Keycloak quarkus

Package Merge Request

Package Changes

Migrate to Keycloak Quarkus and upgrade to Keycloak 20.0.2

Package MR

https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/merge_requests/87
https://repo1.dso.mil/platform-one/big-bang/apps/product-tools/keycloak-p1-auth-plugin/-/merge_requests/24

For Issue

Closes https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/issues/71

Release Notes

This release contains a major version upgrade to Keycloak 20.0.2 and a migration to the new Keycloak Quarkus deployment architecture. You should test in a staging/preprod environment before going to production. The migration was a 4 month long engineering effort by the Big Bang Team and the CNAP Team. Keycloak Legacy is now deprecated, unmaintained, and unsupported. What you need to know:

• There is no data migration needed.
• There are no client changes/migration needed.
• The deployment uses the Iron Bank image directly. There is no longer a custom P1 Keycloak image.
• The P1 plugin is now hosted in Iron Bank and gets injected into the Keycloak container on startup. You have the option of not using the P1 custom plugin if you want to use vanilla Keycloak and manually handle all authz and authn security controls yourself.
• The deployment configuration now allows you to inject your own custom theme and change the realm name to something other than "baby-yoda". If you rename an existing realm the clients will need to be configured for the new URL path.
• The environment variables for setting the default admin credentials have changed.
• There are significant (but not technically hard) configuration changes. Reference the example production config
• The Big Bang helm chart is backwards compatible with Keycloak Legacy. It is possible to upgrade to this Big Bang release and pin to the last Keycloak Legacy tag if you need more time to upgrade to the new Keycloak Quarkus.

Known Issues

• The Keycloak Admin Console is partially broken for SAML clients. Unable to import Nexus application certificate for "Signing keys config". Existing Nexus deployments are not affected. This only affects new Nexus deployments. The workaround is to temporarily change the "Admin Console Theme" in the "master" realm to the old "keycloak" theme instead of the new default theme "keycloak.v2".
  https://github.com/keycloak/keycloak-ui/issues/4143

chart/templates/argocd/values.yaml

@@ -159,7 +159,8 @@ configs:
 sso:
   enabled: {{ .Values.addons.argocd.sso.enabled }}
   rbac:
-    policy.csv: {{- toYaml .Values.addons.argocd.sso.groups | nindent 4 }}
+    policy.csv: |
+      {{- .Values.addons.argocd.sso.groups | nindent 6 }}
   keycloakClientSecret: {{ .Values.addons.argocd.sso.client_secret }}
   config:
     oidc.config: |