Upgrade Keycloak to 26.0.7

.tool-versions

@@ -0,0 +1,3 @@
+# "java 21" is an asdf alias, so that it doesn't matter which distribution (corretto, temurin, zulu, yni) is used
+# see also https://github.com/andrewthauer/asdf-alias
+java 21

config/src/main/resources/keycloak/bin/kc-with-setup.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # ========================================
 # Mostly copied from https://github.com/keycloak/keycloak/blob/main/quarkus/dist/src/main/content/bin/kc.sh
@@ -17,20 +17,22 @@ case "$(uname)" in
     FreeBSD)
         RESOLVED_NAME="$(readlink -f "$0")"
         ;;
+    OpenBSD)
+        RESOLVED_NAME="$(readlink -f "$0")"
+        JAVA_HOME="$(/usr/local/bin/javaPathHelper -h keycloak)"
+        ;;
     Linux)
         RESOLVED_NAME="$(readlink -f "$0")"
         ;;
 esac
 
-if [ "x$RESOLVED_NAME" = "x" ]; then
-    RESOLVED_NAME="$0"
-fi
+RESOLVED_NAME="${RESOLVED_NAME:-"$0"}"
 
 GREP="grep"
 DIRNAME="$(dirname "$RESOLVED_NAME")"
 
 abs_path () {
-  if [ -z $IS_CYGWIN ] ; then
+  if [ -z "$IS_CYGWIN" ] ; then
     echo "$DIRNAME/$1"
   else
     cygpath -w "$DIRNAME/$1"
@@ -40,22 +42,25 @@ abs_path () {
 SERVER_OPTS="-Dkc.home.dir='$(abs_path '..')'"
 SERVER_OPTS="$SERVER_OPTS -Djboss.server.config.dir='$(abs_path '../conf')'"
 SERVER_OPTS="$SERVER_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
+SERVER_OPTS="$SERVER_OPTS -Dpicocli.disable.closures=true"
 SERVER_OPTS="$SERVER_OPTS -Dquarkus-log-max-startup-records=10000"
-SERVER_OPTS="$SERVER_OPTS --add-opens java.base/java.lang.invoke=ALL-UNNAMED"
-CLASSPATH_OPTS="'$(abs_path "../lib/quarkus-run.jar"):$(abs_path "../lib/bootstrap/*")'"
+CLASSPATH_OPTS="'$(abs_path "../lib/quarkus-run.jar")'"
 
 DEBUG_MODE="${DEBUG:-false}"
 DEBUG_PORT="${DEBUG_PORT:-8787}"
 DEBUG_SUSPEND="${DEBUG_SUSPEND:-n}"
 
-CONFIG_ARGS=${CONFIG_ARGS:-""}
+esceval() {
+    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1 s/^/'/; $ s/$/'/"
+}
 
+PRE_BUILD=true
 while [ "$#" -gt 0 ]
 do
     case "$1" in
       --debug)
           DEBUG_MODE=true
-          if [ -n "$2" ] && [[ "$2" =~ ^[0-9]+$ ]]; then
+          if [ -n "$2" ] && expr "$2" : '[0-9]\{0,\}$' >/dev/null; then
               DEBUG_PORT=$2
               shift
           fi
@@ -65,22 +70,24 @@ do
           break
           ;;
       *)
-          if [[ $1 = --* || ! $1 =~ ^-D.* ]]; then
-            if [[ "$1" = "start-dev" ]]; then
-              CONFIG_ARGS="$CONFIG_ARGS --profile=dev $1"
-            else
-              CONFIG_ARGS="$CONFIG_ARGS $1"
-            fi
-          else
-            SERVER_OPTS="$SERVER_OPTS $1"
-          fi
+          OPT=$(esceval "$1")
+          case "$1" in
+            start-dev) CONFIG_ARGS="$CONFIG_ARGS --profile=dev $1";;
+            -D*) SERVER_OPTS="$SERVER_OPTS ${OPT}";;
+            *) case "$1" in
+                 --optimized | --help | --help-all | -h) PRE_BUILD=false;;
+                 build) if [ -z "$CONFIG_ARGS" ]; then PRE_BUILD=false; fi;;
+               esac
+               CONFIG_ARGS="$CONFIG_ARGS ${OPT}"
+               ;;
+          esac
           ;;
     esac
     shift
 done
 
-if [ "x$JAVA" = "x" ]; then
-    if [ "x$JAVA_HOME" != "x" ]; then
+if [ -z "$JAVA" ]; then
+    if [ -n "$JAVA_HOME" ]; then
         JAVA="$JAVA_HOME/bin/java"
     else
         JAVA="java"
@@ -90,36 +97,82 @@ fi
 #
 # Specify options to pass to the Java VM.
 #
-if [ "x$JAVA_OPTS" = "x" ]; then
-   JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Dfile.encoding=UTF-8"
+if [ -z "$JAVA_OPTS" ]; then
+   # The defaults set up Keycloak with '-XX:+UseG1GC -XX:MinHeapFreeRatio=40 -XX:MaxHeapFreeRatio=70 -XX:GCTimeRatio=12 -XX:AdaptiveSizePolicyWeight=10' which proved to provide a good throughput and efficiency in the total memory allocation and CPU overhead.
+   # If the memory is not used, it will be freed. See https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers for details.
+   # To optimize for large heap sizes or for throughput and better response time due to shorter GC pauses, consider ZGC and Shenandoah GC.
+   # As of KC25 and JDK17, G1GC, ZGC and Shenandoah GC seem to be eager to claim the maximum heap size. Tests showed that ZGC might need additional tuning in reclaiming dead objects.
+   JAVA_OPTS="-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseG1GC -XX:FlightRecorderOptions=stackdepth=512"
+
+   if [ -z "$JAVA_OPTS_KC_HEAP" ]; then
+      if [ "$KC_RUN_IN_CONTAINER" = "true" ]; then
+         # Maximum utilization of the heap is set to 70% of the total container memory
+         # Initial heap size is set to 50% of the total container memory in order to reduce GC executions
+         JAVA_OPTS_KC_HEAP="-XX:MaxRAMPercentage=70 -XX:MinRAMPercentage=70 -XX:InitialRAMPercentage=50"
+      else
+         JAVA_OPTS_KC_HEAP="-Xms64m -Xmx512m"
+      fi
+   else
+      echo "JAVA_OPTS_KC_HEAP already set in environment; overriding default settings"
+   fi
+
+   JAVA_OPTS="$JAVA_OPTS $JAVA_OPTS_KC_HEAP"
+
+else
+   echo "JAVA_OPTS already set in environment; overriding default settings"
+fi
+
+# See also https://github.com/wildfly/wildfly-core/blob/7e5624cf92ebe4b64a4793a8c0b2a340c0d6d363/core-feature-pack/common/src/main/resources/content/bin/common.sh#L57-L60
+if [ -z "$JAVA_ADD_OPENS" ]; then
+   JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED"
 else
-   echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
+   echo "JAVA_ADD_OPENS already set in environment; overriding default settings"
 fi
+JAVA_OPTS="$JAVA_OPTS $JAVA_ADD_OPENS"
 
-if [ "x$JAVA_OPTS_APPEND" != "x" ]; then
-  echo "Appending additional Java properties to JAVA_OPTS: $JAVA_OPTS_APPEND"
+# Set the default locale for the JVM to English to prevent locale-specific character variations
+if [ -z "$JAVA_LOCALE" ]; then
+   JAVA_LOCALE="-Duser.language=en -Duser.country=US"
+else
+   echo "JAVA_LOCALE already set in environment; overriding default settings"
+fi
+JAVA_OPTS="$JAVA_OPTS $JAVA_LOCALE"
+
+if [ -n "$JAVA_OPTS_APPEND" ]; then
+  echo "Appending additional Java properties to JAVA_OPTS"
   JAVA_OPTS="$JAVA_OPTS $JAVA_OPTS_APPEND"
 fi
 
 # Set debug settings if not already set
 if [ "$DEBUG_MODE" = "true" ]; then
     DEBUG_OPT="$(echo "$JAVA_OPTS" | $GREP "\-agentlib:jdwp")"
-    if [ "x$DEBUG_OPT" = "x" ]; then
+    if [ -z "$DEBUG_OPT" ]; then
         JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=$DEBUG_PORT,server=y,suspend=$DEBUG_SUSPEND"
     else
         echo "Debug already enabled in JAVA_OPTS, ignoring --debug argument"
     fi
 fi
 
-JAVA_RUN_OPTS="$JAVA_OPTS $SERVER_OPTS -cp $CLASSPATH_OPTS io.quarkus.bootstrap.runner.QuarkusEntryPoint ${CONFIG_ARGS#?}"
+esceval_args() {
+  while IFS= read -r entry; do
+    result="$result $(esceval "$entry")"
+  done
+  echo $result
+}
 
-if [[ (! $CONFIG_ARGS = *"--optimized"*) ]] && [[ ! "$CONFIG_ARGS" == " build"* ]] && [[ ! "$CONFIG_ARGS" == *"-h" ]] && [[ ! "$CONFIG_ARGS" == *"--help"* ]]; then
-    eval "'$JAVA'" -Dkc.config.build-and-exit=true $JAVA_RUN_OPTS
-    EXIT_CODE=$?
-    JAVA_RUN_OPTS="-Dkc.config.built=true $JAVA_RUN_OPTS"
-    if [ $EXIT_CODE != 0 ]; then
-      exit $EXIT_CODE
-    fi
+JAVA_RUN_OPTS=$(echo "$JAVA_OPTS" | xargs printf '%s\n' | esceval_args)
+
+# The property 'java.util.concurrent.ForkJoinPool.common.threadFactory' is set here, as a Java Agent or enabling JMX might initialize the factory before Quarkus can set the property in JDK21+.
+JAVA_RUN_OPTS="-Djava.util.concurrent.ForkJoinPool.common.threadFactory=io.quarkus.bootstrap.forkjoin.QuarkusForkJoinWorkerThreadFactory $JAVA_RUN_OPTS $SERVER_OPTS -cp $CLASSPATH_OPTS io.quarkus.bootstrap.runner.QuarkusEntryPoint ${CONFIG_ARGS#?}"
+
+if [ "$PRINT_ENV" = "true" ]; then
+  echo "Using JAVA_OPTS: $JAVA_OPTS"
+  echo "Using JAVA_RUN_OPTS: $JAVA_RUN_OPTS"
+fi
+
+if [ "$PRE_BUILD" = "true" ]; then
+  eval "'$JAVA'" -Dkc.config.build-and-exit=true $JAVA_RUN_OPTS || exit $?
+  JAVA_RUN_OPTS="-Dkc.config.built=true $JAVA_RUN_OPTS"
 fi
 
 eval exec "'$JAVA'" $JAVA_RUN_OPTS &

config/src/main/resources/keycloak/bin/keycloak-setup.sh

@@ -25,8 +25,8 @@ runKeycloakConfigCli() {
   java -jar "${BASEDIR}"/client/keycloak-config-cli-"${keycloak-config-cli.version}".jar \
       --keycloak.url=http://localhost:8080/ \
       --keycloak.ssl-verify=true \
-      --keycloak.user="${KEYCLOAK_ADMIN}" \
-      --keycloak.password="${KEYCLOAK_ADMIN_PASSWORD}" \
+      --keycloak.user="${KC_BOOTSTRAP_ADMIN_USERNAME}" \
+      --keycloak.password="${KC_BOOTSTRAP_ADMIN_PASSWORD}" \
       --keycloak.availability-check.enabled=true \
       --keycloak.availability-check.timeout=300s \
       --import.var-substitution.enabled=true \
@@ -44,7 +44,7 @@ runKeycloakCli() {
   fi
 
   # login to admin console
-  ${KCADM} config credentials --server http://localhost:8080 --user "${KEYCLOAK_ADMIN}" --password "${KEYCLOAK_ADMIN_PASSWORD}" --realm master ${KCADM_CONFIG}
+  ${KCADM} config credentials --server http://localhost:8080 --user "${KC_BOOTSTRAP_ADMIN_USERNAME}" --password "${KC_BOOTSTRAP_ADMIN_PASSWORD}" --realm master ${KCADM_CONFIG}
 
   # helper functions using kc admin cli
   source "${BASEDIR}"/keycloak-cli-helpers.sh

config/src/main/resources/keycloak/conf/keycloak.conf

@@ -27,6 +27,7 @@ db=postgres
 ### https://www.keycloak.org/server/features
 
 # features is a comma-separated list of features to be enabled
+features=organization
 
 # features-disabled is a comma-separated list of features to be disabled
 

container/src/main/resources/Dockerfile

@@ -30,4 +30,4 @@ RUN chmod -R g+rwx /opt/keycloak
 USER 1000
 WORKDIR /opt/keycloak
 ENTRYPOINT ["/opt/keycloak/bin/kc-with-setup.sh"]
-CMD ["start"]
+CMD ["start", "--optimized"]

container/src/test/java/sut/SystemUnderTest.java

@@ -66,7 +66,10 @@ private KeycloakCustomContainer startKeycloak(PostgreSQLContainer postgres) {
         keycloak = new KeycloakCustomContainer()
                 .withLogConsumer(new Slf4jLogConsumer(LOGGER))
                 .withNetwork(network)
-                .withEnv(Map.of("KC_DB", "postgres",
+                .withEnv(Map.of(
+                        "KC_BOOTSTRAP_ADMIN_USERNAME", "admin",
+                        "KC_BOOTSTRAP_ADMIN_PASSWORD", "admin",
+                        "KC_DB", "postgres",
                         "KC_DB_USERNAME" , postgres.getUsername(),
                         "KC_DB_PASSWORD", postgres.getPassword(),
                         "KC_DB_URL", jdbcUrl,

docker-compose/src/main/resources/keycloak.common.env

@@ -8,13 +8,13 @@
 ### Initial User
 ### https://www.keycloak.org/server/configuration
 
-### Important: change the values of KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD and move them to secrets.env
+### Important: change the values of KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD and move them to secrets.env
 
-# KEYCLOAK_ADMIN is the username of the initial admin user
-KEYCLOAK_ADMIN=admin
+# KC_BOOTSTRAP_ADMIN_USERNAME
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
 
-# KEYCLOAK_ADMIN_PASSWORD is the password of the initial admin user
-KEYCLOAK_ADMIN_PASSWORD=admin
+# KC_BOOTSTRAP_ADMIN_PASSWORD
+KC_BOOTSTRAP_ADMIN_PASSWORD=admin
 
 ###################################################################################################################
 ### Database

helm/src/generated/keycloak-custom-chart/values.yaml

@@ -22,12 +22,12 @@ keycloakx:
     relativePath: "/"
 
   extraEnv: |
-    - name: KEYCLOAK_ADMIN
+    - name: KC_BOOTSTRAP_ADMIN_USERNAME
       valueFrom:
         secretKeyRef:
           name: {{ include "keycloak.fullname" . }}-admin-creds
           key: user
-    - name: KEYCLOAK_ADMIN_PASSWORD
+    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
       valueFrom:
         secretKeyRef:
           name: {{ include "keycloak.fullname" . }}-admin-creds

helm/src/main/resources/values.yaml

@@ -22,12 +22,12 @@ keycloakx:
     relativePath: "/"
 
   extraEnv: |
-    - name: KEYCLOAK_ADMIN
+    - name: KC_BOOTSTRAP_ADMIN_USERNAME
       valueFrom:
         secretKeyRef:
           name: {{ include "keycloak.fullname" . }}-admin-creds
           key: user
-    - name: KEYCLOAK_ADMIN_PASSWORD
+    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
       valueFrom:
         secretKeyRef:
           name: {{ include "keycloak.fullname" . }}-admin-creds

themes/src/main/resources/META-INF/keycloak-themes.json

@@ -1,7 +1,7 @@
 {
   "themes": [{
     "name" : "inventage",
-    "types": [ "login", "account", "common" ]
+    "types": [ "login", "common" ]
   }, {
     "name" : "inventage.v2",
     "types": [ "account", "common" ]

themes/src/main/resources/theme/inventage.v2/account/theme.properties

@@ -5,8 +5,8 @@
 # @see https://www.patternfly.org/v4/developer-resources/global-css-variables
 # @see https://developers.google.com/web/tools/chrome-devtools/workspaces/
 
-# Inherit from keycloak.v2
-parent=keycloak.v2
+# Inherit from keycloak.v3
+parent=keycloak.v3
 
 # Make all resources under "common/resources" available across the entire theme
 #