Unable to collect service account credentials from secret for SecretSource and external KeyCloak #241

@tduniec

Describe the bug

Hello,

I am facing an issue when creating the SecretSource/ApiSource using microcks.io/service-account-secret.
I would like this to be configured in my microcks instance using operator.
I am getting 401 from Keycloak service ->

2026-03-05 12:42:42,334 WARN [org.keycloak.events] (executor-thread-59) type="CLIENT_LOGIN_ERROR", realmId="microcks", realmName="microcks", clientId="null", userId="null", ipAddress="10.38.0.61", error="client_not_found", grant_type="client_credentials"

It looks for a secret specified with name in the annotation and collects the credentials,

and tries to request auth from Keycloak in order to provision the secret inside Microcks, but:

the request to Keycloak does not have the credentials:

{
    "path": "/realms/microcks/protocol/openid-connect/token",
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
        "accept": "application/json",
        "authorization": "Basic bnVsbDpudWxs", // here is null:null after decoding
        "content-length": "29",
        "host": "httpbin.microcks-operator.svc.cluster.local",
        "connection": "Keep-Alive",
        "user-agent": "Apache-HttpClient/4.5.14 (Java/21.0.10)",
        "accept-encoding": "gzip,deflate"
    },
    "method": "POST",
    "body": "grant_type=client_credentials",
    "fresh": false,
    "hostname": "httpbin.microcks-operator.svc.cluster.local",
    "ip": "::ffff:10.38.0.61",
    "ips": [],
    "protocol": "http",
    "query": {},
    "subdomains": [
        "svc",
        "microcks-operator",
        "httpbin"
    ],
    "xhr": false,
    "os": {
        "hostname": "httpbin-7b7c8c4f5f-4jx64"
    },
    "connection": {}
}

When using the installed Keycloak, it looks for auth secrets in a different way; once the secret to be used is specified, it has a problem and sends an empty Auth header to Keycloak.

My creds for auth with Keycloak are correct since I am able to auth using curl.

// We must read the service account name and credentials from the provided secret.
logger.infof("Using '%s' service account secret to access Keycloak '%s'", serviceAccountSecret, resourceMetadata.getName());
Secret saSecret = client.secrets().inNamespace(resourceMetadata.getNamespace())
      .withName(serviceAccountSecret).get();
serviceAccountName = saSecret.getStringData().get("service-account-name");
serviceAccountCredentials = saSecret.getStringData().get("service-account-credentials");

secret:

apiVersion: v1
kind: Secret
metadata:
  name: test
  namespace: microcks-operator
spec: {}
data:
  service-account-credentials: test
  service-account-name: test1
type: Opaque

secret source:

apiVersion: microcks.io/v1alpha1
kind: SecretSource
metadata:
  annotations:
    microcks.io/instance: microcks
    microcks.io/service-account-secret: test
  name: tests-secrets-tduniec-1
  namespace: microcks-operator
spec:
  secrets:
    - description: Used for testing
      name: g-QA-test
      token: dummy
      tokenHeader: PRIVATE-TOKEN

Expected behavior

It will read the creds from the secret and pass them in the auth header when using an external Keycloak.

Actual behavior

Sending empty creds -> null:null in auth header

How to Reproduce?

described above

Microcks version or git rev

0.0.7

Install method (docker-compose, helm chart, operator, docker-desktop extension,...)

operator -> helm chart.

Additional information

No response
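
The captured header `Basic bnVsbDpudWxs` is what results when both credential lookups return null and are concatenated into the Basic credential; the Kubernetes API returns Secret values base64-encoded under `data` and does not output `stringData` on read. The sketch below is an added example, not part of the original issue or the operator's code: it uses plain maps and constructed values (`example-sa`, `example-credentials`) to stand in for the Secret object, which is an assumption about how the client exposes it.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class ServiceAccountSecretCheck {
    // Keys used by the snippet quoted in the issue.
    static final String NAME_KEY = "service-account-name";
    static final String CRED_KEY = "service-account-credentials";
    /** Decodes one key of a Secret's base64 `data` map; fails closed if absent or malformed. */
    static String requireDecoded(Map<String, String> data, String key) {
        String encoded = (data == null) ? null : data.get(key);
        if (encoded == null || encoded.isBlank()) {
            throw new IllegalStateException("Secret has no value for '" + key + "' under data");
        }
        try {
            byte[] raw = Base64.getDecoder().decode(encoded.trim());
            return new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("Value of '" + key + "' is not valid base64", e);
        }
    }

    /** Builds an HTTP Basic header; string concatenation turns a null reference into "null". */
    static String basicHeader(String name, String credentials) {
        byte[] pair = (name + ":" + credentials).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    static String b64(String s) {
        return Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed stand-in for a Secret read back from the API server: values are
        // base64 under `data`; `stringData` is write-only and is not returned on read.
        Map<String, String> data = Map.of(NAME_KEY, b64("example-sa"), CRED_KEY, b64("example-credentials"));
        Map<String, String> stringData = Map.of();
        // Lookups on the empty map return null: this prints the header captured in the issue.
        System.out.println(basicHeader(stringData.get(NAME_KEY), stringData.get(CRED_KEY)));
        // Decoding `data` instead yields a usable client id and secret.
        System.out.println(basicHeader(requireDecoded(data, NAME_KEY), requireDecoded(data, CRED_KEY)));
        // A missing key stops the flow before any token request is sent.
        try {
            requireDecoded(Map.of(NAME_KEY, b64("example-sa")), CRED_KEY);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Failing closed on a missing or malformed key keeps a placeholder credential such as `null:null` from ever reaching the identity provider, where it only shows up as a `client_not_found` event.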
