microcks / microcks-ansible-operator

Kubernetes Operator for easy setup and management of Microcks installs
https://microcks.io
Apache License 2.0

Unable to configure the async minion with an external Keycloak #40

Closed ruromero closed 3 years ago

ruromero commented 3 years ago

For some reason I have not been able to provision the async feature connected to an external Kafka and an external Keycloak. It doesn't seem to work with an internal Keycloak either.

```
2021-07-22 12:29:16,169 INFO  [io.git.mic.min.asy.AsyncMinionApp] (main) Microcks Keycloak server url {https://keycloak-myproject.apps.example.com/auth} and realm {mercury}
2021-07-22 12:29:16,176 INFO  [io.git.mic.min.asy.AsyncMinionApp] (main) Use locally defined Keycloak Auth URL: Optional[http://keycloak-discovery.myproject.svc.cluster.local:8080]
2021-07-22 12:29:16,200 ERROR [io.git.mic.min.asy.cli.KeycloakConnector] (main) OAuth token cannot be retrieved for Keycloak server, check microcks.serviceaccount configuration
2021-07-22 12:29:16,201 ERROR [io.git.mic.min.asy.AsyncMinionApp] (main) Cannot authenticate to Keycloak server and thus enable to call Microcks APIto get Async APIs to mocks...: io.github.microcks.minion.async.client.ConnectorException: OAuth token cannot be retrieved for Microcks. Check microcks.serviceaccount.
    at io.github.microcks.minion.async.client.KeycloakConnector.connectAndGetOAuthToken(KeycloakConnector.java:103)
    at io.github.microcks.minion.async.client.KeycloakConnector_ClientProxy.connectAndGetOAuthToken(KeycloakConnector_ClientProxy.zig:157)
```

This is the configuration I used:

```yaml
apiVersion: microcks.github.io/v1alpha1
kind: MicrocksInstall
metadata:
  name: bm
  labels:
    app: mercury
spec:
  features:
    async:
      enabled: true
      defaultBinding: KAFKA
      defaultFrequency: 10
      kafka:
        install: false
        url: my-kafka-kafka-bootstrap:9092
  keycloak:
    install: false
    realm: mercury
    url: keycloak-myproject.apps.example.com
    privateUrl: http://keycloak-discovery.myproject.svc.cluster.local:8080
    serviceAccount: microcks-serviceaccount
    serviceAccountCredentials: super-secret
  microcks:
    replicas: 1
  mongodb:
    install: true
    persistent: true
    volumeSize: 2Gi
  name: bm
  postman:
    replicas: 1
  version: 1.3.0
```

The microcks-serviceaccount client exists in the realm and seems to be similar to the one provisioned by microcks itself (which is failing at the same point).

When accessing the pod for debug I can manually retrieve the token:

```console
$ oc debug bm-async-minion-7558586b49-f66fw
$ export KC_URL=http://keycloak-discovery.myproject.svc.cluster.local:8080
$ curl -XPOST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic bWljcm9ja3Mtc2VydmljZWFjY291bnQ6c3VwZXItc2VjcmV0" -d "grant_type=client_credentials" "$KC_URL/auth/realms/mercury/protocol/openid-connect/token"
{# JsonToken}
```

I have also tried with https://keycloak.myproject.svc.cluster.local:8443, but I guess the problem in that case is that it doesn't trust the self-signed certificate.

Any hints on what could be missing? Besides that, would it be possible to add more information to this stack trace about what the server is responding with, for better troubleshooting?

Thanks in advance

lbroudoux commented 3 years ago

Hi @ruromero ! I've reproduced the configuration and I am facing the same issue. Currently investigating...

lbroudoux commented 3 years ago

Hi @ruromero !

I fixed it by adding the `/auth` suffix to the Keycloak `privateUrl` => `http://keycloak-discovery.myproject.svc.cluster.local:8080/auth`.

I agree that it's hard to guess you've got the wrong URL. I'll add more information in logs.
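As an added illustration (not code from this thread or from Microcks itself), the client_credentials call the minion performs against Keycloak, written so that a failure reports the exact URL tried, the HTTP status and the body. Names such as `fetch_token`, `probe` and `fake_keycloak` are assumptions of this example; `fake_keycloak` is a constructed stand-in that only answers on the `/auth`-prefixed path, reproducing the 404 that a `privateUrl` without `/auth` produces.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

def token_endpoint(base_url: str, realm: str) -> str:
    """Token URL Keycloak serves beneath its base path (the /auth prefix belongs in base_url)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for a confidential client, as in the curl call earlier in the thread."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def urllib_send(url, headers, body):
    """Real transport: POST and return (status, body_text), also for 4xx/5xx answers."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def fetch_token(base_url, realm, client_id, client_secret, send=urllib_send):
    """client_credentials grant; on failure the error carries URL, status and server body."""
    url = token_endpoint(base_url, realm)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(client_id, client_secret)}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    status, payload = send(url, headers, body)
    if status != 200:
        raise RuntimeError(f"POST {url} -> HTTP {status}: {payload[:200]}")
    token = json.loads(payload)
    if "access_token" not in token:
        raise RuntimeError(f"POST {url} -> no access_token in response: {payload[:200]}")
    return token

def probe(base_url, realm, client_id, client_secret, send=urllib_send) -> str:
    # Verdict string suitable for a startup log line: "ok" or the detailed failure.
    try:
        fetch_token(base_url, realm, client_id, client_secret, send)
        return "ok"
    except RuntimeError as err:
        return str(err)

def fake_keycloak(url, headers, body):
    """Constructed stand-in for the in-cluster Keycloak: only the /auth-prefixed path exists."""
    good = "http://keycloak-discovery.myproject.svc.cluster.local:8080/auth"
    if url == token_endpoint(good, "mercury") and headers["Authorization"].startswith("Basic "):
        return 200, json.dumps({"access_token": "constructed.jwt", "token_type": "Bearer"})
    return 404, "<html><body><h1>404 Not Found</h1></body></html>"
```

Run `probe(...)` with the default `urllib_send` against a real `privateUrl` to see the same verdict for a live cluster.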

ruromero commented 3 years ago

Awesome, thanks @lbroudoux