Bug 2024841 - test Keycloak with latest tag
Summary: test Keycloak with latest tag
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.10.0
Assignee: Standa Laznicka
QA Contact: Yash Tripathi
Depends On:
Reported: 2021-11-19 09:02 UTC by Juan Antonio Osorio
Modified: 2022-03-10 16:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:29:41 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Github openshift cluster-authentication-operator pull 512 0 None Merged Bug 2024841: test/library: Pin keycloak contianer label to 15.0.1 2021-11-22 06:51:47 UTC
Github openshift cluster-authentication-operator pull 534 0 None open Bug 2024841: use latest keycloak for testing 2022-01-17 08:39:18 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:30:04 UTC

Description Juan Antonio Osorio 2021-11-19 09:02:26 UTC
Description of problem:

The current latest tag (15.0.2) doesn't work on FIPS mode as described in the following links:

* https://issues.redhat.com/browse/KEYCLOAK-19771
* https://access.redhat.com/solutions/6484731

So, in order to have test coverage for keycloak, there is a temporary pin set to 15.0.1: https://github.com/openshift/cluster-authentication-operator/pull/512

This BZ is a reminder to move back to using the `latest` tag before the release.

How reproducible:

Only on FIPS mode

Steps to Reproduce:
1. Deploy a keycloak container on a FIPS-enabled cluster
2. Try to set up an IdP

Actual results:

Keycloak fails with `PBKDF2 algorithm not found`

Expected results:

Keycloak should work and we should be able to use it in OCP as an IdP.

Additional info:

Comment 2 Standa Laznicka 2021-11-22 08:15:13 UTC
The linked PR should actually be reverted before 4.10 release. I would like this to happen at least 2 weeks before the 4.10 final freeze.

Setting blocker+, we don't want the tests to be running with an outdated Keycloak version as the tests were partially written solely for the purpose of checking that our code works with the latest KC version.

Comment 3 Sergiusz Urbaniak 2021-11-26 07:25:27 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Yash Tripathi 2022-01-19 15:08:03 UTC
As mentioned in https://github.com/openshift/cluster-authentication-operator/pull/534, this issue is not fixed; the BZ is just a reminder, so moving back to Assigned.

Comment 7 Xingxing Xia 2022-01-20 03:53:06 UTC
> (In reply to Yash Tripathi from comment #6)
> issue is not fixed
The unfixed issue is about KC (Keycloak), however the bug ID is about product OpenShift, they're two different products. If OpenShift issue is not fixed, you should move the bug back to Assigned. However, if only KC issue is not fixed, you should not do that.

> BZ is just a reminder
I think you have read what it wants to remind, please see comment 0's sentence; and check if the PR does the "move back" said there. And you can check the PR's top comment for what is considered "more important", which is the reason why the PR is raised/merged. If the PR DOES what comment 0 wants to remind, then the reminder bug is done and can be moved to Verified.

Comment 8 Yash Tripathi 2022-01-20 18:06:30 UTC
Verified PR and code present in openshift:master

Comment 11 errata-xmlrpc 2022-03-10 16:29:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

