Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 8.0 Update 8
Affects Version/s: None
Component/s: OpenShift, Security
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
?
Target Release:

8.0.z.GA
Git Pull Request:
https://github.com/wildfly/wildfly-cekit-modules/pull/412
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

[ENVIRONMENT]

JBoss EAP 8.0.7
registry.redhat.io/jboss-eap-8/eap8-openjdk17-builder-openshift-rhel8
Galleon Layers
s2i

[SUMMARY]
The Galleon Layer cloud-default-config is adding the script /opt/eap/bin/launch/keycloak.sh in the container image with commands referencing the incorrect module name of the Keycloak SAML adapter.
In EAP 8.0.7, the right name is:

              <custom-realm name="KeycloakSAMLRealm" module="org.keycloak.keycloak-saml-wildfly-elytron-jakarta-adapter" class-name="org.keycloak.adapters.saml.elytron.KeycloakSecurityRealm"/>

In /opt/eap/bin/launch/keycloak.sh we have:

$ podman run --rm localhost/eap8 grep org.keycloak.keycloak-saml-wildfly-elytron-adapter /opt/eap/bin/launch/keycloak.sh

    /subsystem=elytron/custom-realm=KeycloakSAMLRealm-$id:add(class-name=org.keycloak.adapters.saml.elytron.KeycloakSecurityRealm, module=org.keycloak.keycloak-saml-wildfly-elytron-adapter)
    /subsystem=elytron/service-loader-http-server-mechanism-factory=keycloak-saml-http-server-mechanism-factory-$id:add(module=org.keycloak.keycloak-saml-wildfly-elytron-adapter)

If only using the layer keycloak-client-saml without the cloud-default-config, no /opt/eap/bin/launch/keycloak.sh is added, this is why I suspect the cloud-default-config is the issue.

Customer reports this was working on EAP 8.0.6, so I believe Keycloak SAML adapter has renamed the module from org.keycloak.keycloak-saml-wildfly-elytron-adapter to org.keycloak.keycloak-saml-wildfly-elytron-jakarta-adapter

[HOW TO REPRODUCE]

via Dockerfile

$ cat Dockerfile 
FROM registry.redhat.io/jboss-eap-8/eap8-openjdk17-builder-openshift-rhel8 AS builder

ENV GALLEON_PROVISION_FEATURE_PACKS org.jboss.eap:wildfly-ee-galleon-pack,org.jboss.eap.cloud:eap-cloud-galleon-pack,org.keycloak:keycloak-saml-adapter-galleon-pack

ENV GALLEON_PROVISION_LAYERS cloud-default-config,keycloak-client-saml

ENV GALLEON_PROVISION_CHANNELS org.jboss.eap.channels:eap-8.0

RUN /usr/local/s2i/assemble

$ podman build -t eap8 -f Dockerfile 

$  podman run --rm localhost/eap8 grep org.keycloak.keycloak-saml-wildfly-elytron-adapter /opt/eap/bin/launch/keycloak.sh

    /subsystem=elytron/custom-realm=KeycloakSAMLRealm-$id:add(class-name=org.keycloak.adapters.saml.elytron.KeycloakSecurityRealm, module=org.keycloak.keycloak-saml-wildfly-elytron-adapter)
    /subsystem=elytron/service-loader-http-server-mechanism-factory=keycloak-saml-http-server-mechanism-factory-$id:add(module=org.keycloak.keycloak-saml-wildfly-elytron-adapter)

is blocked by

JBEAP-30149 [8.1.0.GA] - org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-saml-wildfly-elytron-adapter

is incorporated by

JBEAP-30151 (8.0.z) Upgrade eap-cloud-galleon-pack 1.1.0.Final-redhat-dev-00001

Closed

relates to

JBEAP-29412 Deployments configured to autmatically register a SAML client fail to boot because of missing keycloak module

Verified

Assignee:: Jeff Mesnil

Reporter:: Jeff Mesnil

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/05/15 9:10 AM

Updated:: 2025/06/24 9:08 AM

Resolved:: 2025/05/16 6:55 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates