Symptoms


After upgrading the IDP component to the latest version 4.0.x, access to Keycloak (KC) is not working, and the steps to enable it from the public documentation (Accessing the Keycloak Administration Panel) no longer work:


root@oa-mn:~ # kubectl exec -it $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- sh /opt/jboss/keycloak/bin/jboss-cli.sh --connect                                  
Defaulted container "idp-backend" out of: idp-backend, idp-spi
sh: /opt/jboss/keycloak/bin/jboss-cli.sh: No such file or directory
command terminated with exit code 127

The script is in a different location now:

[jboss@idp-backend-7c8c569ff9-b97v9 /]$ find / -name jboss-cli.sh
/opt/jboss/wildfly/bin/jboss-cli.sh


However, executing it from the new location does not work either:

[jboss@idp-backend-7c8c569ff9-b97v9 /]$ /opt/jboss/wildfly/bin/jboss-cli.sh --connect
Picked up JAVA_TOOL_OPTIONS: -javaagent:/opentelemetry-javaagent.jar
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
[otel.javaagent 2023-10-12 11:12:29:195 +0200] [main] INFO io.opentelemetry.javaagent.tooling.VersionLogger - opentelemetry-javaagent - version: 1.25.0
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/host=default-host/filter-ref=IM_adminPanel:remove()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0216: Management resource '[
    (\"subsystem\" => \"undertow\"),
    (\"server\" => \"default-server\"),
    (\"host\" => \"default-host\"),
    (\"filter-ref\" => \"IM_adminPanel\")
]' not found",
    "rolled-back" => true
}[standalone@localhost:9990 /]

Restarting the IDP pod does not help either.


Cause


By default, the Keycloak admin web interface is only available when it is accessed from inside the idp-backend or idp-spi containers.


Resolution


To access this web interface from outside these containers in a Kubernetes environment, run the following command:


kubectl exec "$(kubectl get pods -l app=idp-backend -o jsonpath='{.items[0].metadata.name}')" -c idp-spi -- curl -k -v http://localhost:8082/auth/realms/master/maintenance-api/enableRestrictedApis -X POST --data '{"enable":"false"}' --header "Content-Type: application/json"


A documentation bug has been created for this: DOC-3361