Upgrade rhbk-operator to stable-v26.4#1775
openshift-merge-bot[bot] merged 1 commit into redhat-appstudio:main
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
Updated the Keycloak operator subscription channel in the Helm chart values from
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@installer/charts/tssc-subscriptions/values.yaml`:
- Line 20: Update the subscription channel value (the channel key in
values.yaml) to stable-v26.4 and, instead of auto-applying the operator upgrade,
ensure the OLM subscription is set to manual approval and annotated/documented
so upgrades require human confirmation; before changing the deployed operator
also take a full database backup and test the upgrade in a non-prod environment,
then apply the intermediate upgrade steps (v24→v26.0, v26.0→v26.2, v26.2→v26.4)
and update Keycloak CRs to handle the breaking changes (explicit OIDC acr_values
forwarding, hostname/proxy defaults, Infinispan marshalling/cache clearing, DB
index recreation on CLIENT_ATTRIBUTES/GROUP_ATTRIBUTE, and SAML
SubjectConfirmationData validation), and document the deploy error that
triggered this change and verify the fix with v26.4 prior to production rollout.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: e96f7e1d-1ca7-4a68-ab37-fed2c3f75119
📒 Files selected for processing (1)
installer/charts/tssc-subscriptions/values.yaml
| namespace: rhbk-operator | ||
| name: rhbk-operator | ||
| channel: stable-v24 | ||
| channel: stable-v26.4 |
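Review bot: `channel: stable-v26.4` moves the rhbk-operator subscription from stable-v24 across a major version in a single step, and nothing in these lines shows how the resulting install plan is approved. Confirm that the subscription's approval mode is set deliberately for this jump, and record the deploy error being fixed and the environment where v26.4 was verified in the commit message or in a comment beside the channel value.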
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check if the stable-v26.4 channel exists in the Red Hat operator catalog
echo "Searching for rhbk-operator channel information..."
rg -i "rhbk.*operator.*channel.*v26" --type yaml -C 3
echo -e "\nChecking for any operator catalog or package manifest references..."
fd -e yaml -e json | xargs rg -l "rhbk-operator" | head -20
Repository: redhat-appstudio/tssc-cli
Length of output: 236
🏁 Script executed:
#!/bin/bash
# Description: Look for documentation about Keycloak operator upgrades
echo "Searching for upgrade or migration documentation..."
fd -e md -e txt README CHANGELOG UPGRADE MIGRATION | xargs rg -i "keycloak.*upgrade|migration.*guide" -C 2
echo -e "\nSearching for version references in documentation..."
fd -e md | xargs rg -i "stable-v2[456]|keycloak.*operator.*v2[456]" -C 2
Repository: redhat-appstudio/tssc-cli
Length of output: 3681
🌐 Web query:
Red Hat Build of Keycloak operator stable-v26.4 channel release notes breaking changes upgrade from v24
💡 Result:
The Red Hat Build of Keycloak Operator's stable-v26.4 channel corresponds to Red Hat build of Keycloak 26.4 (including patches like 26.4.10). Specific Operator release notes are integrated into the main Red Hat build of Keycloak 26.4 Release Notes and Upgrading Guide. No separate Operator-only release notes were found; Operator changes are documented in context of server upgrades.
Key breaking changes relevant for Operator-managed upgrades from v24 (likely stable-v24.x channel, Keycloak 24.y):
From Upgrading Guide (26.2.x to 26.4):
- 26.4.10: SAML broker/adapter checks SubjectConfirmationData for bearer type (may require IdP config changes if issues arise).
- 26.4.4: Only normalized paths accepted in requests (double dots .. or slashes // rejected; set http-accept-non-normalized-paths=true to revert).
- 26.4.2: acr_values not auto-forwarded to OIDC IdPs (explicitly configure mapping if needed); re-created indexes on CLIENT_ATTRIBUTES/GROUP_ATTRIBUTE tables (may affect EDB).
Operator-specific notable changes (not breaking, but upgrade-impacting):
- Default affinity changed to include topology spread constraints for zones/nodes (improves availability).
- Operator creates ServiceMonitor automatically for metrics (disable via CR if unwanted).
- Rolling updates extended to future patch releases (enable via features: rolling-updates:v2).
- Deploys across multiple AZs by default (renamed multi-site to multi-cluster).
- Default cache stack now jdbc-ping (kubernetes stack deprecated).
For full upgrade path from v24, review intermediate Upgrading Guides (24->26.0, 26.0->26.2, 26.2->26.4) as major changes like Infinispan marshalling (caches cleared) and hostname/proxy defaults apply. Use manual OLM approval; backup DB before upgrade. See Operator Guide for CR config (e.g., update strategy: Rolling vs Recreate).
Sources: Official Red Hat docs (Release Notes, Upgrading Guide, Operator Guide for 26.4).
Citations:
- 1: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html-single/release_notes/index
- 2: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html-single/release_notes/
- 3: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html-single/operator_guide/
- 4: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/pdf/release_notes/Red_Hat_build_of_Keycloak-26.4-Release_Notes-en-US.pdf
- 5: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/pdf/upgrading_guide/Red_Hat_build_of_Keycloak-26.4-Upgrading_Guide-en-US.pdf
- 6: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html/upgrading_guide/migration-changes
- 7: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html-single/upgrading_guide/index
- 8: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.4/html-single/operator_guide/index
- 9: https://www.fluxcd.io
- 10: https://artifacthub.io/packages/olm/community-operators/keycloak-operator/26.4.4
Address breaking changes in the Keycloak Operator v24 to v26.4 upgrade.
The upgrade from stable-v24 to stable-v26.4 introduces several significant breaking changes that require configuration updates and operational care:
Breaking changes identified:
- Path normalization (v26.4.4): Double dots (`..`) and double slashes (`//`) are now rejected in requests
- OIDC acr_values behavior (v26.4.2): No longer automatically forwarded to IdPs; requires explicit configuration
- Database changes: Index recreation on `CLIENT_ATTRIBUTES` and `GROUP_ATTRIBUTE` tables
- Infinispan marshalling changes clear existing caches
- Hostname and proxy defaults have changed
- SAML broker/adapter now validates SubjectConfirmationData bearer type
Critical operational requirements:
- Database backup is required before upgrade (due to index recreation and cache clearing)
- Manual OLM approval is required for the subscription update
- Existing Keycloak instances may require CR updates to remain compatible
- Review the intermediate upgrade guides (v24→v26.0, v26.0→v26.2, v26.2→v26.4) for comprehensive migration steps
- Operator-level changes include default affinity topology spread constraints and ServiceMonitor creation
Test this upgrade in a non-production environment first. Document the specific deploy error that prompted this change and verify the solution with v26.4 before production deployment.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@installer/charts/tssc-subscriptions/values.yaml` at line 20, Update the
subscription channel value (the channel key in values.yaml) to stable-v26.4 and,
instead of auto-applying the operator upgrade, ensure the OLM subscription is
set to manual approval and annotated/documented so upgrades require human
confirmation; before changing the deployed operator also take a full database
backup and test the upgrade in a non-prod environment, then apply the
intermediate upgrade steps (v24→v26.0, v26.0→v26.2, v26.2→v26.4) and update
Keycloak CRs to handle the breaking changes (explicit OIDC acr_values
forwarding, hostname/proxy defaults, Infinispan marshalling/cache clearing, DB
index recreation on CLIENT_ATTRIBUTES/GROUP_ATTRIBUTE, and SAML
SubjectConfirmationData validation), and document the deploy error that
triggered this change and verify the fix with v26.4 prior to production rollout.
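A pre-upgrade check for the path normalization change listed in the review above, as an added example that is not part of the PR or of CodeRabbit's output: it scans access-log lines for request paths containing a `..` segment or `//`, which the review says 26.4.4 rejects. The log format, the sample lines and the function names are assumptions, and only literal (not percent-encoded) sequences are matched.

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /realms/demo/.well-known/openid-configuration HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "POST /realms/demo//protocol/openid-connect/token HTTP/1.1" 200 1800
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /resources/../realms/demo/account HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "POST /realms/demo//protocol/openid-connect/token HTTP/1.1" 200 1800
10.0.0.5 - - [01/Jan/2025:10:00:11 +0000] "GET /realms/demo/account?redirect=https://app.example/cb HTTP/1.1" 200 700
"""

# Assumed log layout: client address first, request line in double quotes.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def non_normalized_reason(target):
    """Return why a request target is non-normalized, or None if it is fine."""
    path = target.split("?", 1)[0]  # '//' inside a query value (a redirect URL) is fine
    segments = path.split("/")[1:]  # drop the empty string before the leading '/'
    if ".." in segments:
        return "dot-dot segment"
    if "" in segments[:-1]:  # empty segment that is not just a trailing slash
        return "double slash"
    return None


def scan(log_text):
    """Count requests per (client, method, path, reason) that the stricter check would reject."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        reason = non_normalized_reason(m["target"])
        if reason:
            path = m["target"].split("?", 1)[0]
            hits[(m["client"], m["method"], path, reason)] += 1
    return hits


if __name__ == "__main__":
    for (client, method, path, reason), count in scan(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {client}  {method} {path}  ({reason})")
```

Clients that show up here need fixing before the channel change reaches them; the `http-accept-non-normalized-paths=true` setting named in the review is the fallback if they cannot be fixed in time.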
/retest
/retest
/retest
/retest
bf58c59 to ee4923c
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: lingyzhuang, Roming22
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
c1c1bb7 into redhat-appstudio:main



Fix deploy error in Red Hat OpenShift Container Platform Cluster (Multi-Cloud) cluster.