Keycloak Operator 9.0.0 does not work

Looks like the current version of the Operator fails to install when using the CRC 1.7 or 1.5 version. After the install, the default example-keycloak ends up with

/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json (Permission denied)

Can we get the image updated perhaps that fixes the issue?

Ramesh…


Installing the latest k8s deployment manifests (i.e., CRDs, RBAC stuff, deployment) for keycloak operator 9.0.0 yields a keycloak operator pod that will not accept the RBAC settings described in the install README. Operator pod logs are as follows.

Everything (i.e., SA, role, rolebinding) is properly installed in the "keycloak" namespace, and the keycloak operator is correctly using the "keycloak-operator" service account. This feels like there is some sort of hardcoding in the operator app's codebase that is creating this issue.

Any suggestions?

{"level":"info","ts":1585421323.0078278,"logger":"leader","msg":"Trying to become the leader."}
{"level":"error","ts":1585421325.9147482,"logger":"k8sutil","msg":"Failed to get Pod","Pod.Namespace":"keycloak","Pod.Name":"keycloak-operator-6bddc67bc9-lqksg","error":"pods \"keycloak-operator-6bddc67bc9-lqksg\" is forbidden: User \"system:serviceaccount:keycloak:keycloak-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"keycloak\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/src/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/k8sutil.GetPod\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/k8sutil/k8sutil.go:128\ngithub.com/operator-framework/operator-sdk/pkg/leader.myOwnerRef\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/leader/leader.go:160\ngithub.com/operator-framework/operator-sdk/pkg/leader.Become\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/leader/leader.go:67\nmain.main\n\t/src/cmd/manager/main.go:96\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:200"}
{"level":"error","ts":1585421325.9148312,"logger":"cmd","msg":"","error":"pods \"keycloak-operator-6bddc67bc9-lqksg\" is forbidden: User \"system:serviceaccount:keycloak:keycloak-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"keycloak\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/src/vendor/github.com/go-logr/zapr/zapr.go:128\nmain.main\n\t/src/cmd/manager/main.go:98\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:200"}

Disregard! The failure was in fact due to a fat-finger RBAC setting on my part. I had explicitly namespaced both the SA and the role to the keycloak namespace but forgot to do the same for the rolebinding. Doh!

The RBAC manifest I used to correct things is pasted below:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-operator
  namespace: keycloak
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: keycloak-operator
  namespace: keycloak
subjects:
  - kind: ServiceAccount
    name: keycloak-operator
    namespace: keycloak
roleRef:
  kind: Role
  name: keycloak-operator
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-operator
  namespace: keycloak
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
    verbs:
      - list
      - get
      - create
      - patch
      - update
      - watch
      - delete
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
      - prometheusrules
      - podmonitors
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - integreatly.org
    resources:
      - grafanadashboards
    verbs:
      - get
      - list
      - create
      - update
      - watch
  - apiGroups:
      - apps
    resourceNames:
      - keycloak-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - create
      - update
      - watch
  - apiGroups:
      - keycloak.org
    resources:
      - keycloaks
      - keycloaks/status
      - keycloaks/finalizers
      - keycloakrealms
      - keycloakrealms/status
      - keycloakrealms/finalizers
      - keycloakclients
      - keycloakclients/status
      - keycloakclients/finalizers
      - keycloakbackups
      - keycloakbackups/status
      - keycloakbackups/finalizers
      - keycloakusers
      - keycloakusers/status
      - keycloakusers/finalizers
    verbs:
      - get
      - list
      - update
      - watch
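The mistake above (a RoleBinding without metadata.namespace, so it lands in whatever namespace the kubectl context defaults to) is easy to catch before applying. This added example, not code from the thread or the Keycloak project, parses the operator's "forbidden" log line and checks whether a given RoleBinding/Role pair would actually grant that request. The manifests are constructed Python dicts equivalent to the YAML in the post (the Role is abridged to the core rule); the assumed default namespace for an un-namespaced binding is "default".

```python
import json
import re

# Constructed: the RoleBinding as first (mis)applied, with no metadata.namespace.
BROKEN_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "keycloak-operator"},
    "subjects": [{"kind": "ServiceAccount", "name": "keycloak-operator", "namespace": "keycloak"}],
    "roleRef": {"kind": "Role", "name": "keycloak-operator"},
}
# Constructed: the corrected binding from the post, explicitly namespaced.
FIXED_BINDING = {**BROKEN_BINDING, "metadata": {"name": "keycloak-operator", "namespace": "keycloak"}}
# Constructed: the Role from the post, abridged to the core-API rule.
ROLE = {
    "kind": "Role", "metadata": {"name": "keycloak-operator", "namespace": "keycloak"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
               "verbs": ["list", "get", "create", "patch", "update", "watch", "delete"]}],
}
# One operator log line from the thread (stacktrace dropped), as a raw JSON string.
LOG_LINE = r'{"level":"error","logger":"k8sutil","msg":"Failed to get Pod","error":"pods \"keycloak-operator-6bddc67bc9-lqksg\" is forbidden: User \"system:serviceaccount:keycloak:keycloak-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"keycloak\""}'

FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<target>[^"]+)"')

def parse_forbidden(line):
    """Extract subject, verb, resource, API group and target namespace from the log line."""
    m = FORBIDDEN.search(json.loads(line).get("error", ""))
    return m.groupdict() if m else None

def role_allows(role, group, resource, verb):
    return any(group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in role["rules"])

def binding_grants(binding, role, req, applied_ns="default"):
    """Return None if binding+role satisfy the request, else the reason they do not."""
    ns = binding["metadata"].get("namespace", applied_ns)
    if ns != req["target"]:
        return f"RoleBinding lives in namespace {ns!r}, request is for {req['target']!r}"
    if role["metadata"]["namespace"] != ns:
        # A roleRef of kind Role is resolved in the binding's own namespace.
        return f"Role is in {role['metadata']['namespace']!r}, binding in {ns!r}"
    if not any(s["kind"] == "ServiceAccount" and s["name"] == req["sa"]
               and s.get("namespace") == req["ns"] for s in binding["subjects"]):
        return "no subject matches the calling service account"
    if not role_allows(role, req["group"], req["res"], req["verb"]):
        return f"Role does not grant {req['verb']} on {req['res']!r}"
    return None
```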

Are you installing from OperatorHub?

The fix for this particular problem should be released in 9.0.2. See https://issues.redhat.com/browse/KEYCLOAK-13057

Any idea when 9.0.2 hits the OperatorHub?