Symptoms
After upgrading the IDP component to the latest version 4.0.x, access to the Keycloak (KC) administration panel no longer works, and the steps to enable it from the public documentation (Accessing the Keycloak Administration Panel) no longer work either:
root@oa-mn:~ # kubectl exec -it $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- sh /opt/jboss/keycloak/bin/jboss-cli.sh --connect
Defaulted container "idp-backend" out of: idp-backend, idp-spi
sh: /opt/jboss/keycloak/bin/jboss-cli.sh: No such file or directory
command terminated with exit code 127
The script is now in a different location:
[jboss@idp-backend-7c8c569ff9-b97v9 /]$ find / -name jboss-cli.sh
/opt/jboss/wildfly/bin/jboss-cli.sh
However, running the documented command from the new location does not work either:
[jboss@idp-backend-7c8c569ff9-b97v9 /]$ /opt/jboss/wildfly/bin/jboss-cli.sh --connect
Picked up JAVA_TOOL_OPTIONS: -javaagent:/opentelemetry-javaagent.jar
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
[otel.javaagent 2023-10-12 11:12:29:195 +0200] [main] INFO io.opentelemetry.javaagent.tooling.VersionLogger - opentelemetry-javaagent - version: 1.25.0
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/filter-ref=IM_adminPanel:remove()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0216: Management resource '[ (\"subsystem\" => \"undertow\"), (\"server\" => \"default-server\"), (\"host\" => \"default-host\"), (\"filter-ref\" => \"IM_adminPanel\") ]' not found",
    "rolled-back" => true
}
[standalone@localhost:9990 /]
Restarting the IDP pod does not help either.
Cause
By default, the Keycloak admin web interface is only reachable from inside the idp-backend or idp-spi containers.
Resolution
To access this web interface from outside these containers in a Kubernetes environment, run the following command:
kubectl exec $(kubectl get pods -l app=idp-backend -o jsonpath='{.items[0].metadata.name}') -c idp-spi -- curl -k -v http://localhost:8082/auth/realms/master/maintenance-api/enableRestrictedApis -X POST --data '{"enable":"false"}' --header "Content-Type: application/json"
A documentation bug has been created for this: DOC-3361