
fix: always read Keycloak admin credentials fresh from secret#39

Merged: viniciusdc merged 3 commits into main from fix/keycloak-credential-refresh, Mar 5, 2026

Conversation


@dcmcand dcmcand commented Feb 16, 2026

Summary

  • Fixes a bug where loadCredentials() cached Keycloak admin credentials permanently after the first read, preventing secret rotation without pod restarts
  • When AdminSecretName is configured, credentials are now always read fresh from the Kubernetes secret
  • When no secret is configured, falls back to direct credentials (env vars) with a clear error if missing
  • Adds comprehensive test coverage for loadCredentials() including a test that proves secret rotation is picked up

Fixes #28

Test plan

  • New table-driven tests cover: standard keys, admin-prefixed keys, direct credentials, missing secret, missing keys
  • Dedicated test (TestKeycloakProvider_LoadCredentials_RefreshesOnSecretChange) proves credentials are refreshed after secret rotation
  • All existing tests continue to pass (8 packages, 0 failures)
  • E2E: deploy operator, rotate Keycloak admin secret, verify auth reconciliation continues working without pod restart

loadCredentials() previously cached credentials permanently after the
first read. If the Kubernetes secret was rotated, the operator would
continue using stale credentials until the pod was restarted.

Now credentials are always read fresh from the secret when
AdminSecretName is configured. When no secret is configured, direct
credentials (env vars) are used as a fallback.

Fixes #28
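The behaviour the PR description and commit message above lay out (read the Secret on every call when AdminSecretName is set, otherwise fall back to direct credentials with a clear error), as an added Go example that is not the operator's code; the SecretGetter interface, the in-memory memSecrets store, the KeycloakConfig fields and the username/password key names (plain and admin-prefixed) are assumptions made for the example:

```go
package main

import "fmt"

// SecretGetter returns a Secret's data on every call, with no caching. The
// operator uses the controller-runtime client; this interface runs offline.
type SecretGetter interface {
	Get(name string) (map[string][]byte, error)
}

// KeycloakConfig: a Secret name, or direct credentials (e.g. from env vars).
// Field and key names below are assumptions, not the operator's own.
type KeycloakConfig struct {
	AdminSecretName, AdminUsername, AdminPassword string
}

// loadCredentials never caches: with AdminSecretName set it reads the Secret
// on every call, so a rotation is picked up without a pod restart; otherwise
// it falls back to direct credentials and errors clearly when they are missing.
func loadCredentials(cfg KeycloakConfig, secrets SecretGetter) (string, string, error) {
	if cfg.AdminSecretName == "" {
		if cfg.AdminUsername == "" || cfg.AdminPassword == "" {
			return "", "", fmt.Errorf("no admin secret configured and direct credentials missing")
		}
		return cfg.AdminUsername, cfg.AdminPassword, nil
	}
	data, err := secrets.Get(cfg.AdminSecretName)
	if err != nil {
		return "", "", fmt.Errorf("read secret %q: %w", cfg.AdminSecretName, err)
	}
	user, pass := data["username"], data["password"]
	if len(user) == 0 || len(pass) == 0 { // also accept admin-prefixed keys
		user, pass = data["admin-username"], data["admin-password"]
	}
	if len(user) == 0 || len(pass) == 0 {
		return "", "", fmt.Errorf("secret %q missing username/password keys", cfg.AdminSecretName)
	}
	return string(user), string(pass), nil
}

// memSecrets is a constructed in-memory stand-in for the API server.
type memSecrets map[string]map[string][]byte

func (m memSecrets) Get(name string) (map[string][]byte, error) {
	if d, ok := m[name]; ok {
		return d, nil
	}
	return nil, fmt.Errorf("secret %q not found", name)
}
```

Because nothing is retained between calls, mutating the stored Secret and calling loadCredentials again returns the rotated value, which is the property the PR's refresh test asserts.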
@github-actions

🐳 Docker Image Built

Image pushed to Quay.io for branch fix-keycloak-credential-refresh:

  • quay.io/nebari/nebari-operator:fix-keycloak-credential-refresh (linux/amd64 + linux/arm64)

You can test this PR by deploying:

kubectl apply -f https://raw.githubusercontent.com/nebari-dev/nebari-operator/fix/keycloak-credential-refresh/config/default/
kubectl set image deployment/nebari-operator-controller-manager manager=quay.io/nebari/nebari-operator:fix-keycloak-credential-refresh -n nebari-operator-system

Resolve conflict in keycloak_test.go by keeping both the
LoadCredentials tests from this branch and the SyncClientScopes
tests added on main.

@viniciusdc viniciusdc merged commit 4ab6b8d into main Mar 5, 2026
7 checks passed
@viniciusdc viniciusdc deleted the fix/keycloak-credential-refresh branch March 5, 2026 22:52


Linked issue closed by this pull request: bug: Keycloak admin credentials cached permanently, never refreshed on secret rotation
