Keycloak quarkus
Package Merge Request
Package Changes
Migrate to Keycloak Quarkus and upgrade to Keycloak 20.0.2
Package MR
https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/merge_requests/87
https://repo1.dso.mil/platform-one/big-bang/apps/product-tools/keycloak-p1-auth-plugin/-/merge_requests/24
For Issue
Closes https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/issues/71
Release Notes
This release contains a major version upgrade to Keycloak 20.0.2 and a migration to the new Keycloak Quarkus deployment architecture. You should test in a staging/preprod environment before going to production. The migration was a 4-month-long engineering effort by the Big Bang Team and the CNAP Team. Keycloak Legacy is now deprecated, unmaintained, and unsupported.
What you need to know:
- There is no data migration needed.
- There are no client changes/migration needed.
- The deployment uses the Iron Bank image directly. There is no longer a custom P1 Keycloak image.
- The P1 plugin is now hosted in Iron Bank and gets injected into the Keycloak container on startup. You have the option of not using the P1 custom plugin if you want to use vanilla Keycloak and manually handle all authz and authn security controls yourself.
- The deployment configuration now allows you to inject your own custom theme and change the realm name to something other than "baby-yoda". If you rename an existing realm, the clients will need to be configured for the new URL path.
- The environment variables for setting the default admin credentials have changed.
- There are significant (but not technically hard) configuration changes. Reference the example production config.
- The Big Bang helm chart is backwards compatible with Keycloak Legacy. It is possible to upgrade to this Big Bang release and pin to the last Keycloak Legacy tag if you need more time to upgrade to the new Keycloak Quarkus.
Known Issues
- The Keycloak Admin Console is partially broken for SAML clients. Unable to import Nexus application certificate for "Signing keys config". Existing Nexus deployments are not affected. This only affects new Nexus deployments. The workaround is to temporarily change the "Admin Console Theme" in the "master" realm to the old "keycloak" theme instead of the new default theme "keycloak.v2".
https://github.com/keycloak/keycloak-ui/issues/4143
Activity
added keycloak label
assigned to @kevin.wilder
changed milestone to %1.49.0
added 5 commits
- c3869a8f...1ae3c674 - 2 commits from branch master
- bee66c00 - quarkus changes
- 8e944d31 - keep legacy ENVs
- 40d97d24 - comments
- Resolved by kevin.wilder
Need to update the plugin initContainer version in the ./tests/test-values.yaml when the official plugin release tag "3.0.0" has been cut.
Currently using image test8-3.0.0
Edited by kevin.wilder
added 2 commits
added 27 commits
- d059d296...092eb66d - 18 commits from branch master
- 594f99e4 - quarkus changes
- 33b7ee8f - keep legacy ENVs
- 161e7276 - comments
- 125e3bd0 - test values
- c818bbb4 - bump resources
- 70274aab - fix for mattermost sso
- a8c5e075 - test without gatekeeper
- 34afe8f1 - backout MM for now
- ff1f98a5 - fully remove mattermost change
- Resolved by kevin.wilder
Need to add Mattermost template change to fix SSO
    mattermostEnvs:
      # required for KC >= 20.X to work with gitlab auth pointed to Keycloak
      MM_GITLABSETTINGS_SCOPE: openid
added 73 commits
- d273cf7b...5b2559f0 - 52 commits from branch master
- eb3090cd - quarkus changes
- de00f0bb - keep legacy ENVs
- 05c8d10d - comments
- e2256766 - test values
- bcbcb0c9 - bump resources
- bf720cc0 - fix for mattermost sso
- a6af94f7 - test without gatekeeper
- 21603748 - backout MM for now
- 33ed8c2a - fully remove mattermost change
- 13614cc0 - more fully remove mattermost change
- 172207e6 - try without plugin
- f7f8cc16 - try with no emptyDir volume mounts
- 2968f1b9 - re-add mattermost fix
- 6829e32c - add emptyDir volumes, no volume mounts
- 4728a814 - remove mattermost sso fix
- 6bd4f607 - try with one initCont emptyDir mount
- 27d4775a - try initContainer securityContext
- a206373b - remove fsGroup
- 66d24256 - try seLinuxOptions
- 70359621 - add fips support to init container
- 9152a04b - update test values
changed milestone to %1.50.0
- Resolved by kevin.wilder
Need to switch to the Keycloak tag after the keycloak package is merged.
added 85 commits
- 8900266b...bd2ffa5f - 56 commits from branch master
- 924aa71d - quarkus changes
- 08918d59 - keep legacy ENVs
- 436fc1fa - comments
- a62ba960 - test values
- 5b481fc6 - bump resources
- 2817b2ae - fix for mattermost sso
- c1cab683 - test without gatekeeper
- 10b92ff4 - backout MM for now
- b0e70b7a - fully remove mattermost change
- d22b9e40 - more fully remove mattermost change
- 1621207e - try without plugin
- 6869d42e - try with no emptyDir volume mounts
- f0e4c4e2 - re-add mattermost fix
- 6c4140b5 - add emptyDir volumes, no volume mounts
- 625c7ba0 - remove mattermost sso fix
- 9e6badf8 - try with one initCont emptyDir mount
- 3268b5e9 - try initContainer securityContext
- 6b13094d - remove fsGroup
- 97118ccd - try seLinuxOptions
- df736ed6 - add fips support to init container
- 1c92b9aa - update test values
- 5557ff29 - update test values
- a8f10088 - docs
- b79f6fe0 - keycloak config examples
- ae67097a - re-enable clusterauditor and gatekeeper
- 69c4be5e - edit example config
- 875a3f82 - fix test values
- b84923c3 - fix test values
- 0a1a13f2 - fix test values