Sometimes, when installing the platform, the Keycloak certificate has not been issued yet before the Keycloak instance starts, but Keycloak starts anyway and does not present a valid certificate.
For now, the resolution is to simply delete the Keycloak pod and allow it to be replaced. Long term, it would be nice to prevent this condition somehow.
Sometimes, when installing the platform, the Keycloak certificate has not been issued yet before the Keycloak instance starts, but Keycloak starts anyway and does not present a valid certificate.
The problem is that when a certificate secret name is configured in the Keycloak CR, like this: https://github.com/contract-first-idp/platform-components/blob/main/charts/keycloak/templates/keycloak.yaml#L13 The Keycloak instance does not wait for that secret to exist. Depending on how fast cert-manager issues the certificate, Keycloak may start up without the secret data.
For now, the resolution is to simply delete the Keycloak pod and allow it to be replaced. Long term, it would be nice to prevent this condition somehow.