KubernetesClientException: Failure executing: POST /api/v1/namespaces/**/secrets #34

Closed
patrickleet opened this issue Sep 9, 2020 · 0 comments

patrickleet commented Sep 9, 2020

Is this a request for help?:


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

Bug Report

Version of Keycloak-controller:

Helm chart: 0.6.1
controller version: 3.0.0

Version of Keycloak:

11

Version of Kubernetes:

1.16

What happened:

Creating a new KeycloakClient results in an error which requires a manual restart of the keycloak-controller pod. The mappers for the client are not created until this restart happens.

```json
{"timestampSeconds":1599684661,"timestampNanos":491000000,"severity":"ERROR","thread":"OkHttp https://172.20.0.1/...","logger":"com.kiwigrid.keycloak.controller.client.ClientController","message":"keycloak-jx-production/thecareerpathai/nsf-pathway-app-jx-production: KubernetesClientException: Failure executing: POST at: https://172.20.0.1/api/v1/namespaces/jx-production/secrets. Message: resourceVersion should not be set on objects to be created. Received status: Status(apiVersion=v1, code=500, details=null, kind=Status, message=resourceVersion should not be set on objects to be created, metadata=ListMeta(_continue=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=null, status=Failure, additionalProperties={}).","context":"default","serviceContext":{"version":"1.0","service":"keycloak-controller"}}
```

What you expected to happen:

Two things:

  1. I wouldn't expect there to be an error creating the secret, especially because the secret is actually created despite the error. Maybe it's trying to do it twice.
  2. If there is an error the process should crash hard so it restarts and then we don't need to restart it manually. While ideally the error wouldn't happen or would be handled appropriately, a hard crash would make the manual intervention unnecessary at least.

How to reproduce it (as minimally and precisely as possible):

Create a new client:

```yaml
apiVersion: k8s.kiwigrid.com/v1beta1
kind: KeycloakClient
metadata:
  name: {{ template "keycloakclient" . }}
spec:
  keycloak: {{ .Values.keycloak.keycloak }}
  realm: {{ .Values.keycloak.realm }}
  clientId: {{ template "keycloakclient" . }}
  clientType: confidential
  defaultClientScopes:
  - email
  - profile
  - roles
  directAccessGrantsEnabled: true
  standardFlowEnabled: true
  implicitFlowEnabled: false
  redirectUris:
{{- if .Values.keycloak.redirectUris.allowAll }}
  - http://*
  - https://*
{{- end }}
{{- if .Values.keycloak.redirectUris.allowLocalhost }}
  - http://localhost*
{{- end }}
{{- if .Values.keycloak.redirectUris.includeNamespace }}
  - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace}}.{{ .Values.keycloak.redirectUris.domain }}/*
  - https://{{ .Values.keycloak.redirectUris.serviceName }}-{{ .Release.Namespace}}.{{ .Values.keycloak.redirectUris.domain }}
{{- else }}
  - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}/*
  - https://{{ .Values.keycloak.redirectUris.serviceName }}.{{ .Values.keycloak.redirectUris.domain }}
{{- end }}
  mapper:
  - name: audience
    protocolMapper: oidc-audience-mapper
    config:
      claim.name: audience
      access.token.claim: "true"
      included.client.audience: {{ template "keycloakclient" . }}
  - name: username
    protocolMapper: oidc-usermodel-property-mapper
    config:
      access.token.claim: "true"
      claim.name: username
      jsonType.label: String
      user.attribute: username
  - name: clientRoles
    protocolMapper: oidc-usermodel-client-role-mapper
    config:
      access.token.claim: "true"
      claim.name: clientRoles
      jsonType.label: String
      multivalued: "true"
  - name: roles
    protocolMapper: oidc-usermodel-realm-role-mapper
    config:
      access.token.claim: "true"
      claim.name: roles
      jsonType.label: String
      multivalued: "true"
```

Anything else we need to know:

No
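
Added example, not part of the original issue or the keycloak-controller code base: a Python filter that picks failed Kubernetes API calls like the one reported above out of the controller's JSON log stream, so the condition can be alerted on instead of found by hand. The sample lines, the client name `keycloak/example-realm/example-client` and the function name `failed_api_writes` are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Message layout taken from the log line in the report:
# "<client>: KubernetesClientException: Failure executing: <VERB> at: <URL>. Message: <text>. Received status: Status(..., code=<n>, ...)"
FAILURE_RE = re.compile(
    r"^(?P<client>\S+): KubernetesClientException: Failure executing: "
    r"(?P<verb>[A-Z]+) at: (?P<url>\S+?)\. Message: (?P<reason>.*?)\. "
    r"Received status: Status\(.*?\bcode=(?P<code>\d+)"
)
PATH_RE = re.compile(r"/namespaces/(?P<namespace>[^/]+)/(?P<kind>[^/]+)")

# Constructed sample input shaped like the controller's JSON log lines
# (client name and INFO entry are made up; the last line mimics stray non-JSON output).
SAMPLE_LOG = [
    json.dumps({"timestampSeconds": 1599684661, "severity": "ERROR",
        "logger": "com.kiwigrid.keycloak.controller.client.ClientController",
        "message": "keycloak/example-realm/example-client: KubernetesClientException: "
            "Failure executing: POST at: https://172.20.0.1/api/v1/namespaces/jx-production/secrets. "
            "Message: resourceVersion should not be set on objects to be created. "
            "Received status: Status(apiVersion=v1, code=500, details=null, kind=Status)."}),
    json.dumps({"timestampSeconds": 1599684662, "severity": "INFO",
        "logger": "example.Logger", "message": "constructed informational line"}),
    "not json at all",
]

def failed_api_writes(lines):
    """Return one dict per ERROR entry that records a failed Kubernetes API call."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # tolerate non-JSON output mixed into the stream
        if not isinstance(entry, dict) or entry.get("severity") != "ERROR":
            continue
        m = FAILURE_RE.match(str(entry.get("message", "")))
        if not m:
            continue
        path = PATH_RE.search(urlsplit(m["url"]).path)
        findings.append({
            "time": entry.get("timestampSeconds"),
            "client": m["client"], "verb": m["verb"], "code": int(m["code"]),
            "namespace": path["namespace"] if path else None,
            "kind": path["kind"] if path else None,
            "reason": m["reason"],
        })
    return findings
```

Feeding it the controller pod's log lines yields one record per failed call, with the affected client, namespace and resource kind, which is enough to drive an alert for the stuck state described in the report.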

patrickleet added a commit to patrickleet/keycloak-controller that referenced this issue Oct 22, 2020
patrickleet added a commit to patrickleet/keycloak-controller that referenced this issue Oct 24, 2020
patrickleet added a commit to patrickleet/keycloak-controller that referenced this issue Oct 24, 2020
fixes kiwigrid#34 and fixes kiwigrid#40

chore: update gitignore with files from VSCode

test: update test script

fix: ci refactor + fixes kiwigrid#34, fixes kiwigrid#40

chore: test more kube versions