Enable Network Policies and upgrade to Keycloak to v23.0.7

class/defaults.yml

@@ -43,7 +43,7 @@ parameters:
       keycloak:
         registry: quay.io
         repository: keycloak/keycloak
-        tag: 22.0.5
+        tag: 23.0.7
       busybox:
         registry: docker.io
         repository: busybox
@@ -261,7 +261,7 @@ parameters:
         host: ${keycloak:fqdn}
       networkPolicy:
         # Note: Do not enable when using ingress controller with hostNetwork=true.
-        enabled: false
+        enabled: true
         # Note: On Syn-managed OpenShift4 clusters there should be already NetworkPolicies that allow traffic from Ingress controller out-of-the-box.
         extraFrom:
           - podSelector:

docs/modules/ROOT/pages/how-tos/upgrade-15.x-to-16.x.adoc

@@ -0,0 +1,34 @@
+= Upgrade from v15 to v16
+
+This guide describes the steps to perform an upgrade of the component from version v15 to v16.
+
+== Breaking Changes
+
+* Network Policies are now enabled by default
+
+== Changes
+
+* The component requires Kubernetes v1.25 or newer.
+* Keycloak version is v23.0.7 by default.
+
+== Parameter changes
+
+* None
+
+== Step-by-step guide
+
+When upgrading the component, the following actions are required if the built-in database is used:
+
+. Do a backup of the built-in database.
++
+[source,bash]
+----
+instance=keycloak
+namespace=syn-${instance}
+
+kubectl -n "${namespace}" exec -ti keycloak-postgresql-0 -c postgresql -- sh -c 'PGDATABASE="$POSTGRES_DATABASE" PGUSER="$POSTGRES_USER" PGPASSWORD="$POSTGRES_PASSWORD" pg_dump --clean' > keycloak-postgresql-$(date +%F-%H-%M-%S).sql
+----
+
+. Apply the parameter changes.
+
+. Compile and push the cluster catalog.

docs/modules/ROOT/partials/nav.adoc

@@ -27,6 +27,7 @@
 * xref:how-tos/upgrade-12.x-to-13.x.adoc[Upgrade 12.x to 13.x]
 * xref:how-tos/upgrade-13.x-to-14.x.adoc[Upgrade 13.x to 14.x]
 * xref:how-tos/upgrade-14.x-to-15.x.adoc[Upgrade 14.x to 15.x]
+* xref:how-tos/upgrade-15.x-to-16.x.adoc[Upgrade 15.x to 16.x]
 * xref:how-tos/openshift-4.adoc[Install on OpenShift 4]
 * xref:how-tos/pin-versions.adoc[Pin versions]
 

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/ingress.yaml

@@ -10,7 +10,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/networkpolicy.yaml

@@ -5,7 +5,7 @@ metadata:
     app.kubernetes.io/instance: keycloakx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: keycloakx
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/prometheusrule.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/service-headless.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloakx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: keycloakx
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-headless
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/service-http.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-http
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/serviceaccount.yaml

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/servicemonitor.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-keycloakx
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-builtin
@@ -97,7 +97,7 @@ spec:
                 name: keycloak-admin-user
             - secretRef:
                 name: keycloak-postgresql
-          image: quay.io/keycloak/keycloak:22.0.5
+          image: quay.io/keycloak/keycloak:23.0.7
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/ingress.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/networkpolicy.yaml

@@ -0,0 +1,41 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: keycloakx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: keycloakx
+    app.kubernetes.io/version: 23.0.7
+    helm.sh/chart: keycloakx-2.3.0
+  name: keycloakx
+  namespace: syn-external
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: ingress-nginx
+      ports:
+        - port: 8080
+          protocol: TCP
+        - port: 8443
+          protocol: TCP
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: keycloakx
+              app.kubernetes.io/name: keycloakx
+      ports:
+        - port: 8080
+          protocol: TCP
+        - port: 8443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: keycloakx
+      app.kubernetes.io/name: keycloakx
+  policyTypes:
+    - Ingress

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/prometheusrule.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/service-headless.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloakx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: keycloakx
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-headless
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/service-http.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-http
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/serviceaccount.yaml

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/servicemonitor.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-keycloakx
   namespace: syn-external

tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: external
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-external
@@ -95,7 +95,7 @@ spec:
                 name: keycloak-admin-user
             - secretRef:
                 name: keycloak-postgresql
-          image: quay.io/keycloak/keycloak:22.0.5
+          image: quay.io/keycloak/keycloak:23.0.7
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:

tests/golden/external/external/external/01_networkpolicy_infinispan.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: external
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    name: keycloakx-infinispan
+  name: keycloakx-infinispan
+spec:
+  egress: []
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: keycloakx
+              app.kubernetes.io/name: keycloakx
+      ports:
+        - port: 7800
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: keycloakx
+      app.kubernetes.io/name: keycloakx
+  policyTypes:
+    - Ingress

tests/golden/external/external/external/40_netpol.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations: {}
+  labels:
+    name: prometheus-syn-infra-monitoring-to-keycloakx
+  name: prometheus-syn-infra-monitoring-to-keycloakx
+  namespace: syn-external
+spec:
+  egress: []
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: syn-infra-monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/component: prometheus
+      ports:
+        - port: 8080
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: keycloakx
+      app.kubernetes.io/name: keycloakx
+  policyTypes:
+    - Ingress

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/ingress.yaml

@@ -10,7 +10,7 @@ metadata:
     app.kubernetes.io/instance: openshift-postgres
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/networkpolicy.yaml

@@ -0,0 +1,41 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: keycloakx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: keycloakx
+    app.kubernetes.io/version: 23.0.7
+    helm.sh/chart: keycloakx-2.3.0
+  name: keycloakx
+  namespace: syn-openshift-postgres
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: ingress-nginx
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: ingress-nginx
+      ports:
+        - port: 8080
+          protocol: TCP
+        - port: 8443
+          protocol: TCP
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: keycloakx
+              app.kubernetes.io/name: keycloakx
+      ports:
+        - port: 8080
+          protocol: TCP
+        - port: 8443
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: keycloakx
+      app.kubernetes.io/name: keycloakx
+  policyTypes:
+    - Ingress

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/prometheusrule.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: openshift-postgres
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/service-headless.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloakx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: keycloakx
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-headless
   namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/service-http.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: openshift-postgres
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx-http
   namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/serviceaccount.yaml

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: openshift-postgres
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    app.kubernetes.io/version: 22.0.5
+    app.kubernetes.io/version: 23.0.7
     helm.sh/chart: keycloakx-2.3.0
   name: keycloakx
   namespace: syn-openshift-postgres