Group Membership are alternatly deleted and created on keycloak by crossplane
Summary
Frequently, the playwright tests fail with rancher displaying an empty list of cluster.
This is because sylva-admin is not part of the infra-admin group when the test is run.
2026-01-21 08:31:35,878 INFO [org.keycloak.events] (executor-thread-48) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="48fa07cc-2360-2dfd-6bd6-b47ce4bfa7a0", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:06ddb186-5690-cf8e-d522-e54b6e689448", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="f1faa9ba-3ff5-35b6-f01f-d102efadd66a", client_auth_method="client-secret", username="admin", authSessionParentId="48fa07cc-2360-2dfd-6bd6-b47ce4bfa7a0", auth
SessionTabId="BJkAgNUke3c"
2026-01-21 08:31:35,882 INFO [org.keycloak.events] (executor-thread-46) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="73ace8bb-6188-8606-d5e2-e7b051ff6906", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:1d08ce86-b2bd-b0af-59fe-662df12674d9", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="980cb3bc-d943-0d74-2067-d82efb39415d", client_auth_method="client-secret", username="admin", authSessionParentId="73ace8bb-6188-8606-d5e2-e7b051ff6906", auth
SessionTabId="xrUA9dMxc3A"
2026-01-21 08:31:35,957 INFO [org.keycloak.events] (executor-thread-36) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="61a12bb2-bb3f-2aa8-a42e-d2459e5ec960", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:98e6e7f4-3712-9616-46c5-33536984dcc2", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="1daa460e-8ec3-b8e1-e7fe-cc4a0224541f", client_auth_method="client-secret", username="admin", authSessionParentId="61a12bb2-bb3f-2aa8-a42e-d2459e5ec960", auth
SessionTabId="T4mfPXYbFIs"
2026-01-21 08:31:35,982 INFO [org.keycloak.events] (executor-thread-52) operationType="DELETE", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="7b00b003-6ab9-4ea4-9da2-c758b9f6ad79", userId="b99316d4-3574-4765-be86-b197040e634c", ipAddress="100.72.152.38", resourceType="GROUP_MEMBERSHIP"
, resourcePath="users/d209b219-2b7c-486c-8e13-22627f0ad2b6/groups/a32c08ad-7875-495a-bba6-21b4bb3d243d", email="sylva-admin@example.com", username="sylva-admin"
2026-01-21 08:31:35,998 INFO [org.keycloak.events] (executor-thread-49) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="0e8f3905-e7e3-9734-791c-3cbe19d4e928", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:f23c1d2b-4e57-af8d-e131-65887fe3d9a9", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="11909887-54bf-2ce1-5052-034b4d6d0f2c", client_auth_method="client-secret", username="admin", authSessionParentId="0e8f3905-e7e3-9734-791c-3cbe19d4e928", auth
SessionTabId="iWdIJa-DyZ0"
2026-01-21 08:31:36,001 INFO [org.keycloak.events] (executor-thread-47) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="276da019-dffa-e374-11e9-a04ccfa78b22", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:9f8e93f0-eca9-7e0e-311c-4e97bc62fc27", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="5e792c75-67c5-fcc8-fe25-a5fbba6a3ed2", client_auth_method="client-secret", username="admin", authSessionParentId="276da019-dffa-e374-11e9-a04ccfa78b22", auth
SessionTabId="sFHt1Mvd_xs"
2026-01-21 08:31:36,012 INFO [org.keycloak.events] (executor-thread-32) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="10b44409-2e7b-11dc-f363-5eb8b567a4fb", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:29ed110f-e6c0-173a-59c2-2635c74e4413", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="0cd5e9c9-aeae-96b4-aa16-13d0e5c9596e", client_auth_method="client-secret", username="admin", authSessionParentId="10b44409-2e7b-11dc-f363-5eb8b567a4fb", auth
SessionTabId="z2_75opmWxE"
2026-01-21 08:31:36,024 INFO [org.keycloak.events] (executor-thread-45) type="LOGIN", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="admin-cli", userId="b99316d4-3574-4765-be86-b197040e634c", sessionId="07899322-e81b-25f2-59ea-d060039b00e0", ipAddress="100.72.152.38", auth_method="openi
d-connect", token_id="onltro:486d0190-a8e1-b885-1470-f7b6e5ecf2b2", grant_type="password", refresh_token_type="Refresh", scope="email profile", refresh_token_id="0150e0da-1fa4-43d1-2bdb-9a48ae3353ba", client_auth_method="client-secret", username="admin", authSessionParentId="07899322-e81b-25f2-59ea-d060039b00e0", auth
SessionTabId="ZReJsQqbvJA"
2026-01-21 08:31:36,047 INFO [org.keycloak.events] (executor-thread-52) operationType="CREATE", realmId="97bfffa3-61d9-4aae-8c23-933cecde810a", realmName="master", clientId="7b00b003-6ab9-4ea4-9da2-c758b9f6ad79", userId="b99316d4-3574-4765-be86-b197040e634c", ipAddress="100.72.152.38", resourceType="GROUP_MEMBERSHIP"
, resourcePath="users/bb6abc1b-501e-41ba-8a18-ad54ea34d60e/groups/a32c08ad-7875-495a-bba6-21b4bb3d243d", username="test-user"This log come from keycloak pods. The group membership is deleted and created multiple times, by the crossplane provider.
the memberships.group.keycloak.m.crossplane.io object is present for a while.
crossplane logs are missing to understand better.
I was not able to reproduce locally