Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
operator
Describe the bug
On the latest v26.2.5 of keycloak-k8s-resources, operator and RedHat Build of Keycloak Server, Keycloak-Operator rolling updates are not working as expected. When spec.update.strategy=auto, the operator fails with error: keycloak-update-job is invalid, and when spec.update.strategy=Explicit, the operator will always replace the pod; rolling update is not observed.
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
- When Keycloak's CRD has spec.update.strategy=auto, the operator should automatically determine the best strategy to deploy a new update of the Keycloak server, and default to RecreateOnImageChange if the checks fail.
- When Keycloak's CRD has spec.update.strategy=Explicit, the operator should deploy a new update of the Keycloak server by rolling deployment, when spec.update.revision matches the previous update.
Actual behavior
When Keycloak's CRD has spec.update.strategy=auto:
The operator throws the following error:
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: PATCH at: https://172.20.0.1:443/apis/batch/v1/namespaces/identity/jobs/keycloak-update-job?fieldManager=keycloakcontroller&force=true. Message: Job.batch "keycloak-update-job" is invalid: spec.template.spec.initContainers[0].lifecycle: Forbidden: may not be set for init containers without restartPolicy=Always. Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.template.spec.initContainers[0].lifecycle, message=Forbidden: may not be set for init containers without restartPolicy=Always, reason=FieldValueForbidden, additionalProperties={})], group=batch, kind=Job, name=keycloak-update-job, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=Job.batch "keycloak-update-job" is invalid: spec.template.spec.initContainers[0].lifecycle: Forbidden: may not be set for init containers without restartPolicy=Always, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
When the error is thrown, the operator will not deploy a new version of the Keycloak Server Pod until spec.update is removed or the strategy is changed.
When Keycloak's CRD has spec.update.strategy=Explicit:
The operator will always deploy a new Keycloak Server Pod by replacing it - no rolling update is ever observed.
How to Reproduce?
Deploy keycloak-k8s-resources: v26.2.5 as usual and start updating the Keycloak Server image property with new tags.
Anything else?
System Details:
keycloak-operator version: v26.2.5
RedHat Build of Keycloak: v26.2.5
keycloak-k8s-resources: v26.2.5
AWS EKS Automode - Kubernetes: v1.32
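
A pre-flight check mirroring the validation rule quoted in the error above, added here as an example and not part of the original issue or the operator's code: it lists the init-container fields the API server rejects unless the container has restartPolicy=Always. The function name and the sample Job (including its container names and image) are constructed for illustration.

```python
import json

# Fields the Kubernetes API server only accepts on an init container when it
# is a restartable ("sidecar") init container, i.e. restartPolicy: Always.
SIDECAR_ONLY_FIELDS = ("lifecycle", "livenessProbe", "readinessProbe", "startupProbe")


def forbidden_init_container_fields(manifest):
    """Return the field paths that would be rejected with 'may not be set for
    init containers without restartPolicy=Always' in a Job-like manifest
    (any kind whose pod template lives at spec.template.spec)."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    problems = []
    for i, ctr in enumerate(pod_spec.get("initContainers") or []):
        if ctr.get("restartPolicy") == "Always":
            continue  # sidecar-style init container: these fields are allowed
        for field in SIDECAR_ONLY_FIELDS:
            if ctr.get(field) is not None:
                problems.append(f"spec.template.spec.initContainers[{i}].{field}")
    return problems


# Constructed sample, NOT the operator's real Job: the first init container
# carries a lifecycle hook without restartPolicy=Always, the second is a
# sidecar-style init container where the same field is permitted.
SAMPLE_JOB = json.loads("""
{
  "apiVersion": "batch/v1",
  "kind": "Job",
  "metadata": {"name": "keycloak-update-job", "namespace": "identity"},
  "spec": {"template": {"spec": {
    "restartPolicy": "Never",
    "initContainers": [
      {"name": "init-a", "image": "example.invalid/image:tag",
       "lifecycle": {"preStop": {"exec": {"command": ["true"]}}}},
      {"name": "init-b", "image": "example.invalid/image:tag",
       "restartPolicy": "Always",
       "lifecycle": {"preStop": {"exec": {"command": ["true"]}}}}
    ],
    "containers": [{"name": "main", "image": "example.invalid/image:tag"}]
  }}}
}
""")

if __name__ == "__main__":
    for path in forbidden_init_container_fields(SAMPLE_JOB):
        print(f"{path}: Forbidden without restartPolicy=Always")
```

Running it against the JSON of a rendered Job or pod template (for example from a client-side dry run) shows which field would trigger the 422 before the object is applied.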