Description of problem: The current latest tag (15.0.2) doesn't work on FIPS mode as described in the following links: * https://issues.redhat.com/browse/KEYCLOAK-19771 * https://access.redhat.com/solutions/6484731 So, in order to have test coverage for keycloak, there is a temporary pin set to 15.0.1: https://github.com/openshift/cluster-authentication-operator/pull/512 This BZ is a reminder to move back to using the `latest` tag before the release. How reproducible: Only on FIPS mode Steps to Reproduce: 1. Deploy a keycloak container on a FIPS-enabled cluster 2. try to set up an IdP Actual results: Keycloak fails with `PBKDF2 algorithm not found` Expected results: Keycloak should work and we should be able to use it in OCP as an IdP. Additional info:
The linked PR should actually be reverted before 4.10 release. I would like this to happen at least 2 weeks before the 4.10 final freeze. Setting blocker+, we don't want the tests to be running with an outdated Keycloak version as the tests were partially written solely for the purpose of checking that our code works with the latest KC version.
Iām adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
As mentioned in https://github.com/openshift/cluster-authentication-operator/pull/534 this is issue is not fixed, BZ is just a reminder, so moving back to Assigned
> (In reply to Yash Tripathi from comment #6) > issue is not fixed The unfixed issue is about KC (Keycloak), however the bug ID is about product OpenShift, they're two different products. If OpenShift issue is not fixed, you should move the bug back to Assigned. However, if only KC issue is not fixed, you should not do that. > BZ is just a reminder I think you have read what it wants to remind, please see comment 0's sentence; and check if the PR does the "move back" said there. And you can check the PR's top comment for what is considered "more important", which is the reason why the PR is raised/merged. If the PR DOES what comment 0 wants to remind, then the reminder bug is done and can be moved to Verified.
Verified PR and code present in openshift:master
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056