[bitnami/keycloak-config-cli] Importing Realm With Identity Provider Error #29851

a-priestley opened this issue Oct 9, 2024 · 13 comments · May be fixed by #30840
Labels: keycloak; tech-issues (The user has a technical issue about an application); triage (Triage is needed)

Comments

@a-priestley

Name and Version

bitnami/keycloak-config-cli:6.1.6-debian-12-r4

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Using the bitnami/keycloak Helm chart version 24 (keycloak version 26)
  2. Configure keycloak-config-cli with a realm using an identity-provider:
keycloakConfigCli:
  configuration:
    test.json: |
      {
        "realm" : "test",
        "identityProviders": [
          {
            "alias": "my-idp"
            // rest of config
          }
        ]
      }
  3. Deploy using helm
  4. Note the following error in the config-cli logs:
2024-10-09T13:47:27.499Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : jakarta.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "hideOnLogin" (class org.keycloak.representations.idm.IdentityProviderRepresentation), not marked as ignorable (15 known properties: "enabled", "firstBrokerLoginFlowAlias", "trustEmail", "linkOnly", "providerId", "displayName", "alias", "postBrokerLoginFlowAlias", "addReadTokenRoleOnCreate", "authenticateByDefault", "internalId", "updateProfileFirstLogin", "updateProfileFirstLoginMode", "config", "storeToken"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 317] (through reference chain: java.util.ArrayList[0]->org.keycloak.representations.idm.IdentityProviderRepresentation["hideOnLogin"])
2024-10-09T13:47:27.500Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : keycloak-config-cli ran in 00:05.701.
  5. Also note that although the deployment status is marked as "failed", the realm import goes ahead.

What is the expected behavior?

When exporting a realm as json manually, we can see that hideOnLogin is included as a property of identityProviders.
keycloak-config-cli should identify hideOnLogin as a valid field for identityProviders.

What do you see instead?

The error above suggests that keycloak-config-cli does not currently have the correct definition for the property in question.

Additional information

Checking the upstream source, note that a similar definition exists, but it is nested within the config property, and possesses the name hideOnLoginPage.

@a-priestley a-priestley added the tech-issues The user has a technical issue about an application label Oct 9, 2024
@github-actions github-actions bot added the triage Triage is needed label Oct 9, 2024
@carrodher carrodher transferred this issue from bitnami/containers Oct 9, 2024
@carrodher
Member

Thank you for bringing this issue to our attention. We appreciate your involvement! If you're interested in contributing a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.

@rblaine95
Contributor

rblaine95 commented Oct 11, 2024

This appears to be due to Keycloak Config CLI not currently supporting Keycloak 26 (adorsys/keycloak-config-cli#1160)

2024-10-11T09:05:15.634Z  WARN 1 --- [           main] d.a.k.config.provider.KeycloakProvider   : Local keycloak-config-cli (6.1.6-25.0.1) and remote Keycloak (26.0.0) may not compatible.
2024-10-11T09:05:16.147Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : jakarta.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "hideOnLogin" (class org.keycloak.representations.idm.IdentityProviderRepresentation), not marked as ignorable (15 known properties: "enabled", "firstBrokerLoginFlowAlias", "trustEmail", "linkOnly", "providerId", "displayName", "alias", "postBrokerLoginFlowAlias", "addReadTokenRoleOnCreate", "authenticateByDefault", "internalId", "updateProfileFirstLogin", "updateProfileFirstLoginMode", "config", "storeToken"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 314] (through reference chain: java.util.ArrayList[0]->org.keycloak.representations.idm.IdentityProviderRepresentation["hideOnLogin"])

I am experiencing this in testing upgrading bitnami/keycloak 22 -> 23 -> 24.

$ k get job keycloak-keycloak-config-cli -o yaml | grep image
        image: docker.io/bitnami/keycloak-config-cli:6.1.6-debian-12-r4
$ k get job keycloak-keycloak-config-cli -o jsonpath='{.metadata.labels}' | jq
{
  "app.kubernetes.io/component": "keycloak-config-cli",
  "app.kubernetes.io/instance": "keycloak",
  "app.kubernetes.io/managed-by": "Helm",
  "app.kubernetes.io/name": "keycloak",
  "app.kubernetes.io/version": "26.0.0",
  "helm.sh/chart": "keycloak-24.0.0",
  "tags.datadoghq.com/env": "local",
  "tags.datadoghq.com/service": "keycloak",
  "tags.datadoghq.com/version": "26.0.0"
}
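
A pre-flight check built from the WARN and ERROR lines quoted above, as an added example that is not part of this thread or of keycloak-config-cli. It extracts the version pair and the known-property list from the log, then flags identity-provider keys in a realm JSON (such as a manual export) that fall outside that list. Assumptions: `6.1.6-25.0.1` is read as the CLI version followed by the Keycloak version it targets; the function names and the sample realm are hypothetical.

```python
import re

# Constructed sample: the WARN and ERROR lines quoted in this thread, prefixes trimmed.
SAMPLE_LOG = (
    "WARN d.a.k.config.provider.KeycloakProvider : Local keycloak-config-cli "
    "(6.1.6-25.0.1) and remote Keycloak (26.0.0) may not compatible.\n"
    'ERROR ... UnrecognizedPropertyException: Unrecognized field "hideOnLogin" '
    "(class org.keycloak.representations.idm.IdentityProviderRepresentation), "
    'not marked as ignorable (15 known properties: "enabled", '
    '"firstBrokerLoginFlowAlias", "trustEmail", "linkOnly", "providerId", '
    '"displayName", "alias", "postBrokerLoginFlowAlias", "addReadTokenRoleOnCreate", '
    '"authenticateByDefault", "internalId", "updateProfileFirstLogin", '
    '"updateProfileFirstLoginMode", "config", "storeToken"])\n'
)
# Constructed realm fragment, shaped like a manual export that carries hideOnLogin.
SAMPLE_REALM = {"realm": "test", "identityProviders": [
    {"alias": "my-idp", "providerId": "oidc", "enabled": True, "hideOnLogin": False}]}

VERSIONS = re.compile(
    r"Local keycloak-config-cli \(([\d.]+)-([\d.]+)\) and remote Keycloak \(([\d.]+)\)")
UNKNOWN = re.compile(r'Unrecognized field "([^"]+)" \(class ([\w.]+)\), not marked as '
                     r"ignorable \(\d+ known properties: ([^\]]*)\]")

def parse_log(text):
    """Return (version_info or None, list of schema errors) from config-cli log text."""
    versions, errors = None, []
    m = VERSIONS.search(text)
    if m:
        cli, built_for, remote = m.groups()
        # Assumption: the suffix after the dash is the Keycloak version the CLI targets.
        versions = {"cli": cli, "built_for": built_for, "remote": remote,
                    "major_mismatch": built_for.split(".")[0] != remote.split(".")[0]}
    for field, cls, known in UNKNOWN.findall(text):
        errors.append({"field": field, "class": cls.rsplit(".", 1)[-1],
                       "known": set(re.findall(r'"([^"]+)"', known)),
                       # Jackson cuts long lists short; a cut list is not a usable schema.
                       "truncated": "[truncated" in known})
    return versions, errors

def unsupported_idp_fields(realm, error):
    """Map each identity-provider alias to keys absent from the client's known list."""
    if error["truncated"]:
        raise ValueError("known-property list is truncated; cannot use it as a schema")
    found = {}
    for idp in realm.get("identityProviders", []):
        extra = sorted(set(idp) - error["known"])
        if extra:
            found[idp.get("alias")] = extra
    return found
```
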


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Oct 27, 2024
@rblaine95
Contributor

rblaine95 commented Oct 31, 2024

I don't think this issue is stale, but I think it should be reworded to something along the lines of "Keycloak Config CLI doesn't currently support Keycloak 26 so bitnami/keycloak@24 is broken until Config CLI is updated. At least, only if you use the Config CLI."

But maybe a little more concise than that ^

@github-actions github-actions bot removed the stale 15 days without activity label Nov 1, 2024
@sidick

sidick commented Nov 4, 2024

I'm finding the same issue now, but with 26.0.5 it means the job shows as Failed. Ideally this should be documented somewhere

2024-11-04T15:17:02.599Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : jakarta.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "bruteForceStrategy" (class org.keycloak.representations.idm.RealmRepresentation), not marked as ignorable (143 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1304] (through reference chain: org.keycloak.representations.idm.RealmRepresentation["bruteForceStrategy"])

@rblaine95
Contributor

There's a PR open for updating Keycloak Config CLI to Keycloak 26.

adorsys/keycloak-config-cli#1162

@rblaine95
Contributor

adorsys/keycloak-config-cli#1162 has been merged, now for the Bitnami container to be built 🙌


github-actions bot commented Dec 1, 2024

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Dec 1, 2024
@rblaine95
Contributor

I don't think this is stale.
I believe Bitnami is waiting for adorsys/keycloak-config-cli#1220 (a release or a tag) and then Bitnami will need to build their own image (https://github.com/bitnami/containers/tree/main/bitnami/keycloak-config-cli).

@github-actions github-actions bot removed the stale 15 days without activity label Dec 3, 2024
@tanadeau

tanadeau commented Dec 3, 2024

The docker image isn't ready yet. See adorsys/keycloak-config-cli#1220 (comment).

@rblaine95
Contributor

Looks like Bitnami has built their version of the Keycloak Config CLI - bitnami/containers#75511

Now we just need to wait for the Helm chart to be updated 🥳

@gage-russell

gage-russell commented Dec 5, 2024

I have confirmed ability to create realms via the keycloakConfigCli section of the helm chart using the latest image tag 6.2.0-debian-12-r0. Here are the values used for local testing:

keycloak:
  enabled: true

  auth:
    adminUser: "admin"
    adminPassword: "admin"

  postgresql:
    enabled: true

  ingress:
    enabled: true
    ingressClassName: "nginx"
    pathType: ImplementationSpecific
    hostname: keycloak.local
    path: "/"
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/rewrite-target: /

  keycloakConfigCli:
    enabled: true
    image:
      tag: 6.2.0-debian-12-r0
    configuration:
      test.json: |
        {
          "realm": "test",
          "enabled": true,
          "clients": [
            {
              "clientId": "test-client",
              "secret": "test-client-secret",
              "protocol": "openid-connect",
              "redirectUris": ["http://test.local/*"],
              "publicClient": false,
              "directAccessGrantsEnabled": true
            }
          ]
        }

@rblaine95 rblaine95 linked a pull request Dec 9, 2024 that will close this issue