linode · merll · Aug 25, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 7, 2025
@@ -160,8 +160,8 @@ appsInfo:
       options:
         - Click 'I understand' to continue using Jaeger dashboard
   keycloak:
-    title: Keycloak Operator
-    appVersion: 26.2.4
+    title: Keycloak
+    appVersion: 26.3.2
     repo: https://github.com/keycloak/keycloak
     maintainers: Keycloak
     relatedLinks:

@@ -47,7 +47,7 @@ dependencies:
     version: 2.46.0
     repository: https://jaegertracing.github.io/helm-charts
   - name: keycloak
-    version: 24.7.1
+    version: 24.9.0
     repository: https://charts.bitnami.com/bitnami
   - name: kiali-operator
     version: 2.10.0

@@ -2,13 +2,13 @@ annotations:
   category: DeveloperTools
   images: |
     - name: keycloak
-      image: docker.io/bitnami/keycloak:26.2.4-debian-12-r0
+      image: docker.io/bitnami/keycloak:26.3.2-debian-12-r0
     - name: keycloak-config-cli
-      image: docker.io/bitnami/keycloak-config-cli:6.4.0-debian-12-r6
+      image: docker.io/bitnami/keycloak-config-cli:6.4.0-debian-12-r10
   licenses: Apache-2.0
   tanzuCategory: application
 apiVersion: v2
-appVersion: 26.2.4
+appVersion: 26.3.2
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -33,4 +33,4 @@ maintainers:
 name: keycloak
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/keycloak
-version: 24.7.1
+version: 24.9.0
@@ -16,6 +16,17 @@ helm install my-release oci://registry-1.docker.io/bitnamicharts/keycloak
 
 Looking to use Keycloak in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
 
+## ⚠️ Important Notice: Upcoming changes to the Bitnami Catalog
+
+Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new [Bitnami Secure Images initiative](https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications). As part of this transition:
+
+- Granting community users access for the first time to security-optimized versions of popular container images.
+- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes
+- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
+- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support.
+
+These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the [Bitnami Secure Images announcement](https://github.com/bitnami/containers/issues/83267).
+
 ## Introduction
 
 Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
@@ -95,6 +106,7 @@ externalDatabase.user=myuser
 externalDatabase.password=mypassword
 externalDatabase.database=mydatabase
 externalDatabase.port=5432
+externalDatabase.schema=public
 ```
 
 > NOTE: Only PostgreSQL database server is supported as external database
@@ -504,7 +516,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `service.headless.annotations`          | Annotations for the headless service.                                                                                            | `{}`                     |
 | `service.headless.extraPorts`           | Extra ports to expose on Keycloak headless service                                                                               | `[]`                     |
 | `ingress.enabled`                       | Enable ingress record generation for Keycloak                                                                                    | `false`                  |
-| `ingress.ingressClassName`              | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)                                                    | `""`                     |
+| `ingress.ingressClassName`              | IngressClass that will be be used to implement the Ingress (evaluated as template) (Kubernetes 1.18+)                            | `""`                     |
 | `ingress.pathType`                      | Ingress path type                                                                                                                | `ImplementationSpecific` |
 | `ingress.apiVersion`                    | Force Ingress API version (automatically detected if not set)                                                                    | `""`                     |
 | `ingress.controller`                    | The ingress controller type. Currently supports `default` and `gce`                                                              | `default`                |
@@ -522,7 +534,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `ingress.secrets`                       | If you're providing your own certificates, please use this to add the certificates as secrets                                    | `[]`                     |
 | `ingress.extraRules`                    | Additional rules to be covered with this ingress record                                                                          | `[]`                     |
 | `adminIngress.enabled`                  | Enable admin ingress record generation for Keycloak                                                                              | `false`                  |
-| `adminIngress.ingressClassName`         | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)                                                    | `""`                     |
+| `adminIngress.ingressClassName`         | IngressClass that will be be used to implement the Ingress (evaluated as template) (Kubernetes 1.18+)                            | `""`                     |
 | `adminIngress.pathType`                 | Ingress path type                                                                                                                | `ImplementationSpecific` |
 | `adminIngress.apiVersion`               | Force Ingress API version (automatically detected if not set)                                                                    | `""`                     |
 | `adminIngress.controller`               | The ingress controller type. Currently supports `default` and `gce`                                                              | `default`                |
@@ -676,6 +688,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `externalDatabase.user`                      | Non-root username for Keycloak                                                                                    | `bn_keycloak`      |
 | `externalDatabase.password`                  | Password for the non-root username for Keycloak                                                                   | `""`               |
 | `externalDatabase.database`                  | Keycloak database name                                                                                            | `bitnami_keycloak` |
+| `externalDatabase.schema`                    | Keycloak database schema                                                                                          | `public`           |
 | `externalDatabase.existingSecret`            | Name of an existing secret resource containing the database credentials                                           | `""`               |
 | `externalDatabase.existingSecretHostKey`     | Name of an existing secret key containing the database host name                                                  | `""`               |
 | `externalDatabase.existingSecretPortKey`     | Name of an existing secret key containing the database port                                                       | `""`               |

@@ -2,7 +2,9 @@ CHART NAME: {{ .Chart.Name }}
 CHART VERSION: {{ .Chart.Version }}
 APP VERSION: {{ .Chart.AppVersion }}
 
-Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.
+⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
+    Subscribe to Bitnami Secure Images to receive continued support and security updates.
+    More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267
 
 ** Please be patient while the chart is being deployed **
 

@@ -130,6 +130,13 @@ Return the Database database name
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the Database port
+*/}}
+{{- define "keycloak.databaseSchema" -}}
+{{- ternary "public" (tpl (.Values.externalDatabase.schema | toString) $) .Values.postgresql.enabled | quote -}}
+{{- end -}}
+
 {{/*
 Return the Database user
 */}}

@@ -18,7 +18,7 @@ metadata:
   {{- end }}
 spec:
   {{- if .Values.adminIngress.ingressClassName }}
-  ingressClassName: {{ .Values.adminIngress.ingressClassName | quote }}
+  ingressClassName: {{ include "common.tplvalues.render" ( dict "value" .Values.adminIngress.ingressClassName "context" $ ) | quote }}
   {{- end }}
   rules:
     {{- if .Values.adminIngress.hostname }}

@@ -60,6 +60,7 @@ data:
   {{- if not .Values.externalDatabase.existingSecretDatabaseKey }}
   KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
   {{- end }}
+  KEYCLOAK_DATABASE_SCHEMA: {{ include "keycloak.databaseSchema" . }}
   {{- if not .Values.externalDatabase.existingSecretUserKey }}
   KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
   {{- end }}

@@ -18,7 +18,7 @@ metadata:
   {{- end }}
 spec:
   {{- if .Values.ingress.ingressClassName }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  ingressClassName: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.ingressClassName "context" $ ) | quote }}
   {{- end }}
   rules:
     {{- if .Values.ingress.hostname }}

@@ -111,7 +111,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/keycloak
-  tag: 26.2.4-debian-12-r0
+  tag: 26.3.2-debian-12-r0
   digest: ""
   ## Specify a imagePullPolicy
   ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -620,7 +620,7 @@ ingress:
   ## @param ingress.enabled Enable ingress record generation for Keycloak
   ##
   enabled: false
-  ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+  ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (evaluated as template) (Kubernetes 1.18+)
   ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
   ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
   ##
@@ -737,7 +737,7 @@ adminIngress:
   ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak
   ##
   enabled: false
-  ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+  ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (evaluated as template) (Kubernetes 1.18+)
   ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
   ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
   ##
@@ -1135,7 +1135,7 @@ keycloakConfigCli:
   image:
     registry: docker.io
     repository: bitnami/keycloak-config-cli
-    tag: 6.4.0-debian-12-r6
+    tag: 6.4.0-debian-12-r10
     digest: ""
     ## Specify a imagePullPolicy
     ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1353,6 +1353,7 @@ postgresql:
 ## @param externalDatabase.user Non-root username for Keycloak
 ## @param externalDatabase.password Password for the non-root username for Keycloak
 ## @param externalDatabase.database Keycloak database name
+## @param externalDatabase.schema Keycloak database schema
 ## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
 ## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name
 ## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port
@@ -1366,6 +1367,7 @@ externalDatabase:
   port: 5432
   user: bn_keycloak
   database: bitnami_keycloak
+  schema: public
   password: ""
   existingSecret: ""
   existingSecretHostKey: ""