UNCLASSIFIED - NO CUI


SKIP UPGRADE CHECK keycloak update to 7.0.1-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/keycloak/-/blob/7.0.1-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/keycloak!294 (merged)

For Issue

Closes big-bang/product/packages/keycloak#243 (closed)

Upgrade Notices

This release of Keycloak completely migrates the chart to the passthrough pattern. With that migration come considerations for Big Bang users that rely on the Keycloak chart.

Shifting values

Values that were previously used to configure the keycloak components of the chart now live under the upstream key:

-  resources:
-    requests:
-      cpu: "1"
-      memory: "1Gi"
-    limits:
-      memory: "1Gi"
+ upstream:   
+   resources:
+     requests:
+       cpu: "1"
+       memory: "1Gi"
+     limits:
+       memory: "1Gi"

Removal of the *BigBang values

The old chart had big-bang-specific values fields (like extraVolumeMountsBigBang and extraVolumesBigBang) that were created to smooth over a limitation of the upstream chart's extraVolumeMounts and extraVolumes.

Those two fields are expected to be strings; the upstream chart runs them through the template engine and converts the result to YAML. This allows a value like:

  extraVolumes: |-
    - name: tlscert
      secret:
        secretName: {{ include "keycloak.fullname" . }}-tlscert
    - name: tlskey
      secret:
        secretName: {{ include "keycloak.fullname" . }}-tlskey

to be rendered into the actual pod spec as:

  - name: tlscert
    secret:
      defaultMode: 420
      secretName: keycloak-upstream-tlscert
  - name: tlskey
    secret:
      defaultMode: 420
      secretName: keycloak-upstream-tlskey

The problem the *BigBang fields worked around is that these strings do not merge the way YAML maps do. The last overlay to set extraVolumes was always the "winner", and only its configuration made it into the final templates; any volumes declared by earlier overlays were silently dropped.

Since the passthrough pattern no longer affords us the ability to alter the final templates for the keycloak StatefulSet, consumers of this package must take care to ensure that the final value of each of these "yaml string literal" fields includes all of the desired contents, not just the additions made by the last overlay.
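The overlay behaviour described above, as an added example that is not part of this merge request or the chart: a Helm-style values merge (maps merged key by key, everything else replaced) applied to two constructed overlays that each set upstream.extraVolumes as a string literal. The first overlay's tlscert volume is lost unless the last overlay restates it. The overlay contents, the secret and configMap names and the helper names are assumptions for the demo.

```python
"""Demo: YAML string-literal values such as extraVolumes do not merge across
Helm values overlays; the last overlay wins. Constructed example, not code
from the keycloak chart."""
import copy
import re


def merge_values(base: dict, overlay: dict) -> dict:
    """Merge `overlay` into `base` the way Helm merges values files: maps are
    merged key by key, while scalars, lists and therefore YAML string literals
    are replaced outright by the later value."""
    result = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_values(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def volume_names(extra_volumes: str) -> list[str]:
    """Names of the volumes declared in an extraVolumes string literal.
    Only the `- name:` list items are read; this is a small reader for the
    demo, not a YAML parser."""
    return re.findall(r"^\s*- name:\s*(\S+)", extra_volumes, flags=re.MULTILINE)


# Constructed overlays (assumed names). The first mounts a TLS certificate,
# the second was written independently and mounts a CA bundle.
TLS_VOLUMES = (
    "- name: tlscert\n"
    "  secret:\n"
    "    secretName: keycloak-upstream-tlscert\n"
)
CA_VOLUMES = (
    "- name: ca-bundle\n"
    "  configMap:\n"
    "    name: keycloak-ca-bundle\n"
)
TLS_OVERLAY = {"upstream": {"extraVolumes": TLS_VOLUMES}}
CA_OVERLAY = {"upstream": {"extraVolumes": CA_VOLUMES, "replicas": 2}}

# The fix: the last overlay restates every volume it needs, so the string
# literal the chart finally templates carries all of them.
COMBINED_OVERLAY = {"upstream": {"extraVolumes": TLS_VOLUMES + CA_VOLUMES}}


def render_volumes(*overlays: dict) -> list[str]:
    """Apply the overlays in order and return the volume names that would
    reach the rendered StatefulSet."""
    values: dict = {}
    for overlay in overlays:
        values = merge_values(values, overlay)
    return volume_names(values["upstream"]["extraVolumes"])


def lost_volumes(*overlays: dict) -> list[str]:
    """Volumes declared somewhere in the overlay chain that do not survive to
    the final values. A non-empty result is a silent configuration loss."""
    wanted: set[str] = set()
    for overlay in overlays:
        wanted.update(volume_names(overlay.get("upstream", {}).get("extraVolumes", "")))
    return sorted(wanted - set(render_volumes(*overlays)))


if __name__ == "__main__":
    print("naive chain :", render_volumes(TLS_OVERLAY, CA_OVERLAY),
          "lost:", lost_volumes(TLS_OVERLAY, CA_OVERLAY))
    print("restated    :", render_volumes(TLS_OVERLAY, COMBINED_OVERLAY),
          "lost:", lost_volumes(TLS_OVERLAY, COMBINED_OVERLAY))
```

Note that the map-valued key replicas from the second overlay survives the merge while the string-valued extraVolumes from the first does not; that asymmetry is exactly what the removed *BigBang fields papered over, and under the passthrough pattern it is the consumer's overlay ordering that has to account for it.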

Major Version Change for Bundled Postgres

The bundled postgres chart has been upgraded to the latest bitnami chart. For consumers using the bundled postgres chart, be advised this is not a supported configuration in production. If you are using the bundled chart, take steps to migrate to an external database implementation prior to attempting this upgrade.

Removal of the wide-open postgres egress NetworkPolicy

Previously, the keycloak package bundled a postgres egress NetworkPolicy that allowed keycloak to connect outbound to any IP address on port 5432 for the purpose of establishing database connections. This policy has been removed because it does not align with Big Bang's wider security posture. Consumers of the keycloak package should be advised that they may need to configure networkPolicies.additionalPolicies with an entry like the one below, scoped to the subnet(s) that actually host the database, to enable outbound database access:

addons:
  keycloak:
    values:
      networkPolicies:
        additionalPolicies:
        - name: keycloak-database-egress
          spec:
            podSelector:
              matchLabels:
                app.kubernetes.io/instance: keycloak
                app.kubernetes.io/name: upstream
            egress:
            - to:
              # Repeat the ipBlock for each subnet
              - ipBlock: 
                  cidr: <your-db-subnet-cidr>
              - ipBlock: 
                  cidr: <your-db-subnet-cidr>
              ports:
              - port: 5432
                protocol: TCP
            policyTypes:
            - Egress
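A check for the policy above, added here as an example and not part of this merge request: given a NetworkPolicy as a parsed dict, it flags any egress rule that can reach the database port without bounding the destination, which is the wide-open pattern this release removes. It catches a 0.0.0.0/0 (or ::/0) ipBlock, a rule with no `to` peers at all (which also allows every destination), and a `<your-db-subnet-cidr>` placeholder that was applied without being filled in. The policy dicts are constructed for the demo; the helper names are assumptions.

```python
"""Audit NetworkPolicy egress rules for unbounded database access.
Constructed example, not code from the keycloak chart or Big Bang."""
import ipaddress


def rule_ports(rule: dict) -> list:
    """Port numbers named by an egress rule; empty means all ports."""
    return [p.get("port") for p in rule.get("ports", [])]


def unrestricted_destinations(rule: dict) -> list[str]:
    """Reasons why the destination set of an egress rule is effectively
    unbounded. Empty list means every peer is a concrete selector or CIDR."""
    reasons = []
    peers = rule.get("to")
    if not peers:
        return ["no 'to' peers: allows every destination"]
    for peer in peers:
        block = peer.get("ipBlock")
        if block is None:
            continue  # podSelector / namespaceSelector peers stay in-cluster
        cidr = block.get("cidr", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            # Unfilled placeholders such as <your-db-subnet-cidr> land here;
            # the API server would reject them, but catch it before applying.
            reasons.append(f"unparsable cidr {cidr!r}")
            continue
        if net.prefixlen == 0:
            reasons.append(f"cidr {cidr} matches every address")
    return reasons


def audit_egress(policy: dict, db_port: int = 5432) -> list[str]:
    """Findings for one NetworkPolicy dict (parsed YAML). Empty list means
    Egress is enforced and every rule reaching db_port names concrete
    destinations."""
    findings = []
    spec = policy.get("spec", {})
    if "Egress" not in spec.get("policyTypes", []):
        findings.append("policyTypes lacks Egress: the egress rules are not enforced")
    for i, rule in enumerate(spec.get("egress", [])):
        ports = rule_ports(rule)
        if ports and db_port not in ports:
            continue  # rule cannot reach the database port
        findings.extend(f"egress[{i}]: {r}" for r in unrestricted_destinations(rule))
    return findings


def _policy(peers, ports=({"port": 5432, "protocol": "TCP"},), policy_types=("Egress",)):
    """Build a constructed policy skeleton with the keycloak pod selector."""
    rule = {"ports": list(ports)}
    if peers is not None:
        rule["to"] = peers
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "keycloak-database-egress"},
        "spec": {
            "podSelector": {"matchLabels": {
                "app.kubernetes.io/instance": "keycloak",
                "app.kubernetes.io/name": "upstream"}},
            "egress": [rule],
            "policyTypes": list(policy_types),
        },
    }


# Constructed policies: the removed wide-open one, a correctly scoped one,
# the template applied with its placeholder left in, and a rule with no peers.
WIDE_OPEN_POLICY = _policy([{"ipBlock": {"cidr": "0.0.0.0/0"}}])
SCOPED_POLICY = _policy([{"ipBlock": {"cidr": "10.20.0.0/24"}},
                         {"ipBlock": {"cidr": "10.21.0.0/24"}}])
UNFILLED_POLICY = _policy([{"ipBlock": {"cidr": "<your-db-subnet-cidr>"}}])
NO_TO_POLICY = _policy(None)

if __name__ == "__main__":
    for name, pol in [("wide-open", WIDE_OPEN_POLICY), ("scoped", SCOPED_POLICY),
                      ("unfilled", UNFILLED_POLICY), ("no-to", NO_TO_POLICY)]:
        print(f"{name:10s} {audit_egress(pol) or 'ok'}")
```

The rule without `to` is worth the explicit check: an egress entry that lists only ports is valid YAML, is accepted by the API server, and reproduces the exact "any IP on 5432" reach that the bundled policy had, so it is the most likely way to reintroduce the removed behaviour by accident.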
Edited by Zach Callahan
