Looks like the current version of the Operator fails to install when using CRC version 1.7 or 1.5. After the install, the default example-keycloak
ends up with
/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json (Permission denied)
Can we get the image updated perhaps that fixes the issue?
Ramesh…
Installing the latest k8s deployment manifests (i.e., CRDs, RBAC stuff, deployment) for keycloak operator 9.0.0 yields a keycloak operator pod that will not accept the RBAC settings described in the install README. Operator pod logs are as follows.
Everything (i.e., SA, role, rolebinding) is properly installed in the “keycloak” namespace and the keycloak operator is correctly using the “keycloak operator” service account. This feels like there is some sort of hardcoding in the operator app’s codebase that is creating this issue.
Any suggestions?
{"level":"info","ts":1585421323.0078278,"logger":"leader","msg":"Trying to become the leader."}
{"level":"error","ts":1585421325.9147482,"logger":"k8sutil","msg":"Failed to get Pod","Pod.Namespace":"keycloak","Pod.Name":"keycloak-operator-6bddc67bc9-lqksg","error":"pods \"keycloak-operator-6bddc67bc9-lqksg\" is forbidden: User \"system:serviceaccount:keycloak:keycloak-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"keycloak\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/src/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/operator-framework/operator-sdk/pkg/k8sutil.GetPod\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/k8sutil/k8sutil.go:128\ngithub.com/operator-framework/operator-sdk/pkg/leader.myOwnerRef\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/leader/leader.go:160\ngithub.com/operator-framework/operator-sdk/pkg/leader.Become\n\t/src/vendor/github.com/operator-framework/operator-sdk/pkg/leader/leader.go:67\nmain.main\n\t/src/cmd/manager/main.go:96\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:200"}
{"level":"error","ts":1585421325.9148312,"logger":"cmd","msg":"","error":"pods \"keycloak-operator-6bddc67bc9-lqksg\" is forbidden: User \"system:serviceaccount:keycloak:keycloak-operator\" cannot get resource \"pods\" in API group \"\" in the namespace \"keycloak\"","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/src/vendor/github.com/go-logr/zapr/zapr.go:128\nmain.main\n\t/src/cmd/manager/main.go:98\nruntime.main\n\t/usr/lib/golang/src/runtime/proc.go:200"}
Disregard! The failure was in fact due to a fat-finger RBAC setting on my part. I had explicitly namespaced both the SA and the role to the keycloak namespace but forgot to do the same for the rolebinding. Doh!
The RBAC manifest I used to correct things is pasted below:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-operator
  namespace: keycloak
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: keycloak-operator
  namespace: keycloak
subjects:
  - kind: ServiceAccount
    name: keycloak-operator
    namespace: keycloak
roleRef:
  kind: Role
  name: keycloak-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-operator
  namespace: keycloak
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
    verbs:
      - list
      - get
      - create
      - patch
      - update
      - watch
      - delete
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
      - prometheusrules
      - podmonitors
    verbs:
      - list
      - get
      - create
      - update
      - watch
  - apiGroups:
      - integreatly.org
    resources:
      - grafanadashboards
    verbs:
      - get
      - list
      - create
      - update
      - watch
  - apiGroups:
      - apps
    resourceNames:
      - keycloak-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - create
      - update
      - watch
  - apiGroups:
      - keycloak.org
    resources:
      - keycloaks
      - keycloaks/status
      - keycloaks/finalizers
      - keycloakrealms
      - keycloakrealms/status
      - keycloakrealms/finalizers
      - keycloakclients
      - keycloakclients/status
      - keycloakclients/finalizers
      - keycloakbackups
      - keycloakbackups/status
      - keycloakbackups/finalizers
      - keycloakusers
      - keycloakusers/status
      - keycloakusers/finalizers
    verbs:
      - get
      - list
      - update
      - watch
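The "forbidden" log line above and the RoleBinding-namespace mistake that caused it can be reproduced offline with a small model of namespaced RBAC evaluation. The following is an added example, not code from the Keycloak operator project or from anyone in this thread: the three objects are a constructed, trimmed copy of the ServiceAccount / Role / RoleBinding from the post (only a few of the Role's rules are carried over), and `can_i()` / `explain_failure()` are illustrative helpers that apply the rule the API server applies, namely that a Role grants nothing unless a RoleBinding in the *same* namespace binds it to the subject.

```python
"""Namespaced RBAC check mirroring the thread's failure mode (added example).

The manifests are constructed Python dicts (no YAML library needed) based on
the Role/RoleBinding/ServiceAccount posted above, with only some rules kept.
"""

SA_NS, SA_NAME = "keycloak", "keycloak-operator"


def manifests(rolebinding_namespace):
    """Return the three RBAC objects. The RoleBinding namespace is a parameter
    so the broken variant (binding landed in 'default') and the fixed one
    (binding in 'keycloak') can be compared side by side."""
    return [
        {"kind": "ServiceAccount",
         "metadata": {"name": SA_NAME, "namespace": SA_NS}},
        {"kind": "Role",
         "metadata": {"name": "keycloak-operator", "namespace": "keycloak"},
         "rules": [
             {"apiGroups": [""],
              "resources": ["pods", "services", "endpoints", "configmaps", "secrets"],
              "verbs": ["list", "get", "create", "patch", "update", "watch", "delete"]},
             {"apiGroups": ["apps"],
              "resources": ["deployments", "statefulsets"],
              "verbs": ["list", "get", "create", "update", "watch"]},
             {"apiGroups": ["apps"], "resourceNames": ["keycloak-operator"],
              "resources": ["deployments/finalizers"], "verbs": ["update"]},
         ]},
        {"kind": "RoleBinding",
         "metadata": {"name": "keycloak-operator", "namespace": rolebinding_namespace},
         "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NS}],
         "roleRef": {"kind": "Role", "name": "keycloak-operator",
                     "apiGroup": "rbac.authorization.k8s.io"}},
    ]


def _rule_matches(rule, verb, group, resource, name=None):
    """One PolicyRule: apiGroups, resources and verbs must all match ('*' is a
    wildcard); resourceNames, when present, restricts to the named objects."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    if "*" not in groups and group not in groups:
        return False
    if "*" not in resources and resource not in resources:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    names = rule.get("resourceNames")
    if names and name not in names:
        return False
    return True


def can_i(objs, sa_ns, sa_name, verb, resource, namespace, group="", name=None):
    """Decide whether ServiceAccount sa_ns/sa_name may do <verb> on <resource>
    in <namespace>. Only Role + RoleBinding pairs are modelled (no ClusterRole),
    which is the shape of the manifest in the thread."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objs if o["kind"] == "Role"}
    for o in objs:
        if o["kind"] != "RoleBinding":
            continue
        # RoleBindings are namespaced: one in another namespace grants nothing here.
        if o["metadata"]["namespace"] != namespace:
            continue
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_ns for s in o["subjects"])
        if not bound or o["roleRef"]["kind"] != "Role":
            continue
        role = roles.get((namespace, o["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef: the binding exists but grants nothing
        if any(_rule_matches(r, verb, group, resource, name) for r in role["rules"]):
            return True
    return False


def explain_failure(objs, sa_ns, sa_name, namespace):
    """First-pass diagnosis for a 'cannot get resource pods' log line."""
    if can_i(objs, sa_ns, sa_name, "get", "pods", namespace):
        return "ok"
    misplaced = [o["metadata"]["namespace"] for o in objs
                 if o["kind"] == "RoleBinding" and o["metadata"]["namespace"] != namespace]
    if misplaced:
        return "RoleBinding lives in %s but the operator needs it in %r" % (
            ", ".join(misplaced), namespace)
    return "no RoleBinding in this namespace grants get on pods"


if __name__ == "__main__":
    # The poster's mistake: SA and Role namespaced to keycloak, RoleBinding not.
    print(explain_failure(manifests("default"), SA_NS, SA_NAME, "keycloak"))
    print(explain_failure(manifests("keycloak"), SA_NS, SA_NAME, "keycloak"))
```

Against a live cluster the equivalent question is asked with `kubectl auth can-i get pods --as=system:serviceaccount:keycloak:keycloak-operator -n keycloak`, which answers "no" for exactly the misplaced-binding case modelled here; the script is only useful for reasoning about manifests before they are applied.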
Are you installing from OperatorHub?
The fix for this particular problem should be released in 9.0.2. See https://issues.redhat.com/browse/KEYCLOAK-13057
Any idea when 9.0.2 hits the OperatorHub?