[ENH] - Upgrade Keycloak to 20.0.4

Open viniciusdc opened this issue 1 year ago • 7 comments

Feature description

We've been using Keycloak for a while now. However, we are still using the old version pinned to 15.0.2. With the recent need for ARM builds and the focus on better support and reliability of Nebari, I suggest we start looking into the feasibility of this.

This might not be a straightforward move, as we can't yet guarantee that all those versions released so far are backward compatible or if the database would be the same. (Though, we could overcome this easily by developing further #1784)

Value and/or benefit

  • Support for the latest changes and security fixes on Keycloak
  • Support for ARM image builds without requiring extra maintenance burden on our side
  • More control on permissions and groups with the recent updates made to the UI

Anything else?

No response

viniciusdc avatar May 29 '24 13:05 viniciusdc

As we use codecentric for the helm-chart provider of our keycloak images, the most available image right now is 18.4.4. There is a nice discussion around the available options (bitnami for example) here:

  • https://keycloak.discourse.group/t/keycloak-helm-chart-install-for-kubernetes/19187
  • https://keycloak.discourse.group/t/codecentric-vs-bitnami/24950/2

My opinion on this would be to first move to the latest available version in our current provider as testing (there are hints of a new maintainer to that repo as well), and then later, we will decide on other options. By then, we might have newer versions as well.

viniciusdc avatar Jun 20 '24 16:06 viniciusdc

Also, it might be possible to use the override variable to manually update the installed version of Keycloak after we use the latest helm-chart by passing the image.tag.

viniciusdc avatar Jun 20 '24 16:06 viniciusdc

Currently, we download a jar file (https://github.com/nebari-dev/nebari/pull/2588). This jar file was necessary to export metrics for the keycloak dashboard. I'm not sure if it'll still be necessary after the upgrade. Something to check on.

Adam-D-Lewis avatar Aug 01 '24 16:08 Adam-D-Lewis

This is also something to keep in mind, even though not the focal point of this issue https://www.keycloak.org/2023/07/keycloak-2200-released.html

viniciusdc avatar Aug 05 '24 17:08 viniciusdc

Re-checking the current helm chart GitHub repo that we use for installing Keycloak. We can move from 15.0.2 to 17.0.1 without much problem. I did a local deployment and overrode the value for the chart, and the Keycloak pod was updated without issue; all services were kept running -- though it does require a complete double check, to make sure we don't end up breaking one internal integration that relies on the APIs.

Also, while checking that helm chart, I noticed the same provider also ships the new Keycloak that is based on Quarkus instead of WildFly (our current). This means that we can start working on upgrading the deployment -- also, I found migration guides for each version change (don't know how I missed this): https://www.keycloak.org/docs/latest/upgrading/index.html#migration-changes

viniciusdc avatar Feb 03 '25 14:02 viniciusdc

I want to start going in this direction, since our deployment of this is quite outdated already. Initially, let's move from 15.0.2 to 16.1.0, since that allows us to update the helm chart and also get new mappers that allow us to set group membership through the IDP config.

viniciusdc avatar Jul 01 '25 16:07 viniciusdc

One thing we need to be extra careful about is that the client for keycloak has also changed from the 18.x to 20.x versions. This not only includes the main script but also the integration with jar files. So we should be alert with our modification explicitly under:

  • https://github.com/nebari-dev/nebari/blob/main/src/_nebari/stages/kubernetes_keycloak/template/modules/kubernetes/keycloak-helm/values.yaml

viniciusdc avatar Oct 01 '25 19:10 viniciusdc