@tylerpotts
Contributor

Reference Issues or PRs

Fixes #2495

What does this implement/fix?

Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • [] New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):
    Software update for Keycloak

Documentation

  • For new features or enhancements, a corresponding PR has been opened in the documentation repository (if applicable)
    • Link to docs PR:

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

  • Deploy a cluster based on the 2025.10.1 version
  • Add a user to keycloak (to verify that there is a user to be backed up)
  • Run nebari upgrade -c <config_file> to automatically generate a backup of keycloak
  • Run nebari deploy -c <config_file> and the keycloak database will be restored to the new database

Any other comments?

@tylerpotts tylerpotts requested a review from a team as a code owner November 5, 2025 22:07
@tylerpotts tylerpotts requested review from dcmcand and marcelovilla and removed request for a team November 5, 2025 22:07
@tylerpotts tylerpotts changed the title Keycloak Upgrade [WIP] Keycloak Upgrade Nov 5, 2025
@viniciusdc
Contributor

That error is handled by us here:

def create_jupyterhub_token(note):
    session = get_jupyterhub_session()
    try:
        # Retrieve the XSRF token from session cookies
        xsrf_token = session.cookies.get("_xsrf")
    except requests.cookies.CookieConflictError:
        xsrf_token = session.cookies.get("_xsrf", path="/hub/")
    if not xsrf_token:
        raise ValueError("XSRF token not found in session cookies.")
    headers = {
        "Referer": f"https://{constants.NEBARI_HOSTNAME}/hub/token",
        "X-XSRFToken": xsrf_token,
    }

I have a feeling the client API on the newer keycloak might have moved a few settings to other places; usually, I see those XSRF errors when there is a misconfiguration within the OAuth client. We are currently passing through that stage during deployment, but it might be beneficial to update the provider as well, depending on how the API is called under the hood.

I think something else is erroring out, and it ends up being picked up by that try block. I would compare the keycloak clients configuration available on a deploy from this branch vs a current deployment to see if there is anything that pops up -- usually at the redirection URLs.

Since I see some errors with missing groups

tests/tests_deployment/test_conda_store_roles_loaded.py::test_conda_store_roles_loaded_from_keycloak[admin!namespace=analyst,developer!namespace=nebari-git-changed_scopes0] - KeyError: 'nebari-git/*'
FAILED tests/tests_deployment/test_conda_store_roles_loaded.py::test_conda_store_roles_loaded_from_keycloak[admin!namespace=analyst,developer!namespace=invalid-namespace-changed_scopes1] - KeyError: 'analyst/*'
FAILED 

@tylerpotts tylerpotts changed the title [WIP] Keycloak Upgrade Keycloak Upgrade Nov 13, 2025
@tylerpotts tylerpotts mentioned this pull request Nov 13, 2025
11 tasks
@github-project-automation github-project-automation bot moved this from New 🚦 to Changes requested 🧱 in 🪴 Nebari Project Management Nov 25, 2025
@tylerpotts tylerpotts requested a review from dcmcand November 26, 2025 18:42
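
The client-configuration comparison suggested in the review comment above, as an added example that is not part of the PR or of Nebari's code: it takes two JSON arrays of Keycloak client representations (the shape the Admin REST API returns when listing a realm's clients) and reports differences in the redirect-related fields. The hostnames, client IDs and both sample exports are constructed for illustration.

```python
import json

# Fields of a Keycloak client representation that govern the OAuth redirect
# and browser flow; a change here after an upgrade is the first thing to check.
LIST_FIELDS = ("redirectUris", "webOrigins")
SCALAR_FIELDS = ("rootUrl", "baseUrl", "publicClient", "standardFlowEnabled")


def index_clients(export_json):
    """Map clientId -> client dict from a JSON array of client representations."""
    return {c["clientId"]: c for c in json.loads(export_json)}


def diff_clients(old_json, new_json):
    """Return (clientId, field, old, new) tuples, ordered by clientId."""
    old, new = index_clients(old_json), index_clients(new_json)
    findings = []
    for cid in sorted(old.keys() | new.keys()):
        if cid not in old or cid not in new:
            findings.append((cid, "<client>", cid in old, cid in new))
            continue
        for f in LIST_FIELDS:  # order of URIs is irrelevant, compare as sets
            a, b = set(old[cid].get(f) or []), set(new[cid].get(f) or [])
            if a != b:
                findings.append((cid, f, sorted(a), sorted(b)))
        for f in SCALAR_FIELDS:
            if old[cid].get(f) != new[cid].get(f):
                findings.append((cid, f, old[cid].get(f), new[cid].get(f)))
    return findings


# Constructed sample exports (assumed names, not taken from a real deployment).
OLD = json.dumps([
    {"clientId": "jupyterhub", "rootUrl": "https://nebari.example",
     "redirectUris": ["https://nebari.example/hub/oauth_callback"],
     "webOrigins": ["https://nebari.example"], "standardFlowEnabled": True},
    {"clientId": "conda_store",
     "redirectUris": ["https://nebari.example/conda-store/oauth_callback"]},
])
NEW = json.dumps([
    {"clientId": "jupyterhub", "rootUrl": "https://nebari.example",
     "redirectUris": ["https://nebari.example/hub/oauth_callback/"],
     "webOrigins": [], "standardFlowEnabled": True},
])

if __name__ == "__main__":
    for finding in diff_clients(OLD, NEW):
        print(finding)
```

A client that exists on only one side is reported with the pseudo-field `<client>` and two booleans (present in old, present in new).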
Development

Successfully merging this pull request may close these issues.

[ENH] - Upgrade Keycloak to 20.0.4