
keycloak-k8s-resources's Introduction

Keycloak


Open Source Identity and Access Management

Add authentication to applications and secure services with minimum effort. No need to deal with storing users or authenticating users.

Keycloak provides user federation, strong authentication, user management, fine-grained authorization, and more.

Help and Documentation

Reporting Security Vulnerabilities

If you have found a security vulnerability, please look at the instructions on how to properly report it.

Reporting an issue

If you believe you have discovered a defect in Keycloak, please open an issue. Please remember to provide a good summary, description as well as steps to reproduce the issue.

Getting started

To run Keycloak, download the distribution from our website. Unzip and run:

bin/kc.[sh|bat] start-dev

Alternatively, you can use the Docker image by running:

docker run quay.io/keycloak/keycloak start-dev

For more details refer to the Keycloak Documentation.

Building from Source

To build from source, refer to the building and working with the code base guide.

Testing

To run tests, refer to the running tests guide.

Writing Tests

To write tests, refer to the writing tests guide.

Contributing

Before contributing to Keycloak, please read our contributing guidelines. Participation in the Keycloak project is governed by the CNCF Code of Conduct.

Other Keycloak Projects

License

keycloak-k8s-resources's People

Contributors

andreatp, stianst, vmuzikar


keycloak-k8s-resources's Issues

Can you turn on debug mode in the k8s yaml

Description

It would be great if we could get a higher log level from the operator upon deployment to k8s.

Discussion

No response

Motivation

No response

Details

No response

Removing tags and docker-images

Describe the bug

I deployed version 24.0.0 of the keycloak-operator the same day it was released, following the guide from https://www.keycloak.org/operator/installation (not using OLM). Today, when firing up the minikube cluster, I noticed that the keycloak operator was not starting up and was getting an image pullback. So I saw in Quay and the GitHub repository that the 24.0.0 release has been removed and purged.

This was quite confusing to me especially as there are release notes https://www.keycloak.org/docs/24.0.0/release_notes/ for this 24.0.0 release.

If it's a patch, perhaps a new release with 24.0.0-1? Or, in this repository, reference images by the major.minor tag?

Version

24.0.0

Expected behavior

Any old images/releases should not be deleted.

Actual behavior

Image is removed and no longer pullable

How to Reproduce?

Can't reproduce it now since you don't keep the branches and just have "releases".

Anything else?

No response

disableDefaultIngress

Describe the bug

disableDefaultIngress

My keycloak deployment:

---
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  namespace: keycloak
spec:
  instances: 1
  disableDefaultIngress: true
...
...
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "disableDefaultIngress" (class org.keycloak.operator.v2alpha1.crds.KeycloakSpec), not marked as ignorable (7 known properties: "defaultIngressDisabled", "serverConfiguration", "unsupported", "image", "instances", "hostname", "tlsSecret"])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.keycloak.operator.v2alpha1.crds.Keycloak["spec"]->org.keycloak.operator.v2alpha1.crds.KeycloakSpec["disableDefaultIngress"])

Version

18.0.0

Expected behavior

Disable Default Nginx-Ingress

Actual behavior

Error log in keycloak-operator:
(7 known properties: "defaultIngressDisabled", "serverConfiguration", "unsupported", "image", "instances", "hostname", "tlsSecret"])

How to Reproduce?

No response

Anything else?

No response

Trivy RBAC report [severity HIGH]

Describe the bug

keycloak version: 24.0.2
We did a Trivy scan on our cluster.
It reported HIGH vulnerability fixes for below roles.

  • keycloak-operator-role

[image]

In the keycloak-operator-role, the networking resource is described as below:
[image]

The networking resources like ingresses are only allowed get, list and watch.

Questions:

  1. As we can also see networking resources in the keycloakcontroller-cluster-role, are networking resources like ingresses needed at all for both the keycloakcontroller-cluster-role and the keycloak-operator-role?

  2. If yes, can we limit the verbs to get, list and watch? What could be the possible impact of it, or is it doable without breaking the service? Can it be corrected or changed in future releases?

Version

24.0.2

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Feature request: Update the readme to explain what this repository aims to achieve

Description

Feature request
Currently, the README.md is an empty page; in short, describe what this repository is about and what problems it is created to fix.

Background
I was looking to see if Keycloak has CRDs to automatically create application tokens in Kubernetes secrets, and had to go through the code to see if this repository matches that solution.

What will it fix

  • Wrong expectations
  • Clear introduction and scope of the repository

Discussion

No response

Motivation

No response

Details

No response

Add sidecar to Keycloak deployment

Description

I would like to add a sidecar container to the Keycloak deployment. Is it possible to create this sidecar with the Keycloak CR?

Discussion

No response

Motivation

No response

Details

No response

Incorrect Readiness Probe Path in dev environment

Describe the bug

I tried the following three paths for readiness probe:

  1. Health check endpoints are available at https://localhost:8443/health, https://localhost:8443/health/ready and https://localhost:8443/health/live, as defined in the official documentation https://www.keycloak.org/server/containers. Even for port 8080, that is localhost:8080/health/ready, this returned a 404.
  2. https://github.com/keycloak/keycloak-k8s-resources/blob/main/kubernetes/kubernetes.yml#L228 - returned a 404
  3. https://github.com/lukaszbudnik/keycloak-kubernetes/blob/main/keycloak.yaml#L75 - returned a 404

Kind of similar responses for all three scenarios:

sh-4.4$ curl --verbose localhost:8080/health/ready 
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /health/ready HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< content-length: 0
< 
* Connection #0 to host localhost left intact
sh-4.4$ curl --verbose localhost:8080/health/live
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /health/live HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< content-length: 0
< 
* Connection #0 to host localhost left intact

Version

Latest

Expected behavior

The readiness probe should succeed.

Does it not succeed when we run in dev mode (using start-dev)?

Can you please point out the right path for the readiness probe?

Actual behavior

Tail of events of the pod

  Normal   Started    11m                 kubelet            Started container keycloak
  Normal   Pulled     11m                 kubelet            Container image "674283286888.dkr.ecr.us-east-1.amazonaws.com/gitlab/arcesium/internal/infra/linux-compute/smtp-redirection-sidecar:0.3.0" already present on machine
  Normal   Created    11m                 kubelet            Created container smtp-redirection-sidecar
  Normal   Started    11m                 kubelet            Started container smtp-redirection-sidecar
  Warning  Unhealthy  11m (x3 over 11m)   kubelet            Readiness probe failed: HTTP probe failed with statuscode: 502
  Warning  Unhealthy  97s (x59 over 11m)  kubelet            Readiness probe failed: HTTP probe failed with statuscode: 404

How to Reproduce?

I did try hitting the path http://localhost:8080/health/ready after spinning up a container using Docker on my local machine as well, but I got a 404 again.
I have attached the deployment manifest below.

Anything else?

Deployment manifest

apiVersion: apps/v1
kind: Deployment
metadata:
  name: infra-keycloak
  labels:
    app: infra-keycloak
    app.kubernetes.io/version: 1.0.0
    monitor_deployment: "no"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: infra-keycloak
      app.kubernetes.io/name: infra-keycloak
  template:
    metadata:
      labels:
        app: infra-keycloak
        app.kubernetes.io/name: infra-keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          args: ["start-dev"]
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "admin"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: DB_ADDR
              value: dbpgsqlinfra_keycloak.shared-dev.i.ia55.net
            - name: DB_DATABASE
              value: postgres
            - name: DB_USER
              value: infra_keycloak_app
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: vault-secret-infra-keycloak-secret
                  key: secret
            - name: DB_SCHEMA
              value: public
            - name: DB_VENDOR
              value: POSTGRES
            - name: JGROUPS_DISCOVERY_PROTOCOL
              value: dns.DNS_PING
            - name: JGROUPS_DISCOVERY_PROPERTIES
              value: "dns_query=keycloak"
            - name: CACHE_OWNERS_COUNT
              value: "2"
            - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
              value: "2"
          securityContext:
            allowPrivilegeEscalation: false
            runAsGroup: 1000
            runAsUser: 1000
            runAsNonRoot: true
          ports:
            - name: jgroups
              containerPort: 7600
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080

Any suggestions to improve the deployment manifest appreciated.

Don't use version in pod selector

Describe the bug

The deployment uses the version of keycloak in the pod selector. However, this prevents an upgrade of the operator, as the pod selector is immutable:

The Deployment "keycloak-operator" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/name":"keycloak-operator", "app.kubernetes.io/version":"18.0.1"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

Version

18.0.0

Expected behavior

It should be possible to upgrade the operator using standard Kubernetes tools (kubectl apply).

Actual behavior

The operator is not upgradable.

How to Reproduce?

  • Install operator 18.0.0
  • Try to upgrade by applying the new (18.0.1) version

Anything else?

No response
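The three reports above (write verbs on networking resources flagged by Trivy, the Deployment manifest posted in the readiness-probe issue, and the version label in the operator's immutable pod selector) are all things that can be caught before `kubectl apply`. The following is an added example, not code from keycloak-k8s-resources or the Keycloak project: a small offline linter over manifests held as Python dicts. PAGE_DEPLOYMENT is a trimmed copy of the manifest posted above, OPERATOR_DEPLOYMENT mirrors the selector quoted in the "field is immutable" error, and HYPOTHETICAL_ROLE_RULES is constructed to stand in for the Role content the Trivy screenshot did not carry; the label and verb heuristics are the author's assumptions, not a reproduction of Trivy's checks.

```python
"""Offline hygiene checks for the manifests discussed in the issues above.

Added example; runs against constructed dicts, no cluster access needed.
"""
import re
from typing import Dict, List

# Environment variable names that usually carry credentials (assumed heuristic).
SENSITIVE_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN)$", re.IGNORECASE)
# Verbs beyond read-only access; "*" grants every verb.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def image_tag_is_floating(image: str) -> bool:
    """True when the image has no tag or a 'latest' tag and is not digest-pinned."""
    if "@sha256:" in image:
        return False
    ref = image.rsplit("/", 1)[-1]            # drop registry and repository path
    tag = ref.split(":", 1)[1] if ":" in ref else ""
    return tag in ("", "latest")


def lint_deployment(manifest: Dict) -> List[str]:
    """Findings for a Deployment: version label in the immutable pod selector,
    literal credentials in env, missing readinessProbe, root not forbidden,
    floating image tag."""
    findings: List[str] = []
    spec = manifest.get("spec", {})
    # spec.selector is immutable, so a version label there blocks `kubectl apply` upgrades.
    for label in spec.get("selector", {}).get("matchLabels", {}):
        if label == "version" or label.endswith("/version"):
            findings.append(f"selector uses mutable label {label!r}; upgrades will fail")
    for c in spec.get("template", {}).get("spec", {}).get("containers", []):
        name = c.get("name", "?")
        for env in c.get("env", []):
            # A literal `value` on a credential-looking variable; secretKeyRef is the fix.
            if SENSITIVE_ENV.search(env.get("name", "")) and "value" in env:
                findings.append(f"{name}: env {env['name']} is a literal value; use secretKeyRef")
        if "readinessProbe" not in c:
            findings.append(f"{name}: no readinessProbe")
        if not c.get("securityContext", {}).get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if image_tag_is_floating(c.get("image", "")):
            findings.append(f"{name}: floating image tag; pin a version or digest")
    return findings


def lint_rbac_rules(rules: List[Dict]) -> List[str]:
    """Flag rules granting write verbs on networking resources; get/list/watch passes."""
    findings: List[str] = []
    for rule in rules:
        if not ({"networking.k8s.io", "*"} & set(rule.get("apiGroups", []))):
            continue
        extra = WRITE_VERBS & set(rule.get("verbs", []))
        if extra:
            resources = ",".join(rule.get("resources", []))
            findings.append(f"{resources}: write verbs {sorted(extra)}; consider get/list/watch only")
    return findings


# Constructed samples: trimmed from the manifests on the page, not full copies.
PAGE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {
        "selector": {"matchLabels": {"app": "infra-keycloak"}},
        "template": {"spec": {"containers": [{
            "name": "keycloak",
            "image": "quay.io/keycloak/keycloak:latest",
            "env": [
                {"name": "KEYCLOAK_USER", "value": "admin"},
                {"name": "KEYCLOAK_PASSWORD", "value": "admin"},
                {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {
                    "name": "vault-secret-infra-keycloak-secret", "key": "secret"}}},
            ],
            "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
            "readinessProbe": {"httpGet": {"path": "/health/ready", "port": 8080}},
        }]}},
    },
}
OPERATOR_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"selector": {"matchLabels": {"app.kubernetes.io/name": "keycloak-operator",
                                          "app.kubernetes.io/version": "18.0.1"}},
             "template": {"spec": {"containers": []}}},
}
HYPOTHETICAL_ROLE_RULES = [  # assumed content; the real Role is not on the page
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    print("page deployment:", lint_deployment(PAGE_DEPLOYMENT))
    print("operator deployment:", lint_deployment(OPERATOR_DEPLOYMENT))
    print("role rules:", lint_rbac_rules(HYPOTHETICAL_ROLE_RULES))
```

The checks deliberately return strings rather than failing fast, so the same functions can feed a CI gate (non-empty list fails the job) or a report. Swapping the embedded dicts for `yaml.safe_load` output of real files is the only change needed to run it over a repository of manifests.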

DB configuration provided fully by a kubernetes secret

Description

Currently I need to hard-code many values in the Keycloak CRD spec like DB host, port, DB name etc. I think it would be very useful to add an option to reference a secret with all required values, like it was in the old operator for the WildFly version. This is useful in CI/CD where you can dynamically deploy instances with different databases which can be provided from outside.

Discussion

No response

Motivation

Make the deployment more dynamic in regard to DB settings.

Details

Like there is now "usernameSecret", there could also be "externalDbSecret" with only the name, where the operator can expect strictly defined keys. Another way would be adding the option to give all values for the "db" section as references to secrets or configmaps.

Provide namespace-only configuration

Description

The previous operator provided YAML files, which could be referenced directly via Kustomize, that installed the operator in the provided namespace.

This repository again provides such YAML files, but installs the operator cluster-wide, which requires ClusterRoles and impacts the full cluster.

I think it would be helpful to have the old behavior again (one namespace only), as this also seems to be the default for the OLM-based installation of the operator.

Discussion

No response

Motivation

Especially in a multi-user environment, it might be beneficial to have multiple versions of the operator confined to different namespaces.

Details

No response

Install without OLM

Description

I have not found any official install method without OLM.

I'm working with Flux for infrastructure and Argo CD for other applications. For me the best case is an official Helm chart.

The minimum I need is a stable branch I can use in Flux with a semantic version without breaking changes, and a README to tell this.

Best regards,
Patsys

Discussion

No response

Motivation

Make Keycloak Operator standard, not only usable via OLM

Details

  • Official Helm chart
  • README

Missing openshift.yml for 23.0.0 and later

Describe the bug

I'm unable to upgrade my openshift.yml-based operator to 23.0.0.

Version

22.0.5

Expected behavior

Be able to download the new openshift.yml from the repo

Actual behavior

I can't download it because it doesn't exist.

How to Reproduce?

Run the following command

wget https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/23.0.1/kubernetes/openshift.yml

And see that it gets a 404 error message.

Anything else?

I have tried to look in the changelog for any documentation on whether or not it has been deprecated.

Date, Timestamps should have long format instead of integer

Description

Attributes like lastUpdatedDate, createdTimestamp, etc. are defined as simple integers:

createdTimestamp -> https://github.com/keycloak/keycloak-k8s-resources/blob/23.0.4/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml#L112C5-L112C5
lastUpdatedDate -> https://github.com/keycloak/keycloak-k8s-resources/blob/23.0.4/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml#L45

That doesn't match the Keycloak Java model:
https://github.com/keycloak/keycloak/blob/release/23.0/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java#L40

It would be good to be consistent here and also use the OpenAPI long format (format: int64).

Discussion

No response

Motivation

No response

Details

No response

flux cd GitRepository issue on 19.0.x releases

Describe the bug

Facing this problem when setting up a GitRepository:
failed to checkout and determine revision: unable to clone 'https://github.com/keycloak/keycloak-k8s-resources': Get "https://github.com/keycloak/keycloak-k8s-resources/info/refs?service=git-upload-pack": x509: certificate is valid for ingress.local, not github.com

Since the release of version 19.0.3.

Version

19.0.3

Expected behavior

Normal downloads to a GitRepository.

Actual behavior

No response

How to Reproduce?

No response

Anything else?

Using minikube v1.22.0.
