jharmison-redhat / openshift-devsecops

The merger of the CI/CD demos, provisioning, and DevSecOps workshop content into a single repo, built on OCP 4.x

Creating users in CRW's Keycloak instance starts failing around users 3-5 and won't recover #61

Closed jharmison-redhat closed 4 years ago

jharmison-redhat commented 4 years ago

During hotloading of CRW identities in Keycloak, sometimes the process will fail and you will begin to get 401s.

TASK [codeready-workspaces : Add user3 to CRW] ********************************************************************************************************************************
Wednesday 05 August 2020  22:39:30 +0000 (0:00:02.812)       0:35:16.120 ****** 
changed: [localhost]

The above is the expected output for the task for every user, however:

TASK [codeready-workspaces : Add user4 to CRW] ********************************************************************************************************************************
Wednesday 05 August 2020  22:39:45 +0000 (0:00:02.881)       0:35:31.441 ****** 
FAILED - RETRYING: Add user4 to CRW (10 retries left).
FAILED - RETRYING: Add user4 to CRW (9 retries left).
FAILED - RETRYING: Add user4 to CRW (8 retries left).
FAILED - RETRYING: Add user4 to CRW (7 retries left).
FAILED - RETRYING: Add user4 to CRW (6 retries left).
FAILED - RETRYING: Add user4 to CRW (5 retries left).
FAILED - RETRYING: Add user4 to CRW (4 retries left).
FAILED - RETRYING: Add user4 to CRW (3 retries left).
FAILED - RETRYING: Add user4 to CRW (2 retries left).
FAILED - RETRYING: Add user4 to CRW (1 retries left).
fatal: [localhost]: FAILED! => {
    "attempts": 10,
    "changed": false,
    "connection": "close",
    "content": "{\"error\":\"HTTP 401 Unauthorized\"}",
    "content_length": "33",
    "content_type": "application/json",
    "date": "Wed, 05 Aug 2020 22:41:30 GMT",
    "elapsed": 0,
    "json": {
        "error": "HTTP 401 Unauthorized"
    },
    "redirected": false,
    "set_cookie": "beeaee451cf622971118557e0711b865=7f899b86c5ca4a9858e5f3e2e63760c1; path=/; HttpOnly; Secure",
    "status": 401,
    "strict_transport_security": "max-age=31536000; includeSubDomains",
    "url": "https://keycloak-devsecops.apps.openshift.jharmison.net/auth/admin/realms/codeready/users",
    "x_content_type_options": "nosniff",
    "x_frame_options": "SAMEORIGIN",
    "x_xss_protection": "1; mode=block"
}

MSG:

Status code was 401 and not [201, 409]: HTTP Error 401: Unauthorized

You will end up with this and a failed deployment after this stage.

I believe that it's due to the fact that the JWT retrieved for the admin user here is short-lived and expires at some point in the loop started here, before the attempt to use it as authorization here.
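The failure mode described in this report can be reproduced offline. The following is an added example, not code from this repository: `FakeKeycloak`, the 60-second token lifetime and the 15 seconds per task are assumptions chosen to mirror the log timing, and the tokens are constructed, unsigned sample data. It contrasts one token fetched before the loop with a loop that re-fetches the token when its `exp` claim is close.

```python
import base64, json

def make_token(now, lifetime):
    """Constructed, unsigned JWT-shaped token carrying only an exp claim (sample data)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': now + lifetime})}."

def token_exp(token):
    """Read exp from the payload without verifying it; used only to schedule a refresh."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class FakeKeycloak:
    """Hypothetical stand-in for the admin API: answers 401 once the bearer token has expired."""
    def __init__(self, lifetime):
        self.now, self.lifetime, self.issued = 0, lifetime, 0
    def issue_token(self):
        self.issued += 1
        return make_token(self.now, self.lifetime)
    def create_user(self, token, name, cost=15):
        self.now += cost                      # assumed: each task takes about 15 seconds
        return 201 if token_exp(token) > self.now else 401

def add_users_single_token(kc, users):
    """Pattern from the report: one token fetched before the loop and reused."""
    token = kc.issue_token()
    return [kc.create_user(token, u) for u in users]

def add_users_refreshing(kc, users, skew=20):
    """Re-fetch the token when `skew` seconds or fewer of validity remain."""
    token, results = kc.issue_token(), []
    for u in users:
        if token_exp(token) - kc.now <= skew:
            token = kc.issue_token()
        results.append(kc.create_user(token, u))
    return results

USERS = [f"user{i}" for i in range(1, 9)]

if __name__ == "__main__":
    print("single token:", add_users_single_token(FakeKeycloak(60), USERS))
    print("refreshing:  ", add_users_refreshing(FakeKeycloak(60), USERS))
```

Retrying the failed request with the same expired token cannot succeed, which matches the ten failed retries in the log; the skew must be at least as long as one request takes.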