chore(deps)!: Upgrade to Keycloak 26 (#3304)

--------- Co-authored-by: Cornelius Roemer <[email protected]>
loculus-project · Dec 3, 2024 · f8c4048 · f8c4048
1 parent 8a22aa8
commit f8c4048
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 13 deletions.
diff --git a/backend/build.gradle b/backend/build.gradle
@@ -44,7 +44,7 @@ dependencies {
     implementation "org.jetbrains.exposed:exposed-kotlin-datetime:0.56.0"
     implementation "org.jetbrains.kotlinx:kotlinx-datetime:0.6.1"
     implementation "org.hibernate.validator:hibernate-validator:8.0.1.Final"
-    implementation "org.keycloak:keycloak-admin-client:23.0.7"
+    implementation "org.keycloak:keycloak-admin-client:26.0.3"
 
     implementation "org.springframework.boot:spring-boot-starter-oauth2-resource-server"
     implementation "org.springframework.boot:spring-boot-starter-security"

diff --git a/keycloak/keycloakify/Dockerfile b/keycloak/keycloakify/Dockerfile
@@ -2,7 +2,7 @@ ARG NODE_VERSION=22
 FROM node:${NODE_VERSION}-bookworm AS builder
 
 ARG KEYCLOAK_ORCID_VERSION=1.3.0
-ARG KEYCLOAK_MAJOR_VERSION=24
+ARG KEYCLOAK_MAJOR_VERSION=26
 
 USER root
 

diff --git a/kubernetes/loculus/templates/keycloak-deployment.yaml b/kubernetes/loculus/templates/keycloak-deployment.yaml
@@ -9,6 +9,8 @@ metadata:
     reloader.stakater.com/auto: "true"
 spec:
   replicas: 1
+  strategy:
+    type: Recreate # So we don't get a rolling update
   selector:
     matchLabels:
       app: loculus
@@ -37,7 +39,7 @@ spec:
       containers:
         - name: keycloak
           # TODO #1221
-          image: quay.io/keycloak/keycloak:23.0
+          image: quay.io/keycloak/keycloak:26.0
           {{- include "loculus.resources" (list "keycloak" $.Values) | nindent 10 }}
           env:
             - name: REGISTRATION_TERMS_MESSAGE
@@ -55,7 +57,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: keycloak-database
-                  key: port        
+                  key: port
             - name: KC_DB_URL_DATABASE
               valueFrom:
                 secretKeyRef:
@@ -78,25 +80,29 @@ spec:
                 secretKeyRef:
                   name: keycloak-admin
                   key: initialAdminPassword
-            - name: KC_PROXY
-              value: "edge"
             - name: PROXY_ADDRESS_FORWARDING
               value: "true"
             - name: KC_HEALTH_ENABLED
               value: "true"
-            - name: KC_HOSTNAME_URL
+            - name: KC_HOSTNAME
               value: "{{ include "loculus.keycloakUrl" . }}"
-            - name: KC_HOSTNAME_ADMIN_URL
+            - name: KC_HOSTNAME_ADMIN
               value: "{{ include "loculus.keycloakUrl" . }}"
-            - name: KC_FEATURES
-              value: "declarative-user-profile"
             # see https://github.com/keycloak/keycloak/blob/77b58275ca06d1cbe430c51db74479a7e1b409b5/quarkus/dist/src/main/content/bin/kc.sh#L95-L150
             - name: KC_RUN_IN_CONTAINER
               value: "true"
+            - name: KC_PROXY_HEADERS
+              value: "xforwarded"
+            - name: KC_HTTP_ENABLED
+              value: "true"
+            - name: KC_HOSTNAME_BACKCHANNEL_DYNAMIC
+              value: "true"
+            # Use local cache, otherwise KC tries to form a cache across all preview instances and causes chaos
+            - name: KC_CACHE
+              value: "local"
           args:
             - "start"
             - "--import-realm"
-            - "--cache=local"
           ports:
             - containerPort: 8080
           volumeMounts:
@@ -107,14 +113,14 @@ spec:
           startupProbe:
             httpGet:
               path: /health/ready
-              port: 8080
+              port: 9000
             timeoutSeconds: 3
             failureThreshold: 150
             periodSeconds: 5
           livenessProbe:
             httpGet:
               path: /health/ready
-              port: 8080
+              port: 9000
             timeoutSeconds: 3
             periodSeconds: 10
             failureThreshold: 2