gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:31:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(oidc/testfixtures): set legacy KEYCLOAK_ADMIN* env vars for start-dev master-admin bootstrap

Browse Source 
Phase-10 live-IdP smoke (post-iss-param fix landing in 360e744) advanced
4 of 6 integration tests to green. The remaining 2 — the realm-key
rotation tests — failed with:

  admin-cli token: HTTP 401

at the master-realm token endpoint. Root cause: Keycloak 26.x has TWO
admin-bootstrap env-var pairs and the right pair depends on the launch
command:

  - 'start' (production):  KC_BOOTSTRAP_ADMIN_USERNAME +
                           KC_BOOTSTRAP_ADMIN_PASSWORD
  - 'start-dev':           KEYCLOAK_ADMIN + KEYCLOAK_ADMIN_PASSWORD

The fixture sets KC_BOOTSTRAP_ADMIN_USERNAME + KC_BOOTSTRAP_ADMIN_PASSWORD
but runs 'start-dev'. The bootstrap pair is silently ignored in dev-mode,
leaving the master realm with no admin user → admin-cli token endpoint
returns 401 → RotateRealmKeys can't authenticate to the Admin API.

The 4 auth-code flow tests passed because they authenticate the engineer /
viewer test users INSIDE the certctl realm (created by the realm import),
which doesn't need a master admin.

Fix: set BOTH pairs as belt-and-braces. The legacy KEYCLOAK_ADMIN pair
covers start-dev today; the KC_BOOTSTRAP_ADMIN_* pair keeps a future flip
to 'start' working. Inline comment in the fixture explains the why so a
future reader doesn't drop one back.

Verify (sandbox): go vet -tags=integration clean; gofmt clean. Workstation
re-runs 'make keycloak-integration-test' to confirm the 2 rotation tests
now reach + execute the Admin API successfully.
This commit is contained in:
shankar0123
2026-05-11 15:49:25 +00:00
parent 360e7449ad
commit aa1efd0676
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/oidc/testfixtures/keycloak.go
+17
View File
@@ -153,6 +153,23 @@ func StartKeycloak(t *testing.T) *KeycloakFixture {
Image: KeycloakImage,
ExposedPorts: []string{"8080/tcp"},
Env: map[string]string{
// Keycloak 26.x has TWO sets of admin-bootstrap env vars
// and the right pair depends on the launch command:
// - `start` (production): KC_BOOTSTRAP_ADMIN_USERNAME +
// KC_BOOTSTRAP_ADMIN_PASSWORD
// - `start-dev`: KEYCLOAK_ADMIN + KEYCLOAK_ADMIN_PASSWORD
//
// This fixture runs `start-dev` (see the Cmd line below).
// Pre-fix only the KC_BOOTSTRAP_ADMIN_* names were set —
// they're silently ignored in dev-mode, leaving the
// master-realm with no admin user. The auth-code flow tests
// passed (they authenticate test users in the certctl
// realm), but the RotateRealmKeys path 401's on the
// admin-cli token endpoint because there's no admin to
// authenticate as. Set BOTH pairs as belt-and-braces so a
// future flip to `start` doesn't re-introduce the same gap.
"KEYCLOAK_ADMIN": AdminUser,
"KEYCLOAK_ADMIN_PASSWORD": AdminPass,
"KC_BOOTSTRAP_ADMIN_USERNAME": AdminUser,
"KC_BOOTSTRAP_ADMIN_PASSWORD": AdminPass,
// Disable HTTPS in dev mode; the integration test runs