
Keycloak Upgrade

Open tylerpotts opened this issue 2 months ago • 1 comments

Reference Issues or PRs

Fixes https://github.com/nebari-dev/nebari/issues/2495

What does this implement/fix?

Put an x in the boxes that apply

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds a feature)
  • [ ] Breaking change (fix or feature that would cause existing features not to work as expected)
  • [ ] Documentation Update
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes, no API changes)
  • [ ] Build related changes
  • [x] Other (please describe): Software update for Keycloak

Documentation

  • [ ] For new features or enhancements, a corresponding PR has been opened in the documentation repository (if applicable)
    • Link to docs PR:

Testing

  • [x] Did you test the pull request locally?
  • [ ] Did you add new tests?

How to test this PR?

  • Deploy a cluster based on the 2025.10.1 version
  • Add a user to Keycloak (to verify that there is a user to be backed up)
  • Run nebari upgrade -c <config_file> to automatically generate a backup of Keycloak
  • Run nebari deploy -c <config_file> and the Keycloak database will be restored to the new database

Any other comments?

tylerpotts avatar Nov 05 '25 22:11 tylerpotts

That error is handled by us here: https://github.com/nebari-dev/nebari/blob/b63040b80be81235bd3c8846bd8a587bd20caf36/tests/tests_deployment/utils.py#L47-L62

I have a feeling the client API on the newer Keycloak might have moved a few settings to other places. Usually, I see those XSRF errors when there is a misconfiguration within the OAuth client. We are currently passing through that stage during deployment, but it might be beneficial to update the provider as well, depending on how the API is called under the hood.

I think something else is erroring out, and it ends up being picked up by that try block. I would compare the Keycloak clients configuration available on a deploy from this branch vs a current deployment to see if there is anything that pops up -- usually at the redirection URLs.

Since I see some errors with missing groups

tests/tests_deployment/test_conda_store_roles_loaded.py::test_conda_store_roles_loaded_from_keycloak[admin!namespace=analyst,developer!namespace=nebari-git-changed_scopes0] - KeyError: 'nebari-git/*'
FAILED tests/tests_deployment/test_conda_store_roles_loaded.py::test_conda_store_roles_loaded_from_keycloak[admin!namespace=analyst,developer!namespace=invalid-namespace-changed_scopes1] - KeyError: 'analyst/*'
FAILED 

viniciusdc avatar Nov 06 '25 15:11 viniciusdc
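
The comparison suggested in the comment above can be scripted. This is an added example, not code from the PR or from Nebari: it diffs two lists of Keycloak client representations (the JSON returned by the admin REST API's `GET /admin/realms/{realm}/clients`) on the fields that drive the OAuth redirect flow. The client names, host and sample data are constructed, and `diff_clients` is a hypothetical helper.

```python
import json

# ClientRepresentation fields that shape the OAuth redirect flow.
FIELDS = ("rootUrl", "redirectUris", "webOrigins",
          "standardFlowEnabled", "publicClient", "defaultClientScopes")


def _norm(value):
    # URI and scope lists are unordered, so compare them sorted.
    return sorted(value) if isinstance(value, list) else value


def diff_clients(old_export, new_export, fields=FIELDS):
    """Return {clientId: {field: (old, new)}} for every client that differs."""
    old = {c["clientId"]: c for c in old_export}
    new = {c["clientId"]: c for c in new_export}
    report = {}
    for cid in sorted(old.keys() | new.keys()):
        if cid not in old or cid not in new:
            # Client exists on one side only.
            report[cid] = {"<client>": ("present" if cid in old else "missing",
                                        "present" if cid in new else "missing")}
            continue
        changed = {}
        for f in fields:
            before, after = _norm(old[cid].get(f)), _norm(new[cid].get(f))
            if before != after:
                changed[f] = (before, after)
        if changed:
            report[cid] = changed
    return report


# Constructed sample exports (hypothetical host and client values).
CURRENT_DEPLOY = [
    {"clientId": "jupyterhub", "standardFlowEnabled": True, "webOrigins": ["+"],
     "redirectUris": ["https://nebari.example.com/hub/oauth_callback"]},
    {"clientId": "conda_store", "standardFlowEnabled": True,
     "redirectUris": ["https://nebari.example.com/conda-store/oauth_callback"]},
    {"clientId": "grafana", "standardFlowEnabled": True, "redirectUris": []},
]
BRANCH_DEPLOY = [
    {"clientId": "jupyterhub", "standardFlowEnabled": True, "webOrigins": [],
     "redirectUris": ["https://nebari.example.com/hub/oauth_callback"]},
    {"clientId": "conda_store", "standardFlowEnabled": True, "redirectUris": []},
]

if __name__ == "__main__":
    print(json.dumps(diff_clients(CURRENT_DEPLOY, BRANCH_DEPLOY), indent=2))
```

An empty report means the selected fields match on both deployments; extend `FIELDS` if the difference is suspected elsewhere in the client representation.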