
chore: bump netbird to 0.72.3 and keycloak to 26.6.3 #100

Merged
mikkeldamsgaard merged 2 commits into main from chore/99-96-upstream-version-bumps
Jun 11, 2026

@mikkeldamsgaard

Contributor

Summary

Folds in all 17 open autorelease upstream-update issues.

netbird

  • Bump appVersion 0.68.3 → 0.72.3. Upstream adds IPv6 overlay addressing (opt-in), MFA for embedded-IdP users, private service expose over tunnel peers, and a WebSocket relay fallback for oversized QUIC datagrams. Release-note review found no removed config options, env vars, or ports; DB migrations are automatic.
  • Bump dashboard image v2.32.4 → v2.39.0 — the dashboard release paired with server 0.72.x.

keycloak

  • Bump appVersion 26.6.1 → 26.6.3. Pure security/bugfix patch releases (~32 CVEs across 26.6.2/26.6.3, incl. session fixation, redirect-URI bypass, SSRF, refresh-token reuse); also fixes a post-realm-migration exit-code-1 bug in 26.6.x. No KC_* option, port, or endpoint changes.

Chart version fields are intentionally untouched — they are bumped by the release flow.

Closes #81, #82, #84, #85, #86, #88, #89, #90, #91, #92, #93, #94, #95, #96, #97, #98, #99

How to verify

make test        # helm lint + 349 helm-unittest tests — passing locally
dprint check     # formatting — clean
make e2e         # full suite in kind — all 9 scenarios passed locally:
                 #   netbird: sqlite, postgres, mysql, gateway, oidc-keycloak, oidc-zitadel
                 #   keycloak: dev, postgres, replicas

E2e verified peer registration, network map sync, and relay reachability on netbird 0.72.3, and all 8 Keycloak REST API checks plus multi-replica health on 26.6.3.

🤖 Generated with Claude Code

mikkeldamsgaard and others added 2 commits June 11, 2026 21:21
netbird:
- Bump appVersion 0.68.3 -> 0.72.3. Upstream adds IPv6 overlay addressing
  (opt-in), MFA for embedded-IdP users, private service expose, and a
  WebSocket relay fallback. No config options, env vars, or ports removed;
  DB migrations are automatic.
- Bump dashboard image v2.32.4 -> v2.39.0, the dashboard release paired
  with server 0.72.x.

keycloak:
- Bump appVersion 26.6.1 -> 26.6.3. Pure security/bugfix patch releases
  (~32 CVEs across 26.6.2/26.6.3); also fixes a post-migration exit-code-1
  bug in 26.6.x. No KC_* option, port, or endpoint changes.

Chart versions are intentionally untouched — they are bumped by the
release flow.

Closes #81, #82, #84, #85, #86, #88, #89, #90, #91, #92, #93, #94, #95,
#96, #97, #98, #99

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Simultaneously started replicas could not resolve each other via the
headless service until Ready, so each formed a singleton cluster and
merged late (split-brain). Cache invalidations sent during the split
window were lost, observed in CI as HTTP 403 from one replica for a
realm created via another (ISPN000517 topology-merge in the logs).

publishNotReadyAddresses: true lets JGroups DNS-PING discover peers
during startup, matching the upstream Keycloak operator's discovery
service.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@mikkeldamsgaard

Contributor Author

CI caught a real chart bug in the E2E — Keycloak: Replicas job (failed twice with the same signature): replicas booted as singleton JGroups clusters and merged late (ISPN000517 in the pod logs), so the cache invalidation for a freshly created realm was lost — client creation on the other replica returned 403. Root cause: the JGroups headless service was missing publishNotReadyAddresses: true, so peers were not DNS-resolvable until Ready. Fixed in the second commit, matching what the upstream Keycloak operator does; replicas e2e re-verified locally.
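
An added example, not code from this pull request or the chart: a check over `kubectl get svc -o json` output that flags headless Services exposing a peer-discovery port without `publishNotReadyAddresses: true`, the condition the comment above identifies as the root cause. The Service names, the namespace and port 7800 are assumptions used for the constructed sample.

```python
import json

# Constructed sample shaped like `kubectl get svc -o json` output. The names,
# namespace and port 7800 are assumptions, not values taken from the chart.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "Service",
     "metadata": {"name": "keycloak-http", "namespace": "iam"},
     "spec": {"clusterIP": "10.96.12.7", "ports": [{"port": 8080}]}},
    {"kind": "Service",
     "metadata": {"name": "keycloak-jgroups-old", "namespace": "iam"},
     "spec": {"clusterIP": "None", "ports": [{"port": 7800}]}},
    {"kind": "Service",
     "metadata": {"name": "keycloak-jgroups-fixed", "namespace": "iam"},
     "spec": {"clusterIP": "None", "publishNotReadyAddresses": True,
              "ports": [{"port": 7800}]}},
]})


def discovery_services_missing_not_ready(svc_list_json, discovery_ports=(7800,)):
    """Return namespace/name of headless Services that expose a peer-discovery
    port but publish DNS records only for Ready pods."""
    wanted = set(discovery_ports)
    findings = []
    for item in json.loads(svc_list_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("clusterIP") != "None":
            continue  # not headless: DNS returns the virtual IP, not pod IPs
        if not wanted & {p.get("port") for p in spec.get("ports", [])}:
            continue  # headless, but not used for peer discovery
        # The field defaults to false, so an absent key is also a finding.
        if spec.get("publishNotReadyAddresses") is not True:
            meta = item.get("metadata", {})
            findings.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return findings


if __name__ == "__main__":
    for name in discovery_services_missing_not_ready(SAMPLE):
        print(f"{name}: peers are not resolvable until Ready")
```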

@mikkeldamsgaard mikkeldamsgaard merged commit 8c2cf82 into main Jun 11, 2026
13 checks passed
@mikkeldamsgaard mikkeldamsgaard deleted the chore/99-96-upstream-version-bumps branch June 11, 2026 19:55
This was referenced Jun 11, 2026
mikkeldamsgaard added a commit that referenced this pull request Jun 11, 2026
Sync chart version with upstream appVersion 26.6.3 (already bumped on
main via #100).

- Security: Keycloak 26.6.1 → 26.6.3 (~32 upstream CVE fixes)
- Fixed: publishNotReadyAddresses on the JGroups headless service
  (split-brain cluster formation with simultaneous replica starts)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>