[TASK] Upgrade to Keycloak v22 for 8.3 release

[jessesimpson36]

Describe the use case:

Our identity team decided to support different versions of keycloak, and this ticket is to track items related to that for 8.3

From Dimitri:

For new minor releases we will add support for the last two versions, so in 8.3 these will be 22 and 21 - we will drop support for any older versions. Right now we do not plan to add/remove supported versions in patch releases, so 8.2.x will stay as it is (16-21)

Describe the enhancement/feature:

Tasks

Beta Give feedback

1. Update camunda-platform-docs under Next in "Supported Environments" to list the correct versions of keycloak
2. Create an upgrade guide (or a section regarding keycloak / postgresql)
3. Update the helm chart with changes necessary to support the new keycloak version

Desired outcome and acceptance tests:

[Ben-Sheppard]

I have been aware of a couple of issues now with Keycloak returning 502 bad gateway errors. Its not always the case however what I have noticed is that the headers on the requests with Keycloak v19+ are larger and sometimes grow to be larger than the buffer size of the ingress, this then leads to the request being truncated (causing a 502 error).

Specifically with the Keycloak 22 upgrade there are two settings that should be configured, these are:

identity:
  keycloak:
    proxy: edge

and,

global:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: "64K" # I think this can be fine tuned to 16 or 32

[hisImminence]

Hi @Ben-Sheppard, thanks for the update!

It was actually JIT as I got a question to that one today in SUPPORT-18223 👏
As I get it we should see to get this into 8.3 as if not - we would need for 8.4 to include the keycloak 22 version, right?

As @jessesimpson36 is on FTO, do you know the status of this? And did you aligned with them if you are able to support on some of the task listed above, like:

• Create an upgrade guide (or a section regarding keycloak / postgresql)
• Update the helm chart with changes necessary to support the new keycloak version

🙂

[Ben-Sheppard]

Hey @hisImminence -

That is correct, the aim is for this change to be with the 8.3 release (the code has already been merged from the Identity side on the main branch so just helm to handle.

I have been speaking to @jessesimpson36 for a reasonable amount about this, and we aligned somewhat before they went away, however my aim here is to push this topic forward to ensure that the 8.3 version of helm charts is:

1. Able to support Keycloak 22
2. Supported with any upgrade steps necessary

It is possible that I will need to sync with @jessesimpson36 when they are back for some support but my intention is to own this set of changes :)

[hisImminence]

It is possible that I will need to sync with @jessesimpson36 when they are back for some support but my intention is to own this set of changes :)

That are awesome news! Thanks for the update and I am sure @jessesimpson36 will find the time to sync with you once being back 🚀

[aabouzaid]

I'm closing this issue since Keycloak v22 has been merged, and the upgrade guide will be part of docs PR:
camunda/camunda-docs#2665