Update outdated keycloak container upstream

[jmontleon]

We're currently using keycloak 18.0.2-legacy. This image hasn't been updated in 9 months. It looks like the last legacy version was 19.0.3 which was only update 5 months ago.

If we need to do something so we can get on a current non-legacy release we should do it so we're not using outdated and potentially vulnerable releases of keycloak.

[rromannissen]

@jmontleon is this still a valid concern now that Keycloak is no longer deployed/managed by the Konveyor operator?

[sjd78]

@jmontleon is this still a valid concern now that Keycloak is no longer deployed/managed by the Konveyor operator?

While researching for #166, and looking through the operator's main ansible task, the operator still very much controls a keycloak deployment when auth is enabled. Different permutations of the feature_auth_type and app_profile variables, cause auth can be deployed in different ways. With auth enabled, the operator will manage a keycloak deployment or a RHSSO custom resource.

Under the default auth enabled upstream circumstances, a keycloak container is deployed:

• https://github.com/konveyor/operator/blob/a96f97d87e9d968a3f5562e8700a72e836eae823/roles/tackle/tasks/main.yml#L179-L190
• https://github.com/konveyor/operator/blob/main/roles/tackle/templates/deployment-keycloak-sso.yml.j2

If the app_profile is set to "mta", a RHSSO CR is deployed:

• https://github.com/konveyor/operator/blob/a96f97d87e9d968a3f5562e8700a72e836eae823/roles/tackle/tasks/main.yml#L192-L273
• https://github.com/konveyor/operator/blob/main/roles/tackle/templates/customresource-rhsso-keycloak.yml.j2

IMHO, the app_profile konveyor keycloak version and the app_profile mta RHSSO reference should try to match up as best we can so the hub and ui sso functions have the best chance of working in both deployment configurations.

[sjd78]

Some extra info...

• Red Hat SSO 7.6 is based on Keycloak 18! (see component details)
• RHSSO 7.6 is in maintenance support until June 2025 (see lifecycle page) and nothing shows up as coming up next
• Looks like RHSSO is being replaced with https://access.redhat.com/products/red-hat-build-of-keycloak/ which has a new release tracking keycloak releases every 6 months(ish)

[sjd78]

cc: @ibolton336 , @dymurray

[shawn-hurley]

I think that we need to add a discussion about this to the community call.

Things that I think we need to consider:

1. We don't want to work without some authorization system. It will be hard for users to use the project if they can't protect it with at least authorization.
2. We currently (AFAIK) hard code and set up a Realm in the hub. I wonder if there is a way to do this so that users can set up the RBAC in other systems to be used.

I think that upstream, we should endeavor to work with popular tools like https://auth0.com and delegate to a k8s cluster if they have that set up already.