Upgrade Keycloak to 26.x in pal-e-platform #358

Open
opened 2026-05-10 01:55:10 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Infra

Lineage

Split from ldraney/pal-enterprises#6 — scoped to Keycloak upgrade in pal-e-platform and pal-e-services.

Repo

ldraney/pal-e-platform

User Story

As a platform owner
I want Keycloak upgraded to the latest 26.x stable release
So that the identity provider stays current and benefits from security patches and improvements.

Context

The cluster currently runs Keycloak 26.0.7. The target is 26.6.1, a minor bump within the 26.x line. The Keycloak upgrade guide should be reviewed for any breaking changes between 26.0 and 26.6.

| Component | Current | Target |
|---|---|---|
| Keycloak | 26.0.7 | 26.6.1 |

File Targets

Files the agent should modify or create:

  • pal-e-platform: terraform/modules/keycloak/main.tf — image tag 26.0.7 → 26.6.1
  • pal-e-services: terraform/k3s.tfvars — if any realm schema changes needed

Files the agent should NOT touch:

  • config/initializers/omniauth.rb in pal-enterprises — no client-side changes needed
  • Keycloak realm/client definitions — no client changes expected for a minor bump

Acceptance Criteria

  • When I visit the Keycloak admin console, version shows 26.6.1
  • Verify pal-enterprises login flow works after upgrade (visit /login, complete OIDC flow)
  • When I test existing westside-app and pal-e-app auth flows, they still work
  • No realm or client config regressions

Test Expectations

  • Keycloak pod starts successfully after image bump
  • Health check on Keycloak endpoint returns 200
  • OIDC discovery endpoint (/.well-known/openid-configuration) returns valid config
  • All existing OIDC clients can complete auth flows

Constraints

  • Review Keycloak upgrade guide for 26.0 → 26.6 breaking changes
  • Must not break existing OIDC clients (westside-app, westside-spa, pal-e-app, pal-enterprises)
  • Coordinate timing with any pal-enterprises deploys to avoid auth disruption

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-enterprises — project this affects
  • sop-keycloak-client-creation — Keycloak client conventions (now IaC'd)
  • ldraney/pal-enterprises#6 — parent issue (superseded)
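
The discovery-endpoint and no-regression checks listed above can be scripted. The following is an added example, not part of the original issue or the project's code. The host, realm name and both sample documents are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Fields OpenID Connect Discovery 1.0 marks REQUIRED
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def validate_discovery(doc, expected_issuer):
    """Return a list of problems found in one discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not doc.get(k)]
    issuer = doc.get("issuer", "")
    # Clients reject tokens whose issuer differs from the one they configured.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for key, value in doc.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            url = urlparse(str(value))
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{key} is not an absolute https URL: {value!r}")
    return problems

def diff_discovery(before, after):
    """Return regressions: values clients may rely on that changed or vanished."""
    regressions = []
    for key, old in before.items():
        new = after.get(key)
        if isinstance(old, list):
            lost = sorted(set(old) - set(new if isinstance(new, list) else []))
            if lost:
                regressions.append(f"{key}: no longer advertises {lost}")
        elif new != old:
            regressions.append(f"{key}: {old!r} -> {new!r}")
    return regressions

# Constructed sample data (assumed host and realm, not taken from the issue).
BASE = "https://keycloak.example.test/realms/example"
BEFORE = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
}
# Constructed post-upgrade document with two deliberate regressions.
AFTER = dict(BEFORE, issuer="http://keycloak.example.test/realms/example",
             id_token_signing_alg_values_supported=["ES256"])
if __name__ == "__main__":
    print(validate_discovery(AFTER, BASE), diff_discovery(BEFORE, AFTER))
```

In practice, `BEFORE` would be the JSON saved from `/.well-known/openid-configuration` before the image bump and `AFTER` the same endpoint fetched once the new pod is healthy.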