1 - Infra

• Openshift 4.x deployed on bare metal.
• RH-SSO operator 7.61
• External PostgreSQL database
• Dual stack IPv4/IPv6 configured OR IPV6 only, without IPv4 (This is only supported on bare metal).

Note:

Having IPv6 support only is a specificity of Openshift, when installed on bare metal.

See doc
https://docs.openshift.com/container-platform/4.13/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.html#installing-ocp-agent-boot_installing-with-agent-based-installer

2. Issue description

2.1) OCP/RH-SSO operator 7.6.1 is working with FINE dual stack IPv4/IPv6 configured, when connecting to an external PostgreSQL database.

2.2) When IPV4 is removed, and there is only IPv6 interface, keycloak-0 pod is not coming up and healthcheck probes (Liveness / Readiness) are failing.

~~~
~~~
oc get po
NAME READY STATUS RESTARTS AGE

keycloak-0 0/1 Running 1 (5m38s ago) 11m
~~~

and event messages

~~~
12m Normal Pulling pod/keycloak-0 Pulling image "registry.redhat.io/rh-sso-7/sso7-rhel8-init-container@sha256:89dd17de222ac44106e7a881cac48f7715721dd1eb9aeb6d1d74ff15a8d41ef5"
12m Normal Pulled pod/keycloak-0 Successfully pulled image "registry.redhat.io/rh-sso-7/sso7-rhel8-init-container@sha256:89dd17de222ac44106e7a881cac48f7715721dd1eb9aeb6d1d74ff15a8d41ef5" in 10.114006897s (10.114014439s including waiting)
12m Normal Pulling pod/keycloak-0 Pulling image "registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:5841ed3857211f5b84b207ea01177fac1d2b68fdbac6178598ecd48936c1b3ab"
12m Normal Started pod/keycloak-0 Started container extensions-init
12m Normal Created pod/keycloak-0 Created container extensions-init
12m Normal Pulled pod/keycloak-0 Successfully pulled image "registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:5841ed3857211f5b84b207ea01177fac1d2b68fdbac6178598ecd48936c1b3ab" in 105.598703ms (105.604615ms including waiting)
12m Normal Created pod/keycloak-0 Created container keycloak
12m Normal Started pod/keycloak-0 Started container keycloak
119s Warning Unhealthy pod/keycloak-0 Liveness probe failed:
7m2s Warning Unhealthy pod/keycloak-0 Readiness probe failed: {...
~~~

2.3) When the IPv4 is enabled back again, keycloak-0 pod is able to come up successfully.

3) Synthesis

This shows that OCP/RH-SSO is not able to connect to the PostgreSQL database if only IPv6 interface (and IPv4 disabled) is configured on Openshift (installed on bare metal).

As soon as IPV4 is reenabled to have dual stack support (IPv4, IPv6), Keycloak-0 pod is able to come up successfully.

It means that there is an underlying network communication issue when IPv4 is disabled, as RH-SSO is not able to communicate with the PostgreSQL database.