RH-SSO / RHSSO-1948

RH SSO Operator is not allowed to create an "endpoints" object in OpenShift when using a ClusterIP address


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Minor
    • Version: RH-SSO-7.5.1
    • Component: Distribution

Steps to Reproduce:

1. Create a new PostgreSQL instance in another project/namespace in OpenShift:

$ oc get svc -n postgresql
NAME         TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
postgresql   ClusterIP   10.217.5.17   <none>        5432/TCP   19h

2. Reference the ClusterIP address above in the keycloak-db-secret (the value is stored base64-encoded):

$ oc get secret keycloak-db-secret -o yaml | grep "POSTGRES_EXTERNAL_ADDRESS" | head -n 1
  POSTGRES_EXTERNAL_ADDRESS: MTAuMjE3LjUuMTc=

$ echo "MTAuMjE3LjUuMTc=" | base64 -d
10.217.5.17

3. Notice the error reported in the status of the Keycloak custom resource:

$ oc get Keycloak example-keycloak -o yaml | grep -i "endpoints"
  message: 'endpoints "keycloak-postgresql" is forbidden: endpoint address 10.217.5.17 is not allowed'

I believe we have found the root cause and Steps to Reproduce for the Jira issue KEYCLOAK-18602:

• When the PostgreSQL database lives in another project/namespace and you point the secret at its ClusterIP address, the RH SSO Operator is not allowed to create or change the endpoints object keycloak-postgresql.
• However, if you use an IP address from outside the OCP cluster (e.g. a RHEL VM on the same network with PostgreSQL installed), the operator is allowed to create that endpoints object.

The root cause is most likely the restriction below, quoted from the OCP 3.11 documentation (it appears to apply to OCP 4.x as well):

Note that OpenShift Container Platform will not let most users manually create an Endpoints object that points to an IP address in the network blocks reserved for pod and service IPs. Only cluster admins or other users with permission to create resources under endpoints/restricted can create such Endpoint objects.

Suggestions:

• Grant the RH SSO Operator the permission described above (create on endpoints/restricted).
• If that is not possible or not desired, state in the documentation that, when externalizing to a PostgreSQL database located in another project/namespace inside OpenShift, the format <POD>.<NAMESPACE>.svc.cluster.local should be used instead of the ClusterIP address.
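As an added illustration (not part of this issue and not code from the RH SSO Operator), the following Python script performs the check an administrator would want before applying keycloak-db-secret: it decodes POSTGRES_EXTERNAL_ADDRESS, tests whether the address falls inside the cluster's pod/service IP blocks (the blocks the quoted documentation says ordinary users cannot place in an Endpoints object), and, if so, proposes the cluster-internal Service DNS name together with its base64 form. The CIDRs and the secret contents are constructed sample values (the address is the one from the report); the service name and namespace `postgresql` come from step 1. The DNS name is built from the Service name, because Kubernetes service DNS takes the form <service>.<namespace>.svc.cluster.local.

```python
import base64
import ipaddress

# Assumed pod and service network blocks. On a real cluster read them from the
# Network config (`oc get network.config cluster -o yaml`, fields clusterNetwork
# and serviceNetwork); these constructed values only stand in for them.
RESERVED_CIDRS = ("10.217.0.0/22", "10.217.4.0/23")

# Constructed copy of the relevant keys of keycloak-db-secret, exactly as
# `oc get secret keycloak-db-secret -o yaml` prints them (base64-encoded).
SAMPLE_SECRET_DATA = {
    "POSTGRES_EXTERNAL_ADDRESS": "MTAuMjE3LjUuMTc=",  # "10.217.5.17"
    "POSTGRES_EXTERNAL_PORT": "NTQzMg==",             # "5432"
}


def decode_secret_value(data, key):
    """Return the plaintext of one base64-encoded Secret data value."""
    return base64.b64decode(data[key]).decode()


def is_reserved(address, cidrs=RESERVED_CIDRS):
    """True when `address` is an IP inside one of the reserved pod/service
    blocks. A DNS name is not an IP literal, so it is never reserved and needs
    no Endpoints object carrying a raw address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def service_dns_name(service, namespace):
    """Cluster-internal DNS name of a Service (standard Kubernetes form)."""
    return f"{service}.{namespace}.svc.cluster.local"


def check_external_address(data, cidrs, service, namespace):
    """Decode POSTGRES_EXTERNAL_ADDRESS and report whether it would be rejected
    as an Endpoints address. When it would, propose the Service DNS name and
    its base64 encoding, ready to be written back into the Secret."""
    address = decode_secret_value(data, "POSTGRES_EXTERNAL_ADDRESS")
    if not is_reserved(address, cidrs):
        return {"address": address, "reserved": False,
                "suggestion": None, "suggestion_b64": None}
    dns = service_dns_name(service, namespace)
    return {
        "address": address,
        "reserved": True,
        "suggestion": dns,
        "suggestion_b64": base64.b64encode(dns.encode()).decode(),
    }


if __name__ == "__main__":
    # Service "postgresql" in namespace "postgresql", as in step 1 of the report.
    result = check_external_address(SAMPLE_SECRET_DATA, RESERVED_CIDRS,
                                    "postgresql", "postgresql")
    print(result)
```

When the script reports `reserved: True`, the `suggestion_b64` value can be written into the Secret (for example with `oc patch secret keycloak-db-secret -p '{"data":{"POSTGRES_EXTERNAL_ADDRESS":"<value>"}}'`), after which the operator no longer has to create an Endpoints object pointing into the service network. This only sidesteps the restriction on the client side; the alternative the report names, granting the operator create permission on endpoints/restricted, is a cluster-admin decision and is not changed by this script.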

Assignee: Unassigned
Reporter: Estevao Konecsni (rhn-support-ekonecsn)