Description Julia Bremer 2024-05-08 10:51:29 CEST

The Keylcoak upstream team has adjusted their container healthcheck in the 24.0.3 release.
It appears to not be as long as it was before. 
We see an increased "falkiness" in the Keycloak installation in our nightly tests. 
From time to time, the joinscript fails after a new installation.
Reason being, that the keycloak container is restarted in that joinscript.
We are currently waiting for the container to be healthy, before we start to use  univention-keycloak to create the UCS realm.
Sometimes, the container is not ready yet to accept authentication.
We get the following traceback: 

  ^MRestarting keycloak ...  done ^M
Using bind-dn:
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 2782, in init_keycloak_ucs
    kc_admin = KeycloakAdmin(server_url=opt.keycloak_url, username=opt.binduser, password=opt.bindpwd, realm_name=opt.realm, user_realm_name=DEFAULT_REALM, verify=opt.no_ssl_verify)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
    self.get_token()
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
    self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
  File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
    return raise_error_from_response(data_raw, KeycloakGetError)
  File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
    response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'

We should change our logic in the joinscript to also wait until proper authentication can take place.