keycloak / keycloak-operator

ARCHIVED Kubernetes Operator for the no longer supported WildFly distribution of Keycloak
Apache License 2.0

Fails to deploy with version 18.0.0 #547

Closed ctron closed 1 year ago

ctron commented 2 years ago

Describe the bug

A deployment which works just fine with the 17.0.0 operator fails with the 18.0.0 operator:

The Keycloak and KeycloakRealm resources themselves deploy, but the KeycloakClient resource fails with:

status:
  message: 'failed to create realm role composites: (404) 404 Not Found'
  phase: failing
  ready: false
  secondaryResources:
    Secret:
    - keycloak-client-secret-client

In the logs of the operator I can see:

{"level":"info","ts":1652267097.304865,"logger":"action_runner","msg":"(    3)     FAILED add default client roles drogue-iot/drogue: &[{map[] <nil> <nil> <nil>    drogue-user}] : failed to create realm role composites: (404) 404 Not Found"}

Version

18.0.0

Expected behavior

Either it should work as it did in 17, or there should be some instructions on how to migrate to 18.

Actual behavior

Just fails with a non-helpful message.

How to Reproduce?

Create the CR:

apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: client
spec:
  client:
    clientAuthenticatorType: client-secret
    clientId: drogue
    defaultClientScopes:
    - email
    - profile
    - roles
    - web-origins
    defaultRoles:
    - drogue-user
    directAccessGrantsEnabled: false
    enabled: true
    fullScopeAllowed: true
    implicitFlowEnabled: true
    optionalClientScopes:
    - address
    - microprofile-jwt
    - offline_access
    - phone
    protocolMappers:
    - config:
        access.token.claim: "true"
        id.token.claim: "false"
        included.client.audience: drogue
      name: add-audience
      protocol: openid-connect
      protocolMapper: oidc-audience-mapper
    publicClient: true
    redirectUris:
    - http://console.192.168.39.140.nip.io
    - http://console.192.168.39.140.nip.io/*
    - http://localhost:*
    standardFlowEnabled: true
    webOrigins:
    - '*'
  realmSelector:
    matchLabels:
      app.kubernetes.io/component: sso
      app.kubernetes.io/instance: drogue-iot
      app.kubernetes.io/name: drogue
  scopeMappings: {}

Anything else?

No response

andreaTP commented 2 years ago

Hi @ctron, thanks for this issue. I'm failing to reproduce it; would you mind sharing a demo realm similar to the one you are importing?

stianst commented 1 year ago

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived; please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!