[BUG] - Why is the keycloak client name hard-coded to grafana for all services? #2428

Open
krassowski opened this issue Apr 28, 2024 · 1 comment
Labels
area: integration/keycloak area: monitoring 🔍 needs: investigation 🔍 Someone in the team needs to find the root cause and replicate this bug type: bug 🐛 Something isn't working

Comments

@krassowski
Member

Describe the bug

The client name for all services is currently hard-coded to grafana:

resource "keycloak_openid_client" "main" {
  realm_id      = var.realm_id
  client_id     = var.client_id
  client_secret = random_password.client_secret.result
  name          = "grafana" # display name is the same literal for every client
  enabled       = true
  # (remaining arguments omitted)
}

Querying the clients list returns a list like:

[{'id': 'c2eeb1e0-a1bb-42eb-92a2-aebb197db7cd',
  'clientId': 'argo-server-sso',
  'name': 'grafana',
  'description': '',
  // (more properties)
 },
 {'id': '3f28662b-83d9-4e83-b633-ad3a80ad015d',
  'clientId': 'broker',
  'name': '${client_broker}',
  'surrogateAuthRequired': False,
  // (more properties)
 },
 {'id': '003a0497-30d6-49a0-92aa-01573fc878d4',
  'clientId': 'conda_store',
  'name': 'grafana',
  'description': '',
  // (more properties)
 },
 {'id': 'b37c5ba3-4f61-4bc3-a8f3-ddc58586951e',
  'clientId': 'forwardauth',
  'name': 'grafana',
  'description': '',
  // (more properties)
 },
 {'id': '1640b17e-bf0b-4c15-a351-c38a7cfa24ba',
  'clientId': 'grafana',
  'name': 'grafana',
  'description': '',
  // (more properties)
 },
 {'id': '47d8e54d-d4ab-42e1-af7c-753cc888da51',
  'clientId': 'jupyterhub',
  'name': 'grafana',
  'description': '',
  // (more properties)
 }]

This was introduced 2 years ago in #1003.

Expected behavior

Either:

  • var.client_id is used if it does not have to be hard-coded to grafana
  • a comment explaining the reason for it is added if it does have to be hard-coded to grafana

OS and architecture in which you are running Nebari

main branch

How to Reproduce the problem?

Query the Keycloak REST API /auth/admin/realms/nebari/clients/ endpoint (with an appropriate token).

Command output

No response

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

Spotted when working on #2308

@krassowski krassowski added type: bug 🐛 Something isn't working needs: triage 🚦 Someone needs to have a look at this issue and triage labels Apr 28, 2024
@dcmcand dcmcand added area: monitoring 🔍 area: integration/keycloak needs: investigation 🔍 Someone in the team needs to find the root cause and replicate this bug and removed needs: triage 🚦 Someone needs to have a look at this issue and triage labels Apr 29, 2024
@viniciusdc
Contributor

viniciusdc commented Apr 29, 2024

As you can see, this was initially implemented as part of that PR, most probably due to testing Keycloak's management clients, and was overlooked when it was merged. Client names, if I am not mistaken, are mutable, so we should be able to rename them without affecting any previous versions.

@krassowski krassowski linked a pull request Jul 18, 2024 that will close this issue
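
An added example, not part of the original issue or the Nebari code base: a Python check over the client list returned by the clients endpoint named in the issue, flagging display names shared by several clients or equal to a different client's clientId. The sample list is constructed from the fields shown in the issue; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the two fields the check reads and
# modelled on the client list quoted in the issue.
SAMPLE_CLIENTS = [
    {"clientId": "argo-server-sso", "name": "grafana"},
    {"clientId": "broker", "name": "${client_broker}"},
    {"clientId": "conda_store", "name": "grafana"},
    {"clientId": "forwardauth", "name": "grafana"},
    {"clientId": "grafana", "name": "grafana"},
    {"clientId": "jupyterhub", "name": "grafana"},
]

# Built-in clients carry a localisation placeholder such as '${client_broker}'
# instead of a literal name; those are skipped.
_PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")


def audit_client_names(clients):
    """Return findings for display names that do not identify one client."""
    client_ids = {c["clientId"] for c in clients if c.get("clientId")}
    by_name = defaultdict(list)
    for client in clients:
        name = (client.get("name") or "").strip()
        if not name or _PLACEHOLDER.match(name):
            continue  # unnamed or built-in placeholder: nothing to compare
        by_name[name].append(client["clientId"])

    findings = []
    for name, ids in sorted(by_name.items()):
        if len(ids) > 1:
            # Several clients are indistinguishable by name in the admin UI.
            findings.append(
                {"kind": "shared-name", "name": name, "clients": sorted(ids)})
        # The name is the clientId of a *different* client in the realm.
        mislabelled = sorted(i for i in ids if i != name)
        if name in client_ids and mislabelled:
            findings.append(
                {"kind": "name-is-other-clientId", "name": name,
                 "clients": mislabelled})
    return findings


if __name__ == "__main__":
    for finding in audit_client_names(SAMPLE_CLIENTS):
        print(finding)
```
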