Bug 2024841

Summary: test Keycloak with latest tag
Product: OpenShift Container Platform Reporter: Juan Antonio Osorio <josorior>
Component: apiserver-authAssignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA QA Contact: Yash Tripathi <ytripath>
Severity: high Docs Contact:
Priority: high    
Version: 4.10CC: aos-bugs, mfojtik, surbania, xxia
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:29:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juan Antonio Osorio 2021-11-19 09:02:26 UTC 
Description of problem:

The current latest tag (15.0.2) doesn't work on FIPS mode as described in the following links:

* https://issues.redhat.com/browse/KEYCLOAK-19771
* https://access.redhat.com/solutions/6484731

So, in order to have test coverage for keycloak, there is a temporary pin set to 15.0.1: https://github.com/openshift/cluster-authentication-operator/pull/512

This BZ is a reminder to move back to using the `latest` tag before the release.


How reproducible:

Only on FIPS mode

Steps to Reproduce:
1. Deploy a keycloak container on a FIPS-enabled cluster
2. try to set up an IdP

Actual results:

Keycloak fails with `PBKDF2 algorithm not found`

Expected results:

Keycloak should work and we should be able to use it in OCP as an IdP.
Additional info:
Comment 2 Standa Laznicka 2021-11-22 08:15:13 UTC 
The linked PR should actually be reverted before 4.10 release. I would like this to happen at least 2 weeks before the 4.10 final freeze.

Setting blocker+, we don't want the tests to be running with an outdated Keycloak version as the tests were partially written solely for the purpose of checking that our code works with the latest KC version.
Comment 3 Sergiusz Urbaniak 2021-11-26 07:25:27 UTC 
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Comment 6 Yash Tripathi 2022-01-19 15:08:03 UTC 
As mentioned in https://github.com/openshift/cluster-authentication-operator/pull/534 this is issue is not fixed, BZ is just a reminder, so moving back to Assigned
Comment 7 Xingxing Xia 2022-01-20 03:53:06 UTC 
> (In reply to Yash Tripathi from comment #6)
> issue is not fixed
The unfixed issue is about KC (Keycloak), however the bug ID is about product OpenShift, they're two different products. If OpenShift issue is not fixed, you should move the bug back to Assigned. However, if only KC issue is not fixed, you should not do that.

> BZ is just a reminder
I think you have read what it wants to remind, please see comment 0's sentence; and check if the PR does the "move back" said there. And you can check the PR's top comment for what is considered "more important", which is the reason why the PR is raised/merged. If the PR DOES what comment 0 wants to remind, then the reminder bug is done and can be moved to Verified.
Comment 8 Yash Tripathi 2022-01-20 18:06:30 UTC 
Verified PR and code present in openshift:master
Comment 11 errata-xmlrpc 2022-03-10 16:29:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056