Keycloak upgrade
Keycloak provides authentication and identity management for the Virtana Platform. Upgrade your Keycloak deployment whenever you upgrade the Virtana Platform to 2026.6.1. This topic describes how to upgrade an existing Keycloak deployment to version 2026.6.1.
Prerequisites
Before you upgrade Keycloak to 2026.6.1, confirm that your environment meets the following requirements:
An existing Keycloak deployment.
A Kubernetes cluster with Helm 3.x installed.
Access to the Virtana Helm repository.
Valid Docker registry credentials.
A DNS record configured for the Keycloak hostname.
What's new in 2026.6.1
Version 2026.6.1 changes how the Keycloak container image is sourced. Review this change before you prepare your values file. The Keycloak container image changes from quay.io/keycloak/keycloak:26.3 to dhi.io/keycloak:26. The chart now defines this image, so you must remove any image tag override from your existing values file.
Prepare the Keycloak values file
Create a file named keycloak-values.yaml, and replace the placeholder values with your environment-specific settings. The following block defines the global environment settings, the Docker registry and admin credentials, and the Keycloak image and features.
global:
environment: "app"
machine_type: "small"
secret_source: "valuesfile"
storageClass: ""
dockerRegistryCredentials:
DOCKER_SERVER: "https://index.docker.io/v2/"
DOCKER_USERNAME: "username"
DOCKER_PASSWORD: "password"
create_tls_selfsigned_certs:
keycloak: "true"
keycloak:
HOSTNAME: <KEYCLOAK_HOSTNAME>
ADMIN_USER: "vpadmin"
ADMIN_PASSWORD: "P@ssW0rd@123"
PG_ADMIN_USER: "postgres"
PG_ADMIN_PASSWORD: "password1"
ha_enabled: false
frontend:
nodeSelector: {}
tolerations: []
keycloak:
kcFeatures: "token-exchange"
ingress_controller:
enabled: true
## Remove the following two lines if SSL is configured on the load balancer
nginx_ingress:
tlsSecretName: ops-tls-secretThe following table describes each field in the values file.
Field | Description | Default values |
|---|---|---|
| Identifies the deployment context. Use | String: |
| Sets the resource profile for all Keycloak pods. | String: |
| Controls how Kubernetes secrets are provided. | String: |
| Specifies the Kubernetes StorageClass used for persistent volume claims. If left blank, the cluster's default StorageClass is used. Set this value when your cluster has multiple StorageClasses and you need to target a specific one (for example, a high-performance SSD class for the Keycloak database). | String (optional) |
| The URL of the Docker registry from which Keycloak and supporting images are pulled. Use | String (URL) |
| The username for authenticating with the Docker registry. The chart uses this credential to create an | String |
| The password or access token for the Docker registry account. Store this value securely. Avoid committing it to source control; consider injecting it at deploy time using a secrets manager or CI/CD variable. | String (sensitive) |
| When set to | String: |
| The fully qualified domain name (FQDN) at which Keycloak is reachable, for example | String (FQDN) |
| The username for the Keycloak master-realm administrator account. Use this credential to sign in to the Keycloak Admin Console and to perform post-deployment configuration. The default value is | String |
| The password for the Keycloak administrator account. Replace the default value with a strong, unique password before deploying to a production environment. Avoid committing this value to source control. | String (sensitive) |
| The superuser account name for the PostgreSQL database that Keycloak uses as its backing store. The default value is | String |
| The password for the PostgreSQL superuser account. Replace the default value with a strong, unique password. Avoid committing this value to source control. | String (sensitive) |
| Enables or disables high-availability (HA) mode for Keycloak. When set to | Boolean: |
| Constrains Keycloak pods to nodes that match the specified labels. For example, | Map (key-value pairs) |
| Allows Keycloak pods to be scheduled on nodes that have matching taints. Use this setting when your cluster uses taints to reserve nodes for specific workloads. Leave as | Array of toleration objects |
| Enables one or more Keycloak preview or experimental features at startup. The value | String (comma-separated feature names) |
| When set to | Boolean: |
| The name of the Kubernetes TLS secret that the NGINX ingress controller uses for HTTPS termination. The default value, | String (Kubernetes secret name) |
Because the chart now defines the Keycloak image, remove any image tag override from your existing configuration. If your keycloak-values.yaml file contains the following block, delete it before you upgrade. This applies to both Helm-based deployments (keycloak-values.yaml) and OVA-based deployments (templates/keycloak-values.yaml).
keycloak:
image:
tag: xxxxDeploy the upgrade
Keycloak upgrades follow the same procedure as the initial deployment. Update the chart to the target version, then redeploy using Helm, Argo CD, or Terraform.
Before you begin, update the Helm repository and check the latest version of the virtana-repo/virtana-co-controller chart:
helm repo update helm search repo virtana-repo/virtana-co-controller
Warning
If the Helm release name was previously set to opscruise-keycloak, reuse the same release name during the upgrade. Using a different name creates a new release and can disrupt the existing deployment.
Choose one of the following deployment methods.
To upgrade Keycloak with the Helm CLI, run the following command. Replace <LATEST_VERSION> with the chart version you confirmed earlier.
helm upgrade --install virtana-keycloak virtana-repo/virtana-co-controller \ --namespace keycloak --create-namespace \ --set tags.keycloak=true -f keycloak-values.yaml \ --version <LATEST_VERSION>
To upgrade Keycloak with Argo CD, apply the following Application manifest. Replace <LATEST_VERSION> with the target chart version, and replace <contents of keycloak-values.yaml> with your prepared values file.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: virtana-keycloak
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: "https://kubernetes.default.svc"
namespace: keycloak
source:
chart: virtana-co-controller
repoURL: "https://virtana.gitlab.io/helm-charts"
targetRevision: <LATEST_VERSION> # Provide the latest chart version
helm:
releaseName: virtana-keycloak
parameters:
- name: "tags.keycloak"
value: "true"
values: |
<contents of keycloak-values.yaml>
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=trueTo upgrade Keycloak with Terraform, apply the following helm_release resource. The version value references your Helm version variable, and the templatefile block supplies your environment-specific values.
resource "helm_release" "keycloak" {
create_namespace = true
chart = "virtana-co-controller"
name = "virtana-keycloak"
namespace = "keycloak"
repository = "https://virtana.gitlab.io/helm-charts"
version = var.helm_version
timeout = 600
wait = true
values = [
templatefile("${path.module}/../charts/keycloak-values.yaml", {
docker_password = var.docker_password
docker_username = var.docker_username
keycloak_hostname = var.keycloak_hostname
keycloak_password = var.keycloak_password
keycloak_username = var.keycloak_username
db_keycloak_username = var.db_keycloak_username
db_keycloak_password = var.db_keycloak_password
})
]
set {
name = "tags.keycloak"
value = "true"
}
}Verify the upgrade
To confirm that Keycloak is available after the upgrade, complete the following steps:
In a browser, go to
https://<KEYCLOAK_HOSTNAME>:443/auth.Sign in with your Keycloak admin credentials.
If the Admin Console loads successfully, the upgrade is complete.
Use a private image registry (optional)
To pull the Keycloak image from a private registry, add the following block to keycloak-values.yaml. Replace example.io with your registry hostname.
global: image_registry: example.io