Bug 2059515
Summary: | e2e-operator presubmit permafailing with: FAIL: TestKeycloakAsOIDCPasswordGrantCheck | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Pierre Prinetti <pprinett> | |
Component: | apiserver-auth | Assignee: | Pierre Prinetti <pprinett> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Pierre Prinetti <pprinett> | |
Severity: | medium | Docs Contact: | ||
Priority: | high | |||
Version: | 4.8 | CC: | aos-bugs, mfojtik, surbania, wking | |
Target Milestone: | --- | Keywords: | TestBlocker | |
Target Release: | 4.11.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | No Doc Update | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2060473 (view as bug list) | Environment: | ||
Last Closed: | 2022-03-21 10:32:10 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2060473 |
Description
Pierre Prinetti
2022-03-01 09:10:26 UTC
It was raised in keycloak/keycloak-quickstarts#300 but no update yet, FYI. > It was raised in keycloak/keycloak-quickstarts#300 but no update yet, FYI.
After a conversation with Alex Szczuczko and Dominik Guhr from the RH SSO (Keycloak) team, I suspect that the mismatch between API and docs will be solved by fixing the docs.
The patch that I propose (attached to this BZ) entails pinning our code to the "legacy" variant of Keycloak's 17.0.0 image, which exhibits the old behaviour. This patch is designed to be backported down to at least 4.8 to unblock the corresponding presubmit tests in the cluster-authentication-operator repository.
I believe that a valid follow-up will be to change the code to use the non-legacy variant: that is, issuing a "start" or "start-dev" command in the container startup.
The action plan: 1. Fix 4.11 by adapting the test logic to Keycloak v17 (see https://github.com/openshift/cluster-authentication-operator/pull/554) 2. Fix previous cluster-authentication-operator releases by pinning Keycloak to the "legacy" (WildFly) variant of v17 closing CURRENTRELEASE as the tests are now successful, and there is no need for this test-only change to hit the release notes. |