources[0].metadata.labels | default({})).get('app.kubernetes.io/part-of', '') == app_name)
+  k8s:
+    state: present
+    definition: "{{ lookup('template', idpclient.template) }}"

roles/tackle/tasks/main.yml

@@ -36,12 +36,14 @@
     openshift_cluster: true
   when: "'route.openshift.io' in api_groups"
 
-- name: "Create IdpClient CRs (web-ui, kantra, kai-ide)"
-  k8s:
-    state: present
-    definition: "{{ lookup('template', 'customresource-idpclients.yml.j2') }}"
-  register: idpclients_result
-  failed_when: idpclients_result.failed
+- name: "Create operator-managed IdpClients"
+  include_tasks: idpclient-create.yml
+  loop:
+    - { name: web-ui, template: customresource-idpclient-webui.yml.j2 }
+    - { name: kantra, template: customresource-idpclient-kantra.yml.j2 }
+    - { name: kai-ide, template: customresource-idpclient-kai.yml.j2 }
+  loop_control:
+    loop_var: idpclient
 
 - name: "Detect existing Keycloak deployment"
   block:
@@ -73,10 +75,22 @@
         keycloak_service_url: "{{ 'https://' + app_name + '-rhbk-service.' + app_namespace + '.svc:8443' if keycloak_is_rhbk else 'http://' + app_name + '-keycloak-sso.' + app_namespace + '.svc:8080' }}"
       when: keycloak_detected|bool
 
+- name: "Check for existing IdentityProvider"
+  when:
+    - feature_auth_required|bool
+    - keycloak_detected|bool
+  k8s_info:
+    api_version: tackle.konveyor.io/v1alpha1
+    kind: IdentityProvider
+    name: keycloak
+    namespace: "{{ app_namespace }}"
+  register: idp_status
+
 - name: "Create IdentityProvider CR for detected Keycloak"
   when:
     - feature_auth_required|bool
     - keycloak_detected|bool
+    - (idp_status.resources | length) == 0 or ((idp_status.resources[0].metadata.labels | default({})).get('app.kubernetes.io/part-of', '') == app_name)
   k8s:
     state: present
     definition: "{{ lookup('template', 'customresource-identityprovider.yml.j2') }}"
@@ -160,6 +174,30 @@
         state: present
         definition: "{{ lookup('template', 'secret-hub.yml.j2') }}"
 
+- name: "Add apikey-secret to existing Hub secret if missing (upgrade scenario)"
+  when: (hub_secret_status.resources | length) > 0
+  block:
+    - name: "Check if apikey-secret exists in Hub secret"
+      set_fact:
+        apikey_exists: "{{ 'apikey-secret' in hub_secret_status.resources[0].data }}"
+
+    - name: "Generate and add apikey-secret to existing Hub secret"
+      when: not apikey_exists
+      block:
+        - name: "Generate Hub API key secret for upgrade"
+          set_fact:
+            hub_apikey_secret_upgrade: "{{ lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32') }}"
+
+        - name: "Add apikey-secret key to existing Hub secret"
+          kubernetes.core.k8s:
+            state: patched
+            kind: Secret
+            name: "{{ hub_secret_name }}"
+            namespace: "{{ app_namespace }}"
+            definition:
+              data:
+                apikey-secret: "{{ hub_apikey_secret_upgrade | b64encode }}"
+
 # Create all the neccessary CR's before the hub deployment is created
 - name: "Remove Admin Addon CR"
   k8s:

roles/tackle/templates/customresource-identityprovider.yml.j2

@@ -10,11 +10,11 @@ metadata:
     app.kubernetes.io/part-of: {{ app_name }}
 spec:
   name: keycloak
-  issuer: {{ keycloak_service_url }}/auth/realms/{{ app_name }}
+  issuer: ${issuer.proto}://${issuer.host}/auth/realms/{{ app_name }}
   tls:
     insecure: true
   clientId: {{ app_name }}-ui
-  redirectURI: {{ hub_url }}/oidc/idp/callback
+  redirectURI: ${issuer.proto}://${issuer.host}/oidc/idp/callback
   scopes:
   - openid
   - profile

roles/tackle/templates/customresource-idpclient-kai.yml.j2

@@ -0,0 +1,28 @@
+---
+
+# kai-ide client (public client - no secret needed)
+apiVersion: tackle.konveyor.io/v1alpha1
+kind: IdpClient
+metadata:
+  name: kai-ide
+  namespace: {{ app_namespace }}
+  labels:
+    app.kubernetes.io/name: kai-ide
+    app.kubernetes.io/component: idp-client
+    app.kubernetes.io/part-of: {{ app_name }}
+spec:
+  id: 3
+  clientId: kai-ide
+  applicationType: native
+  grants:
+  - urn:ietf:params:oauth:grant-type:jwt-bearer
+  - authorization_code
+  - refresh_token
+  redirectURIs:
+  - vscode://konveyor.konveyor-core/auth
+  - http://127.0.0.1/callback
+  scopes:
+  - offline_access
+  - openid
+  - profile
+  - email

roles/tackle/templates/customresource-idpclient-kantra.yml.j2

@@ -0,0 +1,26 @@
+---
+
+# kantra client (public client - no secret needed)
+apiVersion: tackle.konveyor.io/v1alpha1
+kind: IdpClient
+metadata:
+  name: kantra
+  namespace: {{ app_namespace }}
+  labels:
+    app.kubernetes.io/name: kantra
+    app.kubernetes.io/component: idp-client
+    app.kubernetes.io/part-of: {{ app_name }}
+spec:
+  id: 2
+  clientId: kantra
+  applicationType: native
+  grants:
+  - urn:ietf:params:oauth:grant-type:device_code
+  - authorization_code
+  - refresh_token
+  scopes:
+  - offline_access
+  - openid
+  - profile
+  - email
+

roles/tackle/templates/customresource-idpclient-webui.yml.j2

@@ -0,0 +1,28 @@
+---
+
+# web-ui client
+apiVersion: tackle.konveyor.io/v1alpha1
+kind: IdpClient
+metadata:
+  name: web-ui
+  namespace: {{ app_namespace }}
+  labels:
+    app.kubernetes.io/name: web-ui
+    app.kubernetes.io/component: idp-client
+    app.kubernetes.io/part-of: {{ app_name }}
+spec:
+  id: 1
+  clientId: web-ui
+  applicationType: web
+  grants:
+  - urn:ietf:params:oauth:grant-type:jwt-bearer
+  - authorization_code
+  - refresh_token
+  redirectURIs:
+  - "${issuer.proto}://${issuer.host}{,*}/**"
+  scopes:
+  - offline_access
+  - openid
+  - profile
+  - email
+