@sberyozkin @michalvavrik for your awareness, I will need some help at some point but I'll ping you when I have a better idea of the status.

@sberyozkin @michalvavrik for your awareness, I will need some help at some point but I'll ping you when I have a better idea of the status.

Sure, thanks for looking at it. FYI - RHSSO has another 2 years in EUS, so I don't know what @sberyozkin wants. I definitely think we should migrate because in product we only support RHBK anyway, we don't test RHSSO nor document it in supported configurations. Anyway, @sberyozkin is the one who must decide.

Well, tbh, I didn't start this work in a hurry for fun: the Keycloak legacy image is very old and plagued with a JDK bug that is highly problematic for us - the Docker image can't be started on RunsOn anymore and this has been highly problematic for CI. While @crohr from RunsOn might be able to kindly provide us with a temporary workaround, we need to move on.

We don't have any recent image to test things with. And we are not actually testing things with recent Keycloak versions, which is IMHO a mistake.

If we want to keep supporting old versions with extended support, I think it should be done downstream and not with the community bits where we don't have access to recent images.

🎊 PR Preview a04eb95 has been successfully built and deployed to https://quarkus-pr-main-49283-preview.surge.sh/version/main/guides/

• Images of blog posts older than 3 months are not available.
• Newsletters older than 3 months are not available.

@gsmet , ok, I think it is for better to migrate, I just felt obliged to warn you because I did proposed dropping legacy in past and Sergey wished to wait. I expect that your arguments are strong enough.

I didn't run oidc-tenancy in native, only in JVM. Let me check if io.quarkus.it.keycloak.BearerTokenAuthorizationInGraalITCase also fails for me.

@gsmet it's passing for me locally in native, maybe it would be worth to rerun just oidc-tenanty it module in native (or whatever you trigger by re-running only failed tests).

I actually can't see how oidc-tenancy native failure is related to this PR, because it only includes keycloak-server because of Keycloak test client. I retried thrice with JDK 17 & same commands as CI is using -Dtest-containers -Dstart-containers -Dquarkus.native.native-image-xmx=6g -Dnative -Dnative.surefire.skip -Dno-descriptor-tests clean install -DskipDocs and still can't reproducing :-(.

I think we would need to print out KC logs to decide what is happening in there, so far my only idea is resources.

It looks like it tries to connect to Keycloak on an incorrect port.

It looks like it tries to connect to Keycloak on an incorrect port.

I think this is probably right assessment, but I can't tell from logs. There isn't enough information, neither I can say how is it related to changes in this PR (I checked Develocity and it started failing now so probably it is, but I don't know how),

I have tried it again, this time I switched from Podman to Docker and still can't to reproduce, nor I can see how this failure is related to changes in this PR. I can see you are trying workaround #49291. I don't know how to debug it without using PR CI to debug, so my preferred way would be to disable the test and try to open a new PR right after this is merged to test enabling the test in question. I can't tell how else to debug it. We won't move forward without printing more information.

I'll go back on this again today, if I still can't reproduce it locally, I'll just open PR for CI experiments, because current logs makes me no smarter, the KC port looks fine.

@gsmet I rerun this PR with both 2022 and 2024 and cannot reproduce any of these failures #49410, please rebase this PR on current main, maybe drop debug and see if it pass; it's bit like hunting shadows 😃

I squashed and made you a coauthor. Let's see how it goes :).

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 6f6de16.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 6f6de16.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin so should we get this in?

@sberyozkin friendly ping?

@sberyozkin friendly ping?

I think it will have to wait another week or more considering the situation.