-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
check operand StatefulSet is ready for realm import Job to run #24534
check operand StatefulSet is ready for realm import Job to run #24534
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @pgodowski this seems good - polling is simpler than getting the Keycloak CR events.
It should have a test though.
Also I know there always should be a status added when a statefulset is created, but the code is checking for null in one place, but not the other - it should at least be consistent.
Thanks for the review.
Fixed this part.
Will work on adding a test case in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pgodowski Thanks for the PR!
I believe this affects main
too where we don't check number of ready instances as well. We should create a parallel fix for it too to consider this fully fixed.
Yes, will work on the fix in |
Added unit test to check for the failed realm import when Keycloak operand is not available, still in |
@pgodowski looks good. Please rebase to a single commit and add your DCO signature - Keycloak has recently adopted a requirement. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (once comment from @shawkins is resolved).
a1dda82
to
1aecef1
Compare
Signed-off-by: Piotr Godowski <piotr.godowski@pl.ibm.com>
1aecef1
to
6dd0531
Compare
@shawkins done - thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Once small nit, could there be a single crSelector.get() rather than 3 calls per polling.
Do you want me to add any changes here? |
Unreported flaky test detectedIf the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.ui.account2.WelcomeScreenTest#accountSecurityTestKeycloak CI - Account Console IT (firefox)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
It's optional. It can be cleaned up later if needed. |
Signed-off-by: Piotr Godowski <piotr.godowski@pl.ibm.com>
6dd0531
to
9c7519f
Compare
kc.getSpec().setInstances(0); | ||
|
||
// don't wait for Keycloak being available, since it has no instances | ||
deployKeycloak(k8sclient, getDefaultKeycloakDeployment(), false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should reference the kc instance created above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OMG, good catch @shawkins - fixed!
@pgodowski I hope you don't mind, I took the liberty of opening a forward port: #24720 There's still another small change needed here. |
…odowski/keycloak into fix/realm-import-prereq-check
Signed-off-by: Piotr Godowski <piotr.godowski@pl.ibm.com>
Thanks for the forward port - let me know you need any inputs on that. Updated the test case, yet, for some reason I cannot now squash commits, hope it is fine? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, don't worry about squashing, it will be done as part of the merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithCRLSignedWithIntermediateCA3FromTruststoreKeycloak CI - FIPS IT (non-strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromFileKeycloak CI - FIPS IT (non-strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithIntermediateRevocationListFromHttpKeycloak CI - FIPS IT (non-strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginFailedWithInvalidSignatureCRLKeycloak CI - FIPS IT (non-strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginWithMultipleRevocationListsKeycloak CI - FIPS IT (non-strict)
org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithEmptyRevocationListFromFileKeycloak CI - FIPS IT (non-strict)
|
Enabled auto-merge but 22 is frozen until 22.0.6 is released. |
As an FYI (because I'm expecting this one in 22.0.7 anyway), this is actually more dangerous than we thought. Its not just some failed pods, but there is a timing issue where I think the realm job can trigger a database initialisation at the same time as the first Keycloak pod, and the realm status can say its ready even though its not in the database. The cause is conjecture because I don't have logs from the first keycloak pod run, but on this cluster, the realm job completed successfully but the realm was not present. Log from a realm import pod:
|
Are you suggesting we shall check for other thing in the proposed fix than the operand StatefulSet, or it's just your notice saying that the impact is larger than we initially though? |
Just that the impact is more than just a UX snag - it can leave an installation in a broken state. I don't think we need more than a single pod ready check. |
1 failed and 2 flaky tests on run #9989 ↗︎Details:
|
Test | Artifacts | |
---|---|---|
Sessions test > revocation > Check if notBefore saved |
Screenshots
Video
|
clients_test.spec.ts • 1 flaky test • chrome
Test | Artifacts | |
---|---|---|
Clients test > Accessibility tests for clients > Check a11y violations on client registration/ authenticated access policies tab |
Screenshots
|
authentication_test.spec.ts • 1 flaky test • chrome
Test | Artifacts | |
---|---|---|
Authentication test > should add a condition |
Screenshots
|
Check whether the Keycloak operand
StatefulSet
has at least single replica ready before submitting the RealmImport Job.Closes #24526
cc @shawkins