From b2295586b27c8c989097efd95638aae2cc8c466f Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Mon, 4 Dec 2023 21:42:50 +0100 Subject: [PATCH 1/5] docs(v2.0.0): add upgrade approach for Keycloak and PostgreSQL --- charts/centralidp/README.md | 59 +++++++++++++++++++++++++----- charts/centralidp/README.md.gotmpl | 50 +++++++++++++++++++++---- charts/sharedidp/README.md | 41 ++++++++++++++++++--- charts/sharedidp/README.md.gotmpl | 39 +++++++++++++++++--- 4 files changed, 161 insertions(+), 28 deletions(-) diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index 7e1194b7..7b4df1b0 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md @@ -59,7 +59,7 @@ dependencies: | keycloak.extraVolumeMounts[1].name | string | `"realms"` | | | keycloak.extraVolumeMounts[1].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | -| keycloak.initContainers[0].image | string | `"tractusx/portal-iam:v2.0.0-alpha"` | | +| keycloak.initContainers[0].image | string | `"tractusx/portal-iam:pr38"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"Always"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | 
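Review bot: the `keycloak.initContainers[0].image` row in this values table now points at `tractusx/portal-iam:pr38`, a pull-request build tag, while the table documents the 2.0.0 release; together with the `imagePullPolicy: Always` row below it, the realm-import container's content changes whenever the PR image is rebuilt and leaves no reproducible reference for a later audit. Pin a released, immutable tag (or an image digest) before merge, or state in the row description that `pr38` is a temporary value for the review build.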
@@ -105,18 +105,21 @@ dependencies: | secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. | | seeding.enabled | bool | `false` | Seeding job to upgrade CX_Central realm: enable to upgrade the configuration of the CX-Central realm from previous version; Please also refer to the 'Post-Upgrade Configuration' section in the README.md for configuration possibly not covered by the seeding job | | seeding.name | string | `"cx-central-realm-upgrade"` | | -| seeding.image | string | `"tractusx/portal-iam-seeding:v1.2.0-iam"` | | +| seeding.image | string | `"tractusx/portal-iam-seeding:rc"` | | | seeding.portContainer | int | `8080` | | | seeding.authRealm | string | `"master"` | | +| seeding.useAuthTrail | string | `"true"` | | | seeding.dataPaths.dataPath0 | string | `"realms/CX-Central-realm.json"` | | | seeding.instanceName | string | `"central"` | | +| seeding.excludedUserAttributes.attribute0 | string | `"bpn"` | | +| seeding.excludedUserAttributes.attribute1 | string | `"organisation"` | | | seeding.resources | object | `{}` | We recommend not to specify default resources and to leave this as a conscious choice for the user. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
| | seeding.extraVolumes[0].name | string | `"realms"` | | | seeding.extraVolumes[0].emptyDir | object | `{}` | | | seeding.extraVolumeMounts[0].name | string | `"realms"` | | | seeding.extraVolumeMounts[0].mountPath | string | `"app/realms"` | | | seeding.initContainers[0].name | string | `"init-cx-central"` | | -| seeding.initContainers[0].image | string | `"tractusx/portal-iam:v2.0.0-alpha"` | | +| seeding.initContainers[0].image | string | `"tractusx/portal-iam:pr38"` | | | seeding.initContainers[0].imagePullPolicy | string | `"Always"` | | | seeding.initContainers[0].command[0] | string | `"sh"` | | | seeding.initContainers[0].args[0] | string | `"-c"` | | 
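Review bot: the new rows `seeding.useAuthTrail`, `seeding.excludedUserAttributes.attribute0` and `seeding.excludedUserAttributes.attribute1` have empty description cells, and `seeding.image` now uses the mutable `tractusx/portal-iam-seeding:rc` tag. As this table is rendered from values.yaml, add comments there that say what `useAuthTrail` switches on (and why it is the string `"true"` rather than a bool), and that `bpn` and `organisation` are excluded so the user attributes already present in the realm are preserved on upgrade rather than overwritten by the seed; operators need that to judge what the post-upgrade job touches. Pin the seeding image to a release tag as well.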
@@ -141,23 +144,53 @@ This is done by setting the 'example.org' placeholder in the CX-Operator' Identi ## Upgrade -Please see notes at [Values.seeding](values.yaml#L148). +Please see notes at [Values.seeding](values.yaml#L146) for upgrading the configuration of the CX-Central realm. ### To 2.0.0 -WIP as currently still in alpha phase. - This major changes from Keycloak version 16.1.1 to version 22.0.3. -Please have a look into changelog for a more detailed description. +Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. -Please be aware that this major changes the version of the PostgreSQL dependency by Bitnami from 14.2.0 to 15.4.0 (subchart updated from version 11.1.22 to 12.12.9). -The database upgrade for the subchart by Bitnami isn't supported. +#### Upgrade approach + +For the overall process of migrating from version 16.1.1 to version 22.0.3., we recommend to follow a blue-green deployment approach. In the following, you find a rough outline of the necessary steps: + +1. Scale down current the Keycloak services (blue deployment) +2. Backup the current data +3. Deploy the new Keycloak instance (green deployment e.g: `-green`, `-kc22`, ...) in another namespace than the blue instance +4. Restore the data of the blue instance to the green instance +5. Start the new Keycloak services +6. Make sure that the configuration of the CX-Central realm is upgraded by the seeding job defined as post-upgrade hook (Values.seeding.enabled) +7. 
Once the new/green instance is validated, switch the user traffic to it + +#### Upgrade PostgreSQL + +Please be aware that this major changes the version of the PostgreSQL subchart by Bitnami from 14.x.x to 15.x.x (subchart updated from version 11.x.x to 12.x.x). + +In case you are using an external PostgreSQL instance and would like to upgrade to 15.x, please follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html). + +In case you would like to upgrade the PostgreSQL subchart from Bitnami, we recommend blue-green deployment approach, like described [above](#upgrade-approach). +For restoring the data of the blue instance to the green instance (step 4), execute the following statement using [pg-dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html): + +On the cluster: + +```shell + kubectl exec -it green-postgresql-primary-0 -n green-namespace -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' + ``` + +Or on the primary pod of the new/green PostgreSQL instance: + +```shell +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +``` + +Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. ## Post-Upgrade Configuration 
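Review bot: the restore command under 'Upgrade PostgreSQL' replaces the whole of `/opt/bitnami/postgresql/conf/pg_hba.conf` with the single line `local all postgres trust` and reloads it, which drops every other host rule and leaves passwordless local superuser access in place after the copy has finished; tell the reader to save the original pg_hba.conf first and to restore it (with another `pg_ctl reload`) as soon as `pg_dumpall | psql` completes. In the same line, `export PGPASSWORD=""` is what authenticates the `-h` connection to the blue instance, so say that it has to carry the blue `postgres` password and suggest reading it from the blue release's secret rather than typing it inline, which keeps it out of shell history. Two smaller points: `10-123-45-67.blue-namespace..pod.cluster.local` in the second command has a doubled dot, and a `<dashed-ip>.<namespace>.pod.cluster.local` name resolves a pod IP, not a Service cluster IP as the closing sentence says, so either call it the pod IP or use the blue primary's Service DNS name, which survives pod restarts. Step 1, 'Scale down current the Keycloak services', should read 'Scale down the current Keycloak services'.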
@@ -234,4 +267,10 @@ The following clients and service accounts are obsolete in version 1.2.0 and can ### Upgrading from version 1.2.0 to 2.0.0 -WIP as currently still in alpha phase. +By enabling the seeding (Values.seeding.enabled), the CX-Central realm is upgraded by a job defined as a post-upgrade hook. + +As part of an optional housekeeping, the following clients are obsolete in version 2.0.0 and can be deleted: + +* Cl6-CX-DAPS (was already obsolete with v1.2.0) +* Cl20-CX-IRS +* Cl16-CX-BPDMGate-Portal diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl index 3e0344ee..af149c21 100644 --- a/charts/centralidp/README.md.gotmpl +++ b/charts/centralidp/README.md.gotmpl 
@@ -53,23 +53,53 @@ This is done by setting the 'example.org' placeholder in the CX-Operator' Identi ## Upgrade -Please see notes at [Values.seeding](values.yaml#L148). +Please see notes at [Values.seeding](values.yaml#L146) for upgrading the configuration of the CX-Central realm. ### To 2.0.0 -WIP as currently still in alpha phase. - This major changes from Keycloak version 16.1.1 to version 22.0.3. -Please have a look into changelog for a more detailed description. +Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. -Please be aware that this major changes the version of the PostgreSQL dependency by Bitnami from 14.2.0 to 15.4.0 (subchart updated from version 11.1.22 to 12.12.9). -The database upgrade for the subchart by Bitnami isn't supported. +#### Upgrade approach + +For the overall process of migrating from version 16.1.1 to version 22.0.3., we recommend to follow a blue-green deployment approach. In the following, you find a rough outline of the necessary steps: + +1. Scale down current the Keycloak services (blue deployment) +2. Backup the current data +3. Deploy the new Keycloak instance (green deployment e.g: `-green`, `-kc22`, ...) in another namespace than the blue instance +4. Restore the data of the blue instance to the green instance +5. Start the new Keycloak services +6. Make sure that the configuration of the CX-Central realm is upgraded by the seeding job defined as post-upgrade hook (Values.seeding.enabled) +7. 
Once the new/green instance is validated, switch the user traffic to it + +#### Upgrade PostgreSQL + +Please be aware that this major changes the version of the PostgreSQL subchart by Bitnami from 14.x.x to 15.x.x (subchart updated from version 11.x.x to 12.x.x). + +In case you are using an external PostgreSQL instance and would like to upgrade to 15.x, please follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html). + +In case you would like to upgrade the PostgreSQL subchart from Bitnami, we recommend blue-green deployment approach, like described [above](#upgrade-approach). +For restoring the data of the blue instance to the green instance (step 4), execute the following statement using [pg-dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html): + +On the cluster: + +```shell + kubectl exec -it green-postgresql-primary-0 -n green-namespace -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' + ``` + +Or on the primary pod of the new/green PostgreSQL instance: + +```shell +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +``` + +Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. ## Post-Upgrade Configuration 
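Review bot: this hunk is a verbatim copy of the README.md section, including the doubled dot in `blue-namespace..pod.cluster.local`, the pg_hba.conf overwrite with `local all postgres trust`, the empty `PGPASSWORD` and the 'Scale down current the' wording; if README.md is rendered from this .gotmpl with helm-docs, make the corrections here and regenerate README.md rather than hand-editing both, so the two copies cannot drift.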
@@ -146,4 +176,10 @@ The following clients and service accounts are obsolete in version 1.2.0 and can ### Upgrading from version 1.2.0 to 2.0.0 -WIP as currently still in alpha phase. +By enabling the seeding (Values.seeding.enabled), the CX-Central realm is upgraded by a job defined as a post-upgrade hook. + +As part of an optional housekeeping, the following clients are obsolete in version 2.0.0 and can be deleted: + +* Cl6-CX-DAPS (was already obsolete with v1.2.0) +* Cl20-CX-IRS +* Cl16-CX-BPDMGate-Portal diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index ee8187eb..52e73d24 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md @@ -63,7 +63,7 @@ dependencies: | keycloak.extraVolumeMounts[2].name | string | `"realms"` | | | keycloak.extraVolumeMounts[2].mountPath | string | `"/realms"` | | | keycloak.initContainers[0].name | string | `"import"` | | -| keycloak.initContainers[0].image | string | `"tractusx/portal-iam:v2.0.0-alpha"` | | +| keycloak.initContainers[0].image | string | `"tractusx/portal-iam:pr38"` | | | keycloak.initContainers[0].imagePullPolicy | string | `"Always"` | | | keycloak.initContainers[0].command[0] | string | `"sh"` | | | keycloak.initContainers[0].args[0] | string | `"-c"` | | 
@@ -138,16 +138,45 @@ Generate client-secrets for the service account with access type 'confidential'. ### To 2.0.0 -WIP as currently still in alpha phase. - This major changes from Keycloak version 16.1.1 to version 22.0.3. -Please have a look into changelog for a more detailed description. +Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. -Please be aware that this major changes the version of the PostgreSQL dependency by Bitnami from 14.2.0 to 15.4.0 (subchart updated from version 11.1.22 to 12.12.9). -The database upgrade for the subchart by Bitnami isn't supported. +#### Upgrade approach + +For the overall process of migrating from version 16.1.1 to version 22.0.3., we recommend to follow a blue-green deployment approach. In the following, you find a rough outline of the necessary steps: + +1. Scale down current the Keycloak services (blue deployment) +2. Backup the current data +3. Deploy the new Keycloak instance (green deployment e.g: `-green`, `-kc22`, ...) in another namespace than the blue instance +4. Restore the data of the blue instance to the green instance +5. Start the new Keycloak services +6. Once the new/green instance is validated, switch the user traffic to it + +#### Upgrade PostgreSQL + +Please be aware that this major changes the version of the PostgreSQL subchart by Bitnami from 14.x.x to 15.x.x (subchart updated from version 11.x.x to 12.x.x). + +In case you are using an external PostgreSQL instance and would like to upgrade to 15.x, please follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html). 
+ +In case you would like to upgrade the PostgreSQL subchart from Bitnami, we recommend blue-green deployment approach, like described [above](#upgrade-approach). +For restoring the data of the blue instance to the green instance (step 4), execute the following statement using [pg-dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html): + +On the cluster: + +```shell + kubectl exec -it green-postgresql-primary-0 -n green-namespace -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' + ``` + +Or on the primary pod of the new/green PostgreSQL instance: + +```shell +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +``` + +Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl index 3ad3c0e5..c9eb6ca1 100644 --- a/charts/sharedidp/README.md.gotmpl +++ b/charts/sharedidp/README.md.gotmpl 
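Review bot: the sharedidp copy of the restore command carries the same defects as the centralidp one: the second `-h` host name `10-123-45-67.blue-namespace..pod.cluster.local` has a doubled dot, `pg_hba.conf` is overwritten with a single `trust` line and never restored, `PGPASSWORD` is exported empty although it must hold the blue instance's `postgres` password, and the closing sentence calls a pod DNS name a cluster IP. Apply whichever wording is settled for centralidp here as well; the sharedidp step list correctly omits the seeding step, but step 2 'Backup the current data' would be clearer if it named the PostgreSQL database as what is backed up, since that is what step 4 restores.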
@@ -63,16 +63,45 @@ Generate client-secrets for the service account with access type 'confidential'. ### To 2.0.0 -WIP as currently still in alpha phase. - This major changes from Keycloak version 16.1.1 to version 22.0.3. -Please have a look into changelog for a more detailed description. +Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. -Please be aware that this major changes the version of the PostgreSQL dependency by Bitnami from 14.2.0 to 15.4.0 (subchart updated from version 11.1.22 to 12.12.9). -The database upgrade for the subchart by Bitnami isn't supported. +#### Upgrade approach + +For the overall process of migrating from version 16.1.1 to version 22.0.3., we recommend to follow a blue-green deployment approach. In the following, you find a rough outline of the necessary steps: + +1. Scale down current the Keycloak services (blue deployment) +2. Backup the current data +3. Deploy the new Keycloak instance (green deployment e.g: `-green`, `-kc22`, ...) in another namespace than the blue instance +4. Restore the data of the blue instance to the green instance +5. Start the new Keycloak services +6. Once the new/green instance is validated, switch the user traffic to it + +#### Upgrade PostgreSQL + +Please be aware that this major changes the version of the PostgreSQL subchart by Bitnami from 14.x.x to 15.x.x (subchart updated from version 11.x.x to 12.x.x). + +In case you are using an external PostgreSQL instance and would like to upgrade to 15.x, please follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html). 
+ +In case you would like to upgrade the PostgreSQL subchart from Bitnami, we recommend blue-green deployment approach, like described [above](#upgrade-approach). +For restoring the data of the blue instance to the green instance (step 4), execute the following statement using [pg-dumpall](https://www.postgresql.org/docs/current/app-pg-dumpall.html): + +On the cluster: + +```shell + kubectl exec -it green-postgresql-primary-0 -n green-namespace -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' + ``` + +Or on the primary pod of the new/green PostgreSQL instance: + +```shell +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +``` + +Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. From 4eee9ae62dd3b9e5f4390cd486e9fc071526480c Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Mon, 4 Dec 2023 21:57:45 +0100 Subject: [PATCH 2/5] chore: clean up --- charts/centralidp/README.md | 4 ++-- charts/centralidp/README.md.gotmpl | 4 ++-- charts/sharedidp/README.md | 4 ++-- charts/sharedidp/README.md.gotmpl | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/centralidp/README.md b/charts/centralidp/README.md index 7b4df1b0..f82e7d2c 100644 --- a/charts/centralidp/README.md +++ b/charts/centralidp/README.md 
@@ -152,7 +152,7 @@ This major changes from Keycloak version 16.1.1 to version 22.0.3. Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. -We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) +We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html). To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. @@ -187,7 +187,7 @@ On the cluster: Or on the primary pod of the new/green PostgreSQL instance: ```shell -/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' ``` Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. diff --git a/charts/centralidp/README.md.gotmpl b/charts/centralidp/README.md.gotmpl index af149c21..ecc9e150 100644 --- a/charts/centralidp/README.md.gotmpl +++ b/charts/centralidp/README.md.gotmpl 
@@ -61,7 +61,7 @@ This major changes from Keycloak version 16.1.1 to version 22.0.3. Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. -We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) +We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html). To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. @@ -96,7 +96,7 @@ On the cluster: Or on the primary pod of the new/green PostgreSQL instance: ```shell -/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' ``` Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. diff --git a/charts/sharedidp/README.md b/charts/sharedidp/README.md index 52e73d24..77002dcb 100644 --- a/charts/sharedidp/README.md +++ b/charts/sharedidp/README.md 
@@ -142,7 +142,7 @@ This major changes from Keycloak version 16.1.1 to version 22.0.3. Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. -We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) +We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html). To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. @@ -176,7 +176,7 @@ On the cluster: Or on the primary pod of the new/green PostgreSQL instance: ```shell -/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' ``` Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. diff --git a/charts/sharedidp/README.md.gotmpl b/charts/sharedidp/README.md.gotmpl index c9eb6ca1..100c70fc 100644 --- a/charts/sharedidp/README.md.gotmpl +++ b/charts/sharedidp/README.md.gotmpl 
@@ -67,7 +67,7 @@ This major changes from Keycloak version 16.1.1 to version 22.0.3. Please have a look at the [CHANGELOG](../../CHANGELOG.md#200) for a more detailed description. -We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html) +We also recommend checking out the [Keycloak Upgrading Guide](https://www.keycloak.org/docs/latest/upgrading/index.html). To be explicitly mentioned: this major adds the production mode with default value false and the reverse proxy mode with default value passthrough. Please check the description of those parameters and decide if they're suitable for you. @@ -101,7 +101,7 @@ On the cluster: Or on the primary pod of the new/green PostgreSQL instance: ```shell -/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace..pod.cluster.local -U postgres | psql -U postgres' +/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash -c 'export PGPASSWORD=""; echo "local all postgres trust" > /opt/bitnami/postgresql/conf/pg_hba.conf; pg_ctl reload; time pg_dumpall -c -h 10-123-45-67.blue-namespace.pod.cluster.local -U postgres | psql -U postgres' ``` Where '10-123-45-67' is the cluster IP of the old/blue PostgreSQL instance. From ccb603fb59a19fca0c517ea0c2555b84a5b2f126 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 5 Dec 2023 11:18:54 +0100 Subject: [PATCH 3/5] docs: update changelog --- CHANGELOG.md | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f094ed7..83264017 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,12 +6,12 @@ New features, fixed bugs, known defects and other noteworthy changes to each rel ### Change -* changed to v22.0.3 ([bitnami chart version: 16.1.6](https://artifacthub.io/packages/helm/bitnami/keycloak/16.1.6)) +* changed to v22.0.3 ([Bitnami chart version: 16.1.6](https://artifacthub.io/packages/helm/bitnami/keycloak/16.1.6)) * bumped chart version to to major 2.0.0 (alpha) * changed appVersion from 1.2.0 to 22.0.3 to align with Keycloak version as that's more intuitive * added production mode with default false * added reverse proxy mode with default passthrough - * removed service type: default value is ClusterIP in new bitnami chart version + * removed service type: default value is ClusterIP in new Bitnami chart version * removed proxyAddressForwarding * removed serviceDiscovery * set httpRelativePath to '/auth/', as we're migrating from 16.1.1 version which was using the trailing 'auth' @@ -34,6 +34,15 @@ New features, fixed bugs, known defects and other noteworthy changes to each rel * deleted the composite roles "App Tech User", "Connector User" and "Service Management" from client technical_roles_management * deleted clients "Cl6-CX-DAPS", "Cl20-CX-IRS" and "Cl16-CX-BPDMGate-Portal" * deleted all redirects from Cl2-CX-Portal client other than portal itself +* updated seeding job to upgrade the configuration of the CX-Central realm (centralidp) + * adjusted seeding to exclude the following properties if already existing + * firstname, lastname, email and configurable attributes for users + * idp config urls + * client urls + * smtp server settings + * added configuration to exclude bpn and organisation from user attributes while seeding + * extended seeding to seed ClientScopeMappers +* moved IAM specific documentation from [portal-assets](https://github.com/eclipse-tractusx/portal-assets) to [portal-iam](https://github.com/eclipse-tractusx/portal-iam) ### Bugfix 
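Review bot: the new seeding bullets under 'Change' list what is skipped 'if already existing' (user firstname, lastname, email and attributes, idp config urls, client urls, smtp server settings) but not where this is configured; point them at `seeding.excludedUserAttributes` in the centralidp values, where `bpn` and `organisation` are set, so operators can tell which realm values survive the upgrade and which are rewritten by the seed, because a seed that overwrote an operator's IdP URLs or SMTP settings would silently change where logins and mails go. While here, the context line 'bumped chart version to to major 2.0.0' has a doubled 'to'.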
@@ -54,6 +63,15 @@ New features, fixed bugs, known defects and other noteworthy changes to each rel * updated k8s version and version to upgrade from for helm test workflows * updated SECURITY.md +* Trivy scan: changed to no failure on high findings, as it should only fail if there is an error/misconfiguration +* Trivy and KICS scan: excluded docs directory from scan + +### Known Knowns + +The following issues were recently discovered: + +* Refresh token rotation causes page reload in frontend apps when using multiple tabs, see [User Token Lifespan](docs/consultation/workshop-20231005.md#user-token-lifespan) +* Custom login themes break when inserting HTML/CSS/JavaScript code in the IdP display name ## 1.2.0 From d667ee69e1824cf12126163e91d40336feb5787b Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 5 Dec 2023 11:21:28 +0100 Subject: [PATCH 4/5] docs: update FAQ for CX-Central config --- docs/technical documentation/11. FAQ.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/technical documentation/11. FAQ.md b/docs/technical documentation/11. FAQ.md index 6f6032e0..7bf57ad7 100644 --- a/docs/technical documentation/11. FAQ.md +++ b/docs/technical documentation/11. FAQ.md @@ -79,7 +79,7 @@ To transform the created "role" to an actual role, since currently its a single 3. Update keycloak base image -...description needed by @evelyn +The [CX-Central realm file](../../import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding. 4. Update documentation 
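Review bot: the second 'Known Knowns' entry, 'Custom login themes break when inserting HTML/CSS/JavaScript code in the IdP display name', reads as the display name being rendered into the login page without escaping; if that is what happens, the entry should say whether the value is settable only by realm admins and link a tracking issue, since unescaped markup reaching a login page is a security defect rather than only a theme defect. The Trivy entry says the workflow no longer fails on high findings; name the severities that still fail it so readers know what the gate continues to catch.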
@@ -132,9 +132,9 @@ For the scenario of sql, the relevant sql can get found below: ('(user_roles.id)', '{de}', '{description}'), ('(user_roles.id)', '{en}', '{description}'); -3. Update keycloak base image +3. Update Keycloak base image -...description needed by @evelyn +The [CX-Central realm file](../../import/realm-config/generic/catenax-central/CX-Central-realm.json) needs to be updated with role changes (export from Keycloak) to provide the configuration in the init container for the realm import and seeding. 4. Update documentation From 525be56919c25f03139946335db22dbf7d2822f6 Mon Sep 17 00:00:00 2001 From: Evelyn Gurschler Date: Tue, 5 Dec 2023 11:21:35 +0100 Subject: [PATCH 5/5] chore: clean up --- docs/technical documentation/12. Upgrade Details.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/technical documentation/12. Upgrade Details.md b/docs/technical documentation/12. Upgrade Details.md index 0b854750..4f973d1c 100644 --- a/docs/technical documentation/12. Upgrade Details.md +++ b/docs/technical documentation/12. Upgrade Details.md @@ -5,7 +5,7 @@ ## Summary -This document describes the keycloak database changes and its impact on transactional data. Depending on the impact, possible risks/impediments on upgrades as well as mitigation plans are described. +This document describes the Keycloak database changes and its impact on transactional data. Depending on the impact, possible risks/impediments on upgrades as well as mitigation plans are described. Each section includes the respective change details, impact on existing data and the respective release with which the change is getting active. ### v1.7.0
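Review bot: the sentence added in both hunks tells the reader to update `CX-Central-realm.json` from a Keycloak export but not which export; a full realm export via `kc.sh export` contains client secrets and credentials, while the admin console's partial export masks them, so state which one is meant and that the JSON must be checked for secrets before it is committed, given that this file is shipped in the init container image. The second hunk also capitalises the heading to 'Update Keycloak base image' while the first hunk leaves 'Update keycloak base image' unchanged; make both consistent.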