[BUG] - Realm not found #2745

Open
Adam-D-Lewis opened this issue Sep 25, 2024 · 1 comment
Labels
area: documentation 📖 Improvements or additions to documentation type: bug 🐛 Something isn't working

Comments

@Adam-D-Lewis
Member

Adam-D-Lewis commented Sep 25, 2024

Describe the bug

Occasionally when deploying I've seen the error

[terraform]: │ Error: error sending GET request to /auth/admin/realms/nebari/default-groups: 404 Not Found. Response body: {"error":"Realm not found."}

from Keycloak. I believe I've seen this when terraform fails during a deploy then I redeploy. I think it has something to do with terraform thinking the nebari realm should already exist, but it wasn't created yet.

I am able to get around the error most of the time by manually creating the realm.
I've gotten around this by manually adding the "nebari" realm in Keycloak then redeploying.

We should add this to the docs.

@Adam-D-Lewis Adam-D-Lewis added type: bug 🐛 Something isn't working needs: triage 🚦 Someone needs to have a look at this issue and triage labels Sep 25, 2024
@Adam-D-Lewis Adam-D-Lewis added area: documentation 📖 Improvements or additions to documentation and removed needs: triage 🚦 Someone needs to have a look at this issue and triage labels Sep 25, 2024
@viniciusdc
Contributor

Keycloak deployment occurs in two different stages, kubernetes_keycloak and kubernetes_keycloak_configuration

  • The first stage is responsible for setting up the pod and running the service, and creates the master realm. At the end of the state, we make a request using the keycloak python lib to validate the realm exists.
    def _attempt_keycloak_connection(
  • The second stage heavily depends on HTTPS requests, as it uses a custom provider that leverages terraform into API requests (that's where the above error is coming from). This stage, similar to the one above, also has a final deploy check:
    if not _attempt_keycloak_connection(
        keycloak_url,
        stage_outputs[directory]["keycloak_credentials"]["value"]["username"],
        stage_outputs[directory]["keycloak_credentials"]["value"]["password"],
        stage_outputs[directory]["keycloak_credentials"]["value"]["realm"],
        stage_outputs[directory]["keycloak_credentials"]["value"]["client_id"],
        nebari_realm=stage_outputs["stages/06-kubernetes-keycloak-configuration"][
            "realm_id"
        ]["value"],
        verify=False,
    ):
        print(
            "ERROR: unable to connect to keycloak master realm and ensure that nebari realm exists"
        )
        sys.exit(1)

Though, the error you are seeing is coming from this part:

resource "keycloak_default_groups" "default" {
  realm_id = keycloak_realm.main.id
  group_ids = [
    for g in var.default_groups :
    keycloak_group.groups[g].id
  ]
}

While the workaround above is a good short-term fix, it would be important for us to understand why the realm is not created when the resource assumes so... One suggestion is to start by checking the Keycloak logs for any warnings/errors (they do appear in case a request is incorrectly made).
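
Added example, not part of the thread and not Nebari's code: a preflight probe that tells the `{"error":"Realm not found."}` 404 quoted in the issue apart from Keycloak being unreachable or rejecting the credentials, so a redeploy can stop before `keycloak_default_groups` runs against a realm that only exists in Terraform state. `realm_state`, `wait_for_realm` and the `fetch` transport are hypothetical names; `fetch` is assumed to do an authenticated, TLS-verified GET and return `(status, body)`.

```python
import json
import time
from typing import Callable, Tuple

# Assumption: hypothetical transport, path -> (status_code, body_text).
Fetch = Callable[[str], Tuple[int, str]]

# "/auth" prefix as in the error on this page; a GET on the realm itself is the
# Keycloak Admin REST API call that returns its RealmRepresentation.
REALM_PATH = "/auth/admin/realms/{realm}"


def realm_state(fetch: Fetch, realm: str) -> str:
    """Classify one probe: 'present', 'missing', 'unauthorized' or 'unavailable'."""
    try:
        status, body = fetch(REALM_PATH.format(realm=realm))
    except OSError:
        return "unavailable"  # connection refused, DNS or TLS failure
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        doc = {}  # e.g. an HTML error page from an ingress or proxy
    if not isinstance(doc, dict):
        doc = {}
    if status == 200 and doc.get("realm") == realm:
        return "present"
    if status == 404 and "Realm not found" in str(doc.get("error", "")):
        return "missing"
    if status in (401, 403):
        return "unauthorized"
    return "unavailable"  # 5xx or an unexpected body


def wait_for_realm(fetch: Fetch, realm: str, attempts: int = 5,
                   delay: float = 2.0, sleep=time.sleep) -> str:
    """Retry only while Keycloak is unavailable; definite answers return at once."""
    state = "unavailable"
    for attempt in range(attempts):
        state = realm_state(fetch, realm)
        if state != "unavailable":
            return state
        if attempt < attempts - 1:
            sleep(delay)
    return state


if __name__ == "__main__":
    # Constructed responses: a proxy error, then the 404 body quoted in the issue.
    replies = iter([(502, "bad gateway"), (404, '{"error":"Realm not found."}')])
    print(wait_for_realm(lambda path: next(replies), "nebari", delay=0))
```

A `missing` result means the realm has to be created (or the stale Terraform state reconciled) before the configuration stage is applied again; `unavailable` after all attempts points at the Keycloak pod or ingress instead.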
