Univention Bugzilla – Bug 57265
Keycloak healthcheck in 24.0.3 does not wait long enough to ensure API authentication can take place
Last modified: 2024-05-21 14:41:19 CEST
The Keycloak upstream team has adjusted their container healthcheck in the 24.0.3 release. It appears to not be as long as it was before. We see an increased "flakiness" in the Keycloak installation in our nightly tests. From time to time, the joinscript fails after a new installation. The reason is that the keycloak container is restarted in that joinscript. We are currently waiting for the container to be healthy before we start to use univention-keycloak to create the UCS realm. Sometimes, the container is not ready yet to accept authentication. We get the following traceback:

^MRestarting keycloak ... done
^M Using bind-dn:
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 2782, in init_keycloak_ucs
    kc_admin = KeycloakAdmin(server_url=opt.keycloak_url, username=opt.binduser, password=opt.bindpwd, realm_name=opt.realm, user_realm_name=DEFAULT_REALM, verify=opt.no_ssl_verify)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'

We should change our logic in the joinscript to also wait until proper authentication can take place.
The keycloak app 24.0.3-ucs1 was re-released with cdb4da00115364a60b30dbef2ab10926e90af0d3, which added the metrics endpoint to the app, as well as a check that univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get works without a traceback.
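One way to wait for working authentication rather than container health alone, as described in the comments above. This is an added example, not the code from the referenced commit or from the Univention joinscript: the names `wait_until_ok`, `wait_for_keycloak_auth` and `flaky_probe` and the retry defaults are assumptions, and only the `univention-keycloak ... realms get` probe is taken from this page.

```shell
#!/bin/sh
# wait_until_ok MAX_ATTEMPTS INTERVAL_SECONDS CMD [ARGS...]
# Re-runs CMD until it exits 0. Returns 1 after MAX_ATTEMPTS failures and
# prints the last probe's output to stderr so the real error is not hidden.
wait_until_ok() {
    max_attempts=$1
    interval=$2
    shift 2
    attempt=1
    last_output=$(mktemp) || return 1
    while [ "$attempt" -le "$max_attempts" ]; do
        if "$@" >"$last_output" 2>&1; then
            rm -f "$last_output"
            return 0
        fi
        echo "probe $attempt/$max_attempts failed" >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$max_attempts" ]; then
            sleep "$interval"
        fi
    done
    cat "$last_output" >&2
    rm -f "$last_output"
    return 1
}

# Probe taken from this page: succeeds only once admin authentication works.
# The defaults (30 attempts, 10 s apart) are assumptions, not project values.
wait_for_keycloak_auth() {
    wait_until_ok "${1:-30}" "${2:-10}" \
        univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get
}

# Constructed stand-in for a container that reports healthy but still rejects
# logins: fails until it has been called READY_AFTER times.
probe_calls=0
flaky_probe() {
    probe_calls=$((probe_calls + 1))
    if [ "$probe_calls" -lt "${READY_AFTER:-3}" ]; then
        echo 'constructed error: 401 invalid_grant' >&2
        return 1
    fi
    echo 'constructed success: realm list returned'
}
```

In a joinscript, `wait_for_keycloak_auth` would run after the container restart and before the realm is created, with the script aborting if it returns non-zero.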