KEYCLOAK-14411

[7.4.z] Unable to remove keycloak CRs during uninstallation

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: RH-SSO-7.4.0
    • Fix Version/s: RH-SSO-7.4.1
    • Component/s: None
    • Labels:
      None
    • Epic Link:
    • Story Points:
      3
    • Steps to Reproduce:

      2 ways of reproducing:
      1. Uninstall RHMI (Longer)

      • Install RHMI
      • Run ./scripts/setup-sso-idp.sh
      • Uninstall RHMI
      • RHMI uninstallation will get stuck due to remaining Keycloak users/clients CRs

      2. Remove a realm before deleting a user (Quicker)

      • Install RHMI
      • Run ./scripts/setup-sso-idp.sh
      • Remove the testing-idp realm
      • Remove a test-user KeycloakUser CR associated with the testing-idp realm
      • The KeycloakUser will not get removed as it cannot find the realm associated with it.

      Description

      What

      Uninstallation of RHSSO gets stuck due to the following issue:

      RHSSO uninstallation removes the users and clients before removing the realm. We currently do not wait for the users/clients to be deleted before attempting to remove the realms. There are cases where the users/clients are still being deleted when the realm gets removed.

      If the realm was deleted first, users/clients will get stuck on deletion as the realm associated with them has been removed. This is caused by the validateList function called by GetMatchingRealms(), which is called during the user and client reconcile. Keycloak operator logs can be found here

      When you ensure that clients and users get deleted first and wait for the next reconcile to remove the rest of the Keycloak custom resources, the cloud resource operator will remove the Keycloak postgres, which breaks the keycloak pods. Realms get stuck on deletion because they can no longer access Keycloak. The following error can be seen in the KeycloakRealm CR:

      Need to confirm e2e tests will work with these changes also.
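
The deletion-order failure described above, as a simplified Go model added here (it is not the Keycloak operator's code). The `Cluster` type and its functions are hypothetical, the client name is constructed, and the model covers only the realm-before-dependents ordering, not the later postgres removal.

```go
package main

import "fmt"

// CR is a KeycloakUser or KeycloakClient custom resource marked for deletion.
type CR struct{ Kind, Name, Realm string }

// Cluster is a simplified model (assumption), not the operator's data structures.
type Cluster struct {
	Realms  map[string]bool // realm CRs that still exist
	Pending []CR            // user/client CRs waiting for their finalizer to clear
}

// Reconcile runs one pass over pending CRs and returns those still stuck.
func (c *Cluster) Reconcile() []CR {
	var stuck []CR
	for _, cr := range c.Pending {
		if !c.Realms[cr.Realm] { // no matching realm: deletion cannot complete
			stuck = append(stuck, cr)
		}
	}
	c.Pending = stuck
	return stuck
}

// DeleteRealm removes a realm CR; with wait set it refuses while dependents are pending.
func (c *Cluster) DeleteRealm(name string, wait bool) bool {
	for _, cr := range c.Pending {
		if wait && cr.Realm == name {
			return false
		}
	}
	delete(c.Realms, name)
	return true
}

// Uninstall marks users/clients for deletion, removes the realm, returns stuck CRs.
func Uninstall(wait bool) []CR {
	c := &Cluster{Realms: map[string]bool{"testing-idp": true}, Pending: []CR{
		{"KeycloakUser", "test-user", "testing-idp"},
		{"KeycloakClient", "test-client", "testing-idp"}, // constructed name
	}}
	if !c.DeleteRealm("testing-idp", wait) { // blocked: drain dependents, then retry
		c.Reconcile()
		c.DeleteRealm("testing-idp", wait)
	}
	return c.Reconcile()
}

func main() { fmt.Println(len(Uninstall(false)), len(Uninstall(true))) } // prints "2 0"
```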

                People

                • Assignee:
                  peter.braun Peter Braun
                  Reporter:
                  sguilhen Stefan Guilhen