2060473 – e2e-operator presubmit permafailing with: FAIL: TestKeycloakAsOIDCPasswordGrantCheck

Bug 2060473 - e2e-operator presubmit permafailing with: FAIL: TestKeycloakAsOIDCPasswordGrantCheck

Summary: e2e-operator presubmit permafailing with: FAIL: TestKeycloakAsOIDCPasswordGra...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	4.10.0
Assignee:	Pierre Prinetti
QA Contact:	Pierre Prinetti
Docs Contact:
URL:
Whiteboard:
Depends On:	2059515
Blocks:	2062292
TreeView+	depends on / blocked

Reported:	2022-03-03 15:18 UTC by Pierre Prinetti
Modified:	2022-03-11 20:11 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	2059515
Environment:
Last Closed:	2022-03-11 20:11:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-authentication-operator pull 555	0	None	Merged	Bug 2060473: e2e: Pin Keycloack to the legacy variant	2022-03-11 18:51:45 UTC

Description Pierre Prinetti 2022-03-03 15:18:04 UTC

+++ This bug was initially created as a clone of Bug #2059515 +++

Description of the problem:

e2e-operator pre-submit e2e jobs are failing on all releases (down to at least 4.8) due to a failure of the test `TestKeycloakAsOIDCPasswordGrantCheckAndGroupSync` (called `TestKeycloakAsOIDCPasswordGrantCheck` 4.9 and older releases).

* Debug PR triggering tests against master yields: https://prow.ci.openshift.org/pr-history/?org=openshift&repo=cluster-authentication-operator&pr=549

* Debug PR triggering tests against release-4.9 yields: https://prow.ci.openshift.org/pr-history/?org=openshift&repo=cluster-authentication-operator&pr=547

* Debug PR triggering tests against release-4.8 yields: https://prow.ci.openshift.org/pr-history/?org=openshift&repo=cluster-authentication-operator&pr=550

--- Additional comment from Xingxing Xia on 2022-03-02 02:50:11 UTC ---

It was raised in keycloak/keycloak-quickstarts#300 but no update yet, FYI.

--- Additional comment from Pierre Prinetti on 2022-03-02 08:35:20 UTC ---

> It was raised in keycloak/keycloak-quickstarts#300 but no update yet, FYI.

After a conversation with Alex Szczuczko and Dominik Guhr from the RH SSO (Keycloak) team, I suspect that the mismatch between API and docs will be solved by fixing the docs.

The patch that I propose (attached to this BZ) entails pinning our code to the "legacy" variant of Keycloak's 17.0.0 image, which exhibits the old behaviour. This patch is designed to be backported down to at least 4.8 to unblock the corresponding presubmit tests in the cluster-authentication-operator repository.

I believe that a valid follow-up will be to change the code to use the non-legacy variant: that is, issuing a "start" or "start-dev" command in the container startup.

--- Additional comment from Pierre Prinetti on 2022-03-03 15:17:28 UTC ---

The action plan:

1. Fix 4.11 by adapting the test logic to Keycloak v17 (see https://github.com/openshift/cluster-authentication-operator/pull/554)
2. Fix previous cluster-authentication-operator releases by pinning Keycloak to the "legacy" (WildFly) variant of v17

Comment 2 Pierre Prinetti 2022-03-09 13:47:21 UTC

Self-marking as VERIFIED as the change only involves test code and tests now pass.

Note You need to log in before you can comment on or make changes to this bug.