KubernetesClientException: Failure executing: POST /api/v1/namespaces/**/secrets
patrickleet opened this issue · 0 comments
patrickleet commented
Is this a request for help?:
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Bug Report
Version of Keycloak-controller:
Helm chart: 0.6.1
controller version: 3.0.0
Version of Keycloak:
11
Version of Kubernetes:
1.16
What happened:
Creating a new KeycloakClient results in an error which requires a manual restart of the keycloak-controller pod. The mappers for the client are not created until this restart happens.
```json
{"timestampSeconds":1599684661,"timestampNanos":491000000,"severity":"ERROR","thread":"OkHttp https://172.20.0.1/...","logger":"com.kiwigrid.keycloak.controller.client.ClientController","message":"keycloak-jx-production/thecareerpathai/nsf-pathway-app-jx-production: KubernetesClientException: Failure executing: POST at: https://172.20.0.1/api/v1/namespaces/jx-production/secrets. Message: resourceVersion should not be set on objects to be created. Received status: Status(apiVersion=v1, code=500, details=null, kind=Status, message=resourceVersion should not be set on objects to be created, metadata=ListMeta(_continue=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=null, status=Failure, additionalProperties={}).","context":"default","serviceContext":{"version":"1.0","service":"keycloak-controller"}}
```
What you expected to happen:
Two things:
- I wouldn't expect there to be an error creating the secret, especially because the secret is actually created despite the error. Maybe it's trying to do it twice.
- If there is an error the process should crash hard so it restarts and then we don't need to restart it manually. While ideally the error wouldn't happen or would be handled appropriately, a hard crash would make the manual intervention unnecessary at least.
How to reproduce it (as minimally and precisely as possible):
Create a new client:
```yaml
apiVersion: k8s.kiwigrid.com/v1beta1
kind: KeycloakClient
metadata:
  name: {{ template "keycloakclient" . }}
spec:
  keycloak: {{ .Values.keycloak.keycloak }}
  realm: {{ .Values.keycloak.realm }}
  clientId: {{ template "keycloakclient" . }}
  clientType: confidential
  defaultClientScopes:
    - email
    - profile
    - roles
  directAccessGrantsEnabled: true
  standardFlowEnabled: true
  implicitFlowEnabled: false
  redirectUris:
  {{- if .Values.keycloak.redirectUris.allowAll }}
    - http://*
    - https://*
  {{- end }}
  {{- if .Values.keycloak.redirectUris.allowLocalhost }}
    - http://localhost*
  {{- end }}
  {{- if .Values.keycloak.redirectUris.includeNamespace }}
    - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace }}.{{ .Values.keycloak.redirectUris.domain }}/*
    - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace }}.{{ .Values.keycloak.redirectUris.domain }}
  {{- else }}
    - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}/*
    - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}
  {{- end }}
  mapper:
    - name: audience
      protocolMapper: oidc-audience-mapper
      config:
        claim.name: audience
        access.token.claim: "true"
        included.client.audience: {{ template "keycloakclient" . }}
    - name: username
      protocolMapper: oidc-usermodel-property-mapper
      config:
        access.token.claim: "true"
        claim.name: username
        jsonType.label: String
        user.attribute: username
    - name: clientRoles
      protocolMapper: oidc-usermodel-client-role-mapper
      config:
        access.token.claim: "true"
        claim.name: clientRoles
        jsonType.label: String
        multivalued: "true"
    - name: roles
      protocolMapper: oidc-usermodel-realm-role-mapper
      config:
        access.token.claim: "true"
        claim.name: roles
        jsonType.label: String
        multivalued: "true"
```
Anything else we need to know:
No
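The error in the log is the API server rejecting a POST whose body already carries `metadata.resourceVersion`, which is exactly what happens when a controller reuses an object it previously fetched or created as the body of a second create. The example below is added here and is not the keycloak-controller's code (that controller is written in Java on the fabric8 client); it is a Python illustration against a constructed in-memory stand-in for the secrets endpoint, with hypothetical secret names and values, showing the failure mode the reporter describes (a second create with a server-populated object) next to a create-or-update path that strips server-owned metadata before creating and carries `resourceVersion` only on updates.

```python
"""Create-or-update a Secret without tripping
'resourceVersion should not be set on objects to be created'.

Added example, not keycloak-controller code. The API server is simulated in
memory so the script runs offline; all names and secret values are constructed.
"""
from copy import deepcopy

# Metadata the API server populates itself; a create request must not carry these.
SERVER_OWNED = ("resourceVersion", "uid", "creationTimestamp",
                "managedFields", "selfLink", "generation")


class FakeApiServer:
    """Minimal stand-in for /api/v1/namespaces/{ns}/secrets with the same
    create/update rules a real apiserver enforces."""

    def __init__(self):
        self._store = {}
        self._rv = 0

    def get(self, namespace, name):
        key = (namespace, name)
        return deepcopy(self._store[key]) if key in self._store else None

    def create(self, namespace, obj):
        md = obj.setdefault("metadata", {})
        if md.get("resourceVersion"):
            raise RuntimeError("resourceVersion should not be set on objects to be created")
        key = (namespace, md["name"])
        if key in self._store:
            raise RuntimeError("AlreadyExists")
        self._rv += 1
        stored = deepcopy(obj)
        stored["metadata"]["resourceVersion"] = str(self._rv)
        stored["metadata"]["uid"] = f"uid-{self._rv}"
        self._store[key] = stored
        return deepcopy(stored)

    def update(self, namespace, obj):
        key = (namespace, obj["metadata"]["name"])
        current = self._store.get(key)
        if current is None:
            raise RuntimeError("NotFound")
        # Optimistic concurrency: the client must send the version it last saw.
        if obj["metadata"].get("resourceVersion") != current["metadata"]["resourceVersion"]:
            raise RuntimeError("Conflict: stale resourceVersion")
        self._rv += 1
        stored = deepcopy(obj)
        stored["metadata"]["resourceVersion"] = str(self._rv)
        self._store[key] = stored
        return deepcopy(stored)


def desired_secret(namespace, name, client_id, client_secret):
    """The Secret a controller would derive from a KeycloakClient (constructed values)."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "Opaque",
            "stringData": {"clientId": client_id, "clientSecret": client_secret}}


def strip_server_fields(obj):
    """Return a copy with server-owned metadata removed, safe to use in a create."""
    cleaned = deepcopy(obj)
    md = cleaned.get("metadata", {})
    for field in SERVER_OWNED:
        md.pop(field, None)
    return cleaned


def create_or_update(api, namespace, desired):
    """Idempotent reconcile step: create when absent, otherwise update in place."""
    existing = api.get(namespace, desired["metadata"]["name"])
    if existing is None:
        return "created", api.create(namespace, strip_server_fields(desired))
    merged = strip_server_fields(desired)
    merged["metadata"]["resourceVersion"] = existing["metadata"]["resourceVersion"]
    return "updated", api.update(namespace, merged)


def buggy_second_create(api, namespace, desired):
    """Reproduces the reported failure: the object returned by the first create
    (now carrying resourceVersion) is posted again. Returns the server's message."""
    first = api.create(namespace, strip_server_fields(desired))
    try:
        api.create(namespace, first)
        return None
    except RuntimeError as err:
        return str(err)


def run_demo():
    """Exercise both paths and return the observable results for checking."""
    api = FakeApiServer()
    spec = desired_secret("jx-production", "app-client", "app", "s3cr3t")
    first_action, first_obj = create_or_update(api, "jx-production", spec)
    rotated = desired_secret("jx-production", "app-client", "app", "rotated")
    second_action, second_obj = create_or_update(api, "jx-production", rotated)
    failure = buggy_second_create(FakeApiServer(), "jx-production", spec)
    return {"first": (first_action, first_obj["metadata"]["resourceVersion"]),
            "second": (second_action, second_obj["metadata"]["resourceVersion"],
                       second_obj["stringData"]["clientSecret"]),
            "buggy_error": failure}


if __name__ == "__main__":
    print(run_demo())
```

The reconcile loop gets the same outcome whether the Secret exists or not, which is what makes a restart unnecessary: a retry after a transient error simply lands on the update branch instead of failing a second create. The `Conflict` check in the fake server is there to show why `resourceVersion` is kept on updates even though it must be dropped on creates.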