feat(upgrade): change to keycloak v22.0.3

.github/workflows/centralidp-chart-test.yaml

@@ -31,14 +31,14 @@ on:
     inputs:
       node_image:
         description: 'kindest/node image for k8s kind cluster'
-        # k8s version from 3.1 release
-        default: 'kindest/node:v1.24.6'
+        # k8s version to support
+        default: 'kindest/node:v1.26.6'
         required: false
         type: string
       upgrade_from:
         description: 'portal chart version to upgrade from'
-        # centralidp version from 3.1 release
-        default: '1.1.0'
+        # centralidp version from 23.09 release
+        default: '1.2.0'
         required: false
         type: string
 
@@ -55,7 +55,7 @@ jobs:
         uses: container-tools/kind-action@v2
         with:
           version: v0.19.0
-          node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.24.6' }}
+          node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.26.6' }}
 
       - name: Set up Helm
         uses: azure/setup-helm@v3
@@ -93,7 +93,7 @@ jobs:
         run: |
           helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
           helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
-          helm install centralidp tractusx-dev/centralidp --version ${{ github.event.inputs.upgrade_from || '1.1.0' }}
+          helm install centralidp tractusx-dev/centralidp --version ${{ github.event.inputs.upgrade_from || '1.2.0' }}
           helm dependency update charts/centralidp
           helm upgrade centralidp charts/centralidp
         if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

.github/workflows/sharedidp-chart-test.yaml

@@ -31,14 +31,14 @@ on:
     inputs:
       node_image:
         description: 'kindest/node image for k8s kind cluster'
-        # k8s version from 3.1 release
-        default: 'kindest/node:v1.24.6'
+        # k8s version to support
+        default: 'kindest/node:v1.26.6'
         required: false
         type: string
       upgrade_from:
         description: 'portal chart version to upgrade from'
-        # sharedidp version from 3.1 release
-        default: '1.1.0'
+        # sharedidp version from 23.09 release
+        default: '1.2.0'
         required: false
         type: string
 
@@ -55,7 +55,7 @@ jobs:
         uses: container-tools/kind-action@v2
         with:
           version: v0.19.0
-          node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.24.6' }}
+          node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.26.6' }}
 
       - name: Set up Helm
         uses: azure/setup-helm@v3
@@ -93,7 +93,7 @@ jobs:
         run: |
           helm repo add bitnami-full-index https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
           helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
-          helm install sharedidp tractusx-dev/sharedidp --version ${{ github.event.inputs.upgrade_from || '1.1.0' }}
+          helm install sharedidp tractusx-dev/sharedidp --version ${{ github.event.inputs.upgrade_from || '1.2.0' }}
           helm dependency update charts/sharedidp
           helm upgrade sharedidp charts/sharedidp
         if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

README.md

@@ -4,7 +4,7 @@
 
 This repository contains the reference configuration to deploy the Catena-X (CX) specific Keycloak instances.
 
-The instances depend on the [helm chart from Bitnami](https://artifacthub.io/packages/helm/bitnami/keycloak) (chart version 7.1.18, app version 16.1.1).
+The instances depend on the [helm chart from Bitnami](https://artifacthub.io/packages/helm/bitnami/keycloak) (chart version 16.1.6, app version 22.0.3).
 
 The repository is split up in:
 
@@ -17,12 +17,13 @@ For further information please refer to the chart specific README files, availab
 
 * charts/centralidp
   * [Installation](./charts/centralidp/README.md#installation)
-  * [Upgrade](./charts/centralidp/values.yaml#L155)
   * [Post-Install Configuration](./charts/centralidp/README.md#post-install-configuration)
+  * [Upgrade](./charts/centralidp/README.md#upgrade)
   * [Post-Upgrade Configuration](./charts/centralidp/README.md#post-upgrade-configuration)
 * charts/sharedidp
   * [Installation](./charts/sharedidp/README.md#installation)
   * [Post-Install Configuration](./charts/sharedidp/README.md#post-install-configuration)
+  * [Upgrade](./charts/sharedidp/README.md#upgrade)
 
 ## Notice for Docker images
 

charts/centralidp/Chart.yaml

@@ -20,13 +20,13 @@
 apiVersion: v2
 name: centralidp
 type: application
-version: 1.2.0
-appVersion: 1.2.0
+version: 2.0.0-alpha
+appVersion: 22.0.3
 description: Helm chart for Catena-X Central Keycloak Instance
 home: https://github.com/eclipse-tractusx/portal-iam
 sources:
   - https://github.com/eclipse-tractusx/portal-iam
 dependencies:
   - name: keycloak
     repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
-    version: 7.1.18
+    version: 16.1.6

charts/centralidp/README.md

@@ -1,6 +1,6 @@
 # Helm chart for Catena-X Central Keycloak Instance
 
-![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
+![Version: 2.0.0-alpha](https://img.shields.io/badge/Version-2.0.0--alpha-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.3](https://img.shields.io/badge/AppVersion-22.0.3-informational?style=flat-square)
 
 This helm chart installs the Helm chart for Catena-X Central Keycloak Instance.
 
@@ -29,35 +29,26 @@ To use the helm chart as a dependency:
 dependencies:
   - name: centralidp
     repository: https://eclipse-tractusx.github.io/charts/dev
-    version: 1.2.0
+    version: 2.0.0-alpha
 ```
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | keycloak | 7.1.18 |
+| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | keycloak | 16.1.6 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| keycloak.image.tag | string | `"16.1.1-debian-10-r103"` |  |
 | keycloak.auth.adminUser | string | `"admin"` |  |
 | keycloak.auth.existingSecret | string | `"centralidp-keycloak"` | Secret containing the passwords for admin username 'admin' and management username 'manager'. |
-| keycloak.proxyAddressForwarding | bool | `true` |  |
-| keycloak.serviceDiscovery.enabled | bool | `true` |  |
-| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_USER"` |  |
-| keycloak.extraEnvVars[0].value | string | `"admin"` |  |
-| keycloak.extraEnvVars[1].name | string | `"KEYCLOAK_PASSWORD"` |  |
-| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.name | string | `"centralidp-keycloak"` |  |
-| keycloak.extraEnvVars[1].valueFrom.secretKeyRef.key | string | `"admin-password"` |  |
-| keycloak.extraEnvVars[2].name | string | `"CACHE_OWNERS_COUNT"` |  |
-| keycloak.extraEnvVars[2].value | string | `"3"` |  |
-| keycloak.extraEnvVars[3].name | string | `"CACHE_OWNERS_AUTH_SESSIONS_COUNT"` |  |
-| keycloak.extraEnvVars[3].value | string | `"3"` |  |
-| keycloak.extraEnvVars[4].name | string | `"KEYCLOAK_EXTRA_ARGS"` |  |
-| keycloak.extraEnvVars[4].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING"` |  |
+| keycloak.production | bool | `false` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. |
+| keycloak.proxy | string | `"passthrough"` | reverse Proxy mode edge, reencrypt, passthrough or none; ref: https://www.keycloak.org/server/reverseproxy; If your ingress controller has the SSL Termination, you should set proxy to edge. |
+| keycloak.httpRelativePath | string | `"/auth/"` | Setting the path relative to '/' for serving resources: as we're migrating from 16.1.1 version which was using the trailing 'auth', we're setting it to '/auth/'. ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed |
+| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_EXTRA_ARGS"` |  |
+| keycloak.extraEnvVars[0].value | string | `"-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realms/CX-Central-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING"` |  |
 | keycloak.replicaCount | int | `3` |  |
 | keycloak.extraVolumes[0].name | string | `"themes"` |  |
 | keycloak.extraVolumes[0].emptyDir | object | `{}` |  |
@@ -77,7 +68,6 @@ dependencies:
 | keycloak.initContainers[0].volumeMounts[0].mountPath | string | `"/themes"` |  |
 | keycloak.initContainers[0].volumeMounts[1].name | string | `"realms"` |  |
 | keycloak.initContainers[0].volumeMounts[1].mountPath | string | `"/realms"` |  |
-| keycloak.service.type | string | `"ClusterIP"` |  |
 | keycloak.service.sessionAffinity | string | `"ClientIP"` |  |
 | keycloak.ingress.enabled | bool | `false` |  |
 | keycloak.ingress.ingressClassName | string | `"nginx"` |  |
@@ -114,7 +104,7 @@ dependencies:
 | secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. |
 | secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'kccentral'. Secret-key 'password'. |
 | secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. |
-| seeding.enabled | bool | `false` | Seeding job to upgrade CX_Central realm: enable to upgrade the configuration of the CX-Central realm from v1.1.0 to v1.2.0; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job |
+| seeding.enabled | bool | `false` | Seeding job to upgrade CX_Central realm: enable to upgrade the configuration of the CX-Central realm from previous version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job |
 | seeding.name | string | `"cx-central-realm-upgrade"` |  |
 | seeding.image | string | `"tractusx/portal-iam-seeding:v1.2.0-iam"` |  |
 | seeding.portContainer | int | `8080` |  |
@@ -152,7 +142,24 @@ This is done by setting the 'example.org' placeholder in the CX-Operator' Identi
 
 ## Upgrade
 
-Please see notes at [Values.seeding](values.yaml#L155).
+Please see notes at [Values.seeding](values.yaml#L148).
+
+### To 2.0.0
+
+WIP as currently still in alpha phase.
+
+This major changes from Keycloak version 16.1.1 to version 22.0.3.
+
+Please have a look into changelog for a more detailed description.
+
+We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html)
+
+To be mentioned explicitly: this major adds 'production' mode with default value false and reverse 'proxy' mode with default value 'passthrough'.
+Please check the description of those parameters and decide if they're suitable for you.
+
+This major version changes the PostgreSQL version from 14.2.0 to 15.4.0. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.
+
+Accordingly,this major also updates the PostgreSQL subchart from Bitnami from 11.1.22 to 12.12.9.
 
 ## Post-Upgrade Configuration
 
@@ -226,3 +233,7 @@ The following clients and service accounts are obsolete in version 1.2.0 and can
 
 * Cl4-CX-DigitalTwin
 * sa-cl6-cx-01
+
+### Upgrading from version 1.2.0 to 2.0.0
+
+WIP as currently still in alpha phase.

charts/centralidp/README.md.gotmpl

@@ -53,7 +53,24 @@ This is done by setting the 'example.org' placeholder in the CX-Operator' Identi
 
 ## Upgrade
 
-Please see notes at [Values.seeding](values.yaml#L155).
+Please see notes at [Values.seeding](values.yaml#L148).
+
+### To 2.0.0
+
+WIP as currently still in alpha phase.
+
+This major changes from Keycloak version 16.1.1 to version 22.0.3.
+
+Please have a look into changelog for a more detailed description.
+
+We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html)
+
+To be mentioned explicitly: this major adds 'production' mode with default value false and reverse 'proxy' mode with default value 'passthrough'.
+Please check the description of those parameters and decide if they're suitable for you.
+
+This major version changes the PostgreSQL version from 14.2.0 to 15.4.0. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.
+
+Accordingly,this major also updates the PostgreSQL subchart from Bitnami from 11.1.22 to 12.12.9.
 
 ## Post-Upgrade Configuration
 
@@ -127,3 +144,7 @@ The following clients and service accounts are obsolete in version 1.2.0 and can
 
 * Cl4-CX-DigitalTwin
 * sa-cl6-cx-01
+
+### Upgrading from version 1.2.0 to 2.0.0
+
+WIP as currently still in alpha phase.

charts/centralidp/templates/_helpers.tpl

@@ -16,18 +16,18 @@
 *
 * SPDX-License-Identifier: Apache-2.0
 
-Define "keycloak.fullname" in addition to the definition in the bitnami keycloak chart to set ".Chart.Name" to "keycloak".
+Define "keycloak.service.name" like ""common.names.fullname" in the bitnami common chart but setting ".Chart.Name" to "keycloak".
 This is necessary to retrieve the keycloak service name for the execution of the seeding job.
 */}}
-{{- define "keycloak.fullname" -}}
+{{- define "keycloak.service.name" -}}
 {{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default "keycloak" .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}

charts/centralidp/templates/job-seeding.yaml

@@ -45,7 +45,7 @@ spec:
         imagePullPolicy: "Always"
         env:
           - name: "KEYCLOAK__CENTRAL__CONNECTIONSTRING"
-            value: "http://{{ template "keycloak.fullname" . }}"
+            value: "http://{{ template "keycloak.service.name" . }}"
           - name: "KEYCLOAK__CENTRAL__USER"
             value: "{{ .Values.keycloak.auth.adminUser }}"
           - name: "KEYCLOAK__CENTRAL__PASSWORD"

charts/centralidp/templates/secret-centralidp.yaml

@@ -30,11 +30,9 @@ data:
   # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret
   # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
   # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
-  admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) }}
-  management-password: {{ ( .Values.secrets.auth.existingSecret.managementpassword | b64enc ) | default ( index $secret.data "management-password" ) }}
+  admin-password: {{ ( .Values.secrets.auth.existingSecret.adminpassword | b64enc ) | default ( index $secret.data "admin-password" ) | quote }}
 {{ else -}}
 stringData:
   # if secret doesn't exist, use provided value from values file or generate a random one
-  admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 | quote ) }}
-  management-password: {{ .Values.secrets.auth.existingSecret.managementpassword | default ( randAlphaNum 32 | quote ) }}
+  admin-password: {{ .Values.secrets.auth.existingSecret.adminpassword | default ( randAlphaNum 32 ) | quote }}
 {{ end }}

charts/centralidp/templates/secret-external-db.yaml

@@ -30,10 +30,10 @@ type: Opaque
 data:
   # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret
   # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
-  password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password }}
+  password: {{ ( .Values.keycloak.externalDatabase.password | b64enc ) | default $secret.data.password  | quote }}
 {{ else -}}
 stringData:
   # if secret doesn't exist, use provided value from values file or generate a random one
-  password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 | quote ) }}
+  password: {{ .Values.keycloak.externalDatabase.password | default ( randAlphaNum 32 ) | quote }}
 {{ end }}
 {{- end -}}

charts/centralidp/templates/secret-postgres-init.yaml

@@ -31,14 +31,14 @@ data:
   # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret
   # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
   # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
-  postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc )  | default ( index $secret.data "postgres-password" ) }}
-  password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password }}
-  replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc )  | default ( index $secret.data "replication-password" ) }}
+  postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc )  | default ( index $secret.data "postgres-password" ) | quote }}
+  password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }}
+  replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc )  | default ( index $secret.data "replication-password" ) | quote}}
 {{ else -}}
 stringData:
   # if secret doesn't exist, use provided value from values file or generate a random one
-  postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 | quote ) }}
-  password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 | quote ) }}
-  replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 | quote ) }}
+  postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }}
+  password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }}
+  replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }}
 {{ end }}
 {{- end -}}