✨ Update upstream keycloak to V26

konveyor · Feb 6, 2025 · 2b424d8 · 2b424d8
1 parent e161635
commit 2b424d8
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 17 deletions.
diff --git a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
@@ -103,7 +103,7 @@ metadata:
     categories: Modernization & Migration
     certified: "false"
     containerImage: quay.io/konveyor/tackle2-operator:latest
-    createdAt: "2024-11-07T18:19:51Z"
+    createdAt: "2025-02-05T21:27:13Z"
     description: Konveyor is an open-source application modernization platform that
       helps organizations safely and predictably modernize applications to Kubernetes
       at scale.
@@ -279,7 +279,7 @@ spec:
                 - name: RELATED_IMAGE_TACKLE_POSTGRES
                   value: quay.io/sclorg/postgresql-15-c9s:latest
                 - name: RELATED_IMAGE_KEYCLOAK_SSO
-                  value: quay.io/keycloak/keycloak:18.0.2-legacy
+                  value: quay.io/keycloak/keycloak:26.1
                 - name: RELATED_IMAGE_KEYCLOAK_INIT
                   value: quay.io/konveyor/tackle-keycloak-init:latest
                 - name: RELATED_IMAGE_TACKLE_UI
@@ -474,7 +474,7 @@ spec:
     name: tackle-hub
   - image: quay.io/sclorg/postgresql-15-c9s:latest
     name: tackle-postgres
-  - image: quay.io/keycloak/keycloak:18.0.2-legacy
+  - image: quay.io/keycloak/keycloak:26.1
     name: keycloak-sso
   - image: quay.io/konveyor/tackle-keycloak-init:latest
     name: keycloak-init

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -15,7 +15,7 @@ images:
   oauth_proxy: quay.io/openshift/origin-oauth-proxy:latest
   tackle_hub: quay.io/konveyor/tackle2-hub:latest
   tackle_postgres: quay.io/sclorg/postgresql-15-c9s:latest
-  keycloak_sso: quay.io/keycloak/keycloak:18.0.2-legacy
+  keycloak_sso: quay.io/keycloak/keycloak:26.1
   keycloak_init: quay.io/konveyor/tackle-keycloak-init:latest
   tackle_ui: quay.io/konveyor/tackle2-ui:latest
   addon_analyzer: quay.io/konveyor/tackle2-addon-analyzer:latest

diff --git a/roles/tackle/defaults/main.yml b/roles/tackle/defaults/main.yml
@@ -113,7 +113,7 @@ keycloak_sso_java_opts: "-Dcom.redhat.fips=false"
 keycloak_sso_realm: "{{ app_name }}"
 keycloak_sso_req_passwd_update: true
 keycloak_sso_client_id: "{{ app_name }}-ui"
-keycloak_sso_tls_enabled: false
+keycloak_sso_tls_enabled: true
 keycloak_sso_tls_secret_name: "{{ keycloak_sso_service_name }}-serving-cert"
 keycloak_sso_port: "{{ '8443' if keycloak_sso_tls_enabled | bool else '8080' }}"
 keycloak_sso_proto: "{{ 'https' if keycloak_sso_tls_enabled | bool else 'http' }}"

diff --git a/roles/tackle/templates/deployment-keycloak-sso.yml.j2 b/roles/tackle/templates/deployment-keycloak-sso.yml.j2
@@ -42,14 +42,18 @@ spec:
       containers:
         - name: {{ keycloak_sso_container_name }}
           image: "{{ keycloak_sso_image_fqin }}"
+          args:
+          - -Djgroups.dns.query=mta-kc-discovery.openshift-mta
+          - --verbose
+          - start
           imagePullPolicy: "{{ image_pull_policy }}"
           env:
-            - name: KEYCLOAK_USER
+            - name: KC_BOOTSTRAP_ADMIN_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_sso_secret_name }}
                   key: admin-username
-            - name: KEYCLOAK_PASSWORD
+            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_sso_secret_name }}
@@ -58,25 +62,32 @@ spec:
               value: {{ keycloak_sso_java_opts }}
             - name: PROXY_ADDRESS_FORWARDING
               value: 'true'
-            - name: DB_VENDOR
+            - name: KC_DB
               value: postgres
-            - name: DB_ADDR
-              value: {{ keycloak_database_service_k8s_resource_name }}
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: {{ keycloak_database_secret_name }}
-                  key: database-name
-            - name: DB_USER
+            - name: KC_DB_URL
+              value: jdbc:postgresql://{{ keycloak_database_service_k8s_resource_name }}:5432/{{ keycloak_database_db_name }}
+            - name: KC_DB_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_database_secret_name }}
                   key: database-user
-            - name: DB_PASSWORD
+            - name: KC_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_database_secret_name }}
                   key: database-password
+            - name: KC_HTTP_RELATIVE_PATH
+              value: /auth
+            - name: KC_PROXY_HEADERS
+              value: xforwarded
+            - name: KC_HTTPS_CERTIFICATE_FILE
+              value: /service-crt/tls.crt
+            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+              value: /service-crt/tls.key
+            - name: KC_HOSTNAME_STRICT
+              value: "false"
+            - name: KC_HTTP_ENABLED
+              value: "true"
           ports:
             - name: http
               containerPort: 8080
@@ -114,6 +125,12 @@ spec:
           volumeMounts:
             - name: {{ keycloak_sso_service_name }}-theme
               mountPath: /opt/jboss/keycloak/standalone/deployments
+            - mountPath: "/service-crt"
+              name: service-crt
+              readOnly: true
       volumes:
         - name: {{ keycloak_sso_service_name }}-theme
           emptyDir: {}
+        - name: service-crt
+          secret:
+            secretName: sso-x509-https-secret