From 2869f0b9a3c1816dd633f3cb95637ade4210ff76 Mon Sep 17 00:00:00 2001 From: theosanderson-agent Date: Wed, 13 May 2026 18:31:00 +0100 Subject: [PATCH] fix(deployment): restart keycloak on every deploy when dev DB is wiped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Preview/dev deploys reset the keycloak DB on each Helm sync (the keycloak-database-standin pod has a `timestamp: now` annotation, and without persistence the pod has no PVC so its data is lost on every restart). The keycloak pod itself however only restarted when the docker tag changed (via the `LOCULUS_VERSION` env var). When a redeploy happened without a version bump the DB was wiped but keycloak kept running with stale internal state, causing the "Unexpected error when handling authentication request to identity provider" errors users were seeing on dev instances (#6431). Add a `timestamp: now` pod annotation to the keycloak Deployment, gated on `runDevelopmentKeycloakDatabase` AND NOT `developmentDatabasePersistence`, so keycloak is recreated on every Helm sync exactly when its DB is. We deliberately do NOT add the timestamp in prod or in persistent dev mode — #4326 removed an unconditional timestamp here because it was logging users out every 24h. Co-Authored-By: Claude Opus 4.7 (1M context) --- kubernetes/loculus/templates/keycloak-deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kubernetes/loculus/templates/keycloak-deployment.yaml b/kubernetes/loculus/templates/keycloak-deployment.yaml index 78bd59233f..45e788c7bc 100644 --- a/kubernetes/loculus/templates/keycloak-deployment.yaml +++ b/kubernetes/loculus/templates/keycloak-deployment.yaml @@ -14,6 +14,10 @@ spec: component: keycloak template: metadata: + {{- if and .Values.runDevelopmentKeycloakDatabase (not .Values.developmentDatabasePersistence) }} + annotations: + timestamp: {{ now | quote }} + {{- end }} labels: app: loculus component: keycloak
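Review bot: The new `{{- if and .Values.runDevelopmentKeycloakDatabase (not .Values.developmentDatabasePersistence) }}` guard under `template.metadata` has no in-template comment. The reason the timestamp must stay conditional (#4326 removed an unconditional one because it logged users out every 24h) is recorded only in the commit message. Please add a Helm comment directly above the `if` saying that the annotation forces a keycloak restart only when the dev database is wiped, and that it must not be made unconditional. The commit message says the guard is meant to fire "exactly when" the keycloak-database-standin pod is recreated, but that template is not part of this diff. It is worth confirming that the standin's `timestamp: now` annotation is gated on the same two values. If it is, consider moving the shared condition into a named template so the two cannot drift apart. Also check that nothing else in this Deployment emits a pod-level `annotations:` key, since a second one under the same `metadata` would produce a duplicate key when the condition is true.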