mod-scheduler - Backport Keycloak 26.x to Quesnelia
Description
CSP Request Details
Due to several high severity security vulnerabilities, we need to backport the upgrade to Keycloak 26 to Quesnelia.
The umbrella CSP request has been approved: https://folio-org.atlassian.net/browse/KEYCLOAK-37
CSP Rejection Details
None
Potential Workaround
None
Assignee: Pavel Filippov
Reporter: Craig McNally
Priority:
Story Points: 0
Sprint: None
Development Team: Eureka
Fix versions / Release: Quesnelia (R1 2024) Service Patch #10
RCA Group: TBD
CSP Approved: Yes
Created January 23, 2025 at 1:18 PM
Updated February 21, 2025 at 1:42 PM
Resolved February 4, 2025 at 5:35 PM
Overview
Upgrade to Keycloak v26.0.X.
See:
https://www.keycloak.org/2024/10/keycloak-2600-released and https://www.keycloak.org/docs/latest/upgrading/index.html#migration-changes
https://www.keycloak.org/2024/10/keycloak-2601-released
https://www.keycloak.org/2024/10/keycloak-2602-released
(There was no 26.0.3)
https://www.keycloak.org/2024/10/keycloak-2604-released
https://www.keycloak.org/2024/11/keycloak-2605-released
https://www.keycloak.org/2024/11/keycloak-2606-released
https://www.keycloak.org/2024/12/keycloak-2607-released
From the release notes:
Java 21 support: Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.
Java 17 support is deprecated: OpenJDK 17 support is deprecated in Keycloak, and will be removed in a following release in favor of OpenJDK 21.
Also:
BouncyCastle FIPS updated: Our FIPS 140-2 integration is now tested and supported with version 2 of BouncyCastle FIPS libraries. This version is certified with Java 21. If you use FIPS 140-2 integration, it is recommended to upgrade BouncyCastle FIPS library to the versions mentioned in the latest documentation. The BouncyCastle FIPS version 2 is certified with FIPS 140-3. So Keycloak can be FIPS 140-3 compliant as long as it is used on the FIPS 140-3 compliant system. This might be the RHEL 9 based system, which itself is compliant with the FIPS 140-3. But note that RHEL 8 based system is only certified for the FIPS 140-2.
Scope
Upgrade folio-keycloak base image
Work with devops / QA to ensure we haven’t introduced any regressions/problems.
Including with custom themes and plugins/extensions (e.g. for automatic IdP link creation)
Upgrade Keycloak client version where applicable? (e.g. mgr-*, sidecar, mod-*-keycloak, etc.)
Q: should we put this in scope of this task? Create one Jira to update the clients? Create distinct JIRAs for each affected component?
Acceptance Criteria
A new folio-keycloak image based on Keycloak 26.x has been built and is available
QA has run at least smoke tests against an environment running the new image (e.g. etesting-snapshot).