fix: Backporting RHBK changes to release-1.3 #1639

Open
tommyd450 wants to merge 8 commits into release-1.3 from tdalton/1.3KeycloakCIChangesBackport

@tommyd450
Contributor

No description provided.

@qodo-code-review
Review Summary by Qodo

Refactor Keycloak installation and remove stale resources

✨ Enhancement

Walkthroughs

Description
• Refactor Keycloak installation into reusable script
• Remove stale CI resources and configuration files
• Simplify kind cluster setup workflow

File Changes

1. ci/openshift/sign-test.sh Miscellaneous +0/-75

Remove OpenShift signing test script

• Removed entire OpenShift test script for signing and verification
• Script contained deployment setup, job configuration, and cosign operations
• Functionality likely migrated to other CI workflows or scripts

ci/openshift/sign-test.sh


2. .github/actions/kind-cluster/action.yml ✨ Enhancement +1/-36

Extract Keycloak installation to external script

• Replaced inline Keycloak installation logic with external script call
• Removed manual operator and resource deployment steps
• Removed custom Ingress configuration for Keycloak
• Simplified to single bash script invocation: bash ci/keycloak/tas-keycloak-install.sh kind

.github/actions/kind-cluster/action.yml


3. ci/keycloak/operator/base/subscription.yaml Miscellaneous +0/-20

Remove Keycloak operator subscription manifest

• Removed Subscription and OperatorGroup manifests for RHSSO operator
• These resources are now managed elsewhere or consolidated

ci/keycloak/operator/base/subscription.yaml


4. config/env/kubernetes/kustomization.yaml Miscellaneous +0/-5

Remove Kubernetes environment kustomization file

• Removed entire Kustomization file
• File contained reference to default configuration resources

config/env/kubernetes/kustomization.yaml


5. ci/keycloak/tas-keycloak-install.sh Additional files +0/-0

...

ci/keycloak/tas-keycloak-install.sh


@qodo-code-review
qodo-code-review bot commented Mar 5, 2026

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. oc CLI breaks Kind CI 🐞 Bug ⛯ Reliability
Description
The Kind composite action now runs a Keycloak install script that uses oc, but the GitHub Kind
workflows don’t install the OpenShift CLI. This will fail the Keycloak install step immediately and
block all downstream e2e tests.
Code

.github/actions/kind-cluster/action.yml[80]

+        bash ci/keycloak/tas-keycloak-install.sh kind
Evidence
The composite action calls the script, and the script exclusively uses oc for apply/get
operations. The workflow installs Kind and uses kubectl, but there is no evidence of installing oc
anywhere in workflows, so the script will fail with oc: command not found.

.github/actions/kind-cluster/action.yml[75-82]
ci/keycloak/tas-keycloak-install.sh[35-49]
ci/keycloak/tas-keycloak-install.sh[13-18]
.github/workflows/main.yml[562-570]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`tas-keycloak-install.sh` uses the OpenShift CLI (`oc`) but the Kind GitHub Actions environment uses `kubectl` and does not install `oc`, causing the Keycloak install step to fail.
### Issue Context
The Kind composite action now runs `bash ci/keycloak/tas-keycloak-install.sh kind`.
### Fix Focus Areas
- .github/actions/kind-cluster/action.yml[75-82]
- ci/keycloak/tas-keycloak-install.sh[1-55]


2. Kind overlays no longer applied 🐞 Bug ✓ Correctness
Description
The new script applies the ci/keycloak/**/base kustomizations rather than the overlay/kind
kustomizations previously used for Kind. This skips Kind-specific patches/resources (e.g., disabling
externalAccess, creating the keycloak-internal Service), making the emitted oidc_host and test
defaults inconsistent with what is actually installed.
Code

.github/actions/kind-cluster/action.yml[R80-81]

+        bash ci/keycloak/tas-keycloak-install.sh kind
       echo "oidc_host=keycloak-internal.keycloak-system.svc" >> $GITHUB_OUTPUT
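Review bot: `$GITHUB_OUTPUT` is unquoted on the `echo "oidc_host=..."` line; write `>> "$GITHUB_OUTPUT"` so the redirect target survives a path containing spaces or glob characters. The host is also emitted as a fixed string directly after the script call, so consider deriving `oidc_host` from what the script actually created, or checking that the service exists before writing the output.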
Evidence
The workflow and e2e defaults assume the issuer is reachable at
http://keycloak-internal.keycloak-system.svc/.... That host relies on Kind overlay resources
(e.g., keycloak-internal Service) and (previously) an Ingress hack. The new script applies only
base resources and never applies the Kind overlays, so the assumed service/behavior is not
guaranteed to exist.

ci/keycloak/tas-keycloak-install.sh[35-55]
ci/keycloak/resources/overlay/kind/kustomization.yaml[1-12]
ci/keycloak/resources/overlay/kind/keycloak_patch.yaml[1-8]
ci/keycloak/resources/overlay/kind/keycloak-svc.yaml[1-12]
.github/workflows/main.yml[596-603]
.github/workflows/main.yml[605-608]
test/e2e/support/oidc.go[23-25]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Keycloak installation for Kind no longer applies Kind overlays, but CI outputs/tests still assume Kind overlay behavior (notably `keycloak-internal` service/host and overlay patches).
### Issue Context
The composite action still exports `oidc_host=keycloak-internal.keycloak-system.svc`.
### Fix Focus Areas
- .github/actions/kind-cluster/action.yml[75-82]
- ci/keycloak/tas-keycloak-install.sh[35-55]
- ci/keycloak/resources/overlay/kind/kustomization.yaml[1-12]


3. Operator kustomize references missing file 🐞 Bug ✓ Correctness
Description
ci/keycloak/operator/base/kustomization.yaml references subscription.yaml, but that file is not
present under ci/keycloak/operator/base/ in this branch. As a result, the script’s `oc/kubectl
apply --kustomize ci/keycloak/operator/base` will fail and the operator will never install.
Code

.github/actions/kind-cluster/action.yml[80]

+        bash ci/keycloak/tas-keycloak-install.sh kind
Evidence
The script applies ci/keycloak/operator/base, whose kustomization lists subscription.yaml. In
the checked-out PR branch code, that manifest is absent, so Kustomize cannot build/apply the
operator base.

ci/keycloak/tas-keycloak-install.sh[35-38]
ci/keycloak/operator/base/kustomization.yaml[1-8]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Kustomize base references a `subscription.yaml` that is not present, which causes operator installation to fail.
### Issue Context
The Kind action now relies on `tas-keycloak-install.sh`, which applies `ci/keycloak/operator/base`.
### Fix Focus Areas
- ci/keycloak/operator/base/kustomization.yaml[1-8]
- ci/keycloak/tas-keycloak-install.sh[35-43]
- ci/keycloak/operator/overlay/kind/kustomization.yaml[1-10]



Remediation recommended

4. Script shell mismatch 🐞 Bug ⛯ Reliability
Description
tas-keycloak-install.sh declares #!/usr/bin/env sh but uses bash-specific [[ ... ]] and ==.
It currently works only because the action runs it with bash, but it’s fragile and will fail if
executed directly (or by sh).
Code

.github/actions/kind-cluster/action.yml[80]

+        bash ci/keycloak/tas-keycloak-install.sh kind
Evidence
The script’s interpreter declaration contradicts its syntax, making it non-portable and easy to
break when reused outside this action.

ci/keycloak/tas-keycloak-install.sh[1-5]
ci/keycloak/tas-keycloak-install.sh[13-18]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The script claims POSIX `sh` but uses bash-specific syntax.
### Issue Context
The action currently invokes it via `bash`, but the script may be reused elsewhere.
### Fix Focus Areas
- ci/keycloak/tas-keycloak-install.sh[1-33]

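Findings 1, 3 and 4 above can all be caught before anything is applied to the cluster. The following POSIX `sh` pre-flight sketch is an added example, not code from this PR or from `tas-keycloak-install.sh`; the function names are hypothetical and the kustomization parser assumes a plain block list under `resources:`.

```shell
#!/usr/bin/env sh
# Added example: POSIX sh pre-flight checks for a Keycloak install script.
# Function names are hypothetical; only the modes and file names come from the review.

# Accept only the two modes the install script is described as supporting.
valid_mode() {
    case "$1" in
        kind|openshift) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate CLI found on PATH, e.g. `pick_cli oc kubectl`.
pick_cli() {
    for candidate in "$@"; do
        if command -v "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Print each local entry under `resources:` in DIR/kustomization.yaml
# that does not exist on disk. Handles plain block lists only.
missing_resources() {
    awk '
        /^resources:/ { in_res = 1; next }
        in_res && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
        in_res && /^[^ \t#]/ { in_res = 0 }
    ' "$1/kustomization.yaml" |
    while IFS= read -r entry; do
        case "$entry" in *://*) continue ;; esac   # remote bases are not files
        [ -e "$1/$entry" ] || printf '%s\n' "$entry"
    done
}

# Constructed demo: a base that lists subscription.yaml without shipping it.
demo=$(mktemp -d)
printf 'resources:\n  - namespace.yaml\n  - subscription.yaml\n' > "$demo/kustomization.yaml"
: > "$demo/namespace.yaml"
valid_mode kind && echo "mode ok"
echo "cli: $(pick_cli oc kubectl || echo none)"
echo "missing: $(missing_resources "$demo")"
rm -rf "$demo"
```

Because it avoids `[[ ... ]]` and `==`, the same file behaves identically under `sh` and `bash`, so the shebang and the invoking shell no longer need to agree.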

@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch 4 times, most recently from 8bd4ad4 to 30bf275 Compare March 5, 2026 14:06
SequeI added 3 commits March 5, 2026 14:09
* Consolidate Keycloak CI configs into single kustomize structure

Merge ci/keycloak/ and ci/rhbk/ into a unified ci/keycloak/ directory
with kustomize base/overlay layout for Kind and OpenShift environments.
Shared Keycloak CR, RealmImport, and namespace definitions live in base,
while environment-specific resources (PostgreSQL, ingress, hostname,
operator installation) are handled via overlays. Remove the redundant
ci/rhbk/ directory entirely. Update tas-keycloak-install.sh to support
openshift and kind modes using the new overlay path.

Signed-off-by: SequeI <asiek@redhat.com>

* fix

Signed-off-by: SequeI <asiek@redhat.com>

* fix

Signed-off-by: SequeI <asiek@redhat.com>

---------

Signed-off-by: SequeI <asiek@redhat.com>
* ci: extend openshift keycloak deployment timeout

Signed-off-by: SequeI <asiek@redhat.com>

* ci: stop race condition between keycloak CR and realmImport

Signed-off-by: SequeI <asiek@redhat.com>

* cel expr

Signed-off-by: SequeI <asiek@redhat.com>

* test: debug logs

Signed-off-by: SequeI <asiek@redhat.com>

---------

Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>
@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch from 30bf275 to f3f9af8 Compare March 5, 2026 14:11
@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch 3 times, most recently from 39f9e8e to 4f8653b Compare March 5, 2026 16:50
@tommyd450
Contributor Author

/ok-to-test

@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch 2 times, most recently from 8951767 to e7c579a Compare March 5, 2026 18:41
@tommyd450 tommyd450 changed the title fix: add sub claim to RHKB; remove stale resources (#1620) fix: Backporting RHBK changes to release-1.3 Mar 5, 2026
@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch 2 times, most recently from 0646b97 to e7995ff Compare March 6, 2026 13:58
@tommyd450
Contributor Author

/retest

@tommyd450 tommyd450 force-pushed the tdalton/1.3KeycloakCIChangesBackport branch from 5b1e166 to b430243 Compare March 9, 2026 10:13