Upgrading Keycloak to 16.1.0 is not straightforward; it requires manual work, especially if you’re behind an nginx proxy or another reverse proxy.
The documentation has some vague hints that send you to dead ends.
I wrote a little upgrade script for my Keycloak upgrades:
```bash
#!/usr/bin/env bash
# Upgrade helper for a Keycloak install that uses a PostgreSQL datasource.
# Stop on the first failed step instead of continuing with a partial install.
set -euo pipefail

OLD=15.1.0
NEW=16.1.0
OLDPATH="$HOME/keycloak-$OLD"
NEWPATH="$HOME/keycloak-$NEW"

cd "$HOME"
wget "https://github.com/keycloak/keycloak/releases/download/$NEW/keycloak-$NEW.tar.gz"
tar xvf "keycloak-$NEW.tar.gz"

# Carry the PostgreSQL JDBC module over to the new install.
mkdir -p "$NEWPATH/modules/system/layers/base/org/postgresql/jdbc/main"
cp -a "$OLDPATH"/modules/system/layers/base/org/postgresql/jdbc/main/* "$NEWPATH/modules/system/layers/base/org/postgresql/jdbc/main/"

# Copy the old standalone directory and run the bundled migration CLI script.
cp -a "$OLDPATH"/standalone/* "$NEWPATH/standalone/"
cd "$NEWPATH"
bin/jboss-cli.sh --file=bin/migrate-standalone.cli

echo -e "Next steps:\nnano -w /etc/systemd/system/keycloak.service && systemctl daemon-reload && systemctl restart keycloak.service\n\n"
```
As you can see, this is for Keycloak with a PostgreSQL datasource.
Now, since they don’t provide an upgrade script anymore, you have to manually edit the standalone.xml file in standalone/configuration/standalone.xml.
Since I’m using a non-standard port, I have to edit the port numbers for http & https:
```xml
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <!-- proxy-address-forwarding="true": use the X-Forwarded-* headers set by the reverse proxy -->
        <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker http-authentication-factory="application-http-authentication"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
    </application-security-domains>
</subsystem>
```
And since I use ports 4001 and 4443:
```xml
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:4001}"/>
    <socket-binding name="https" port="${jboss.https.port:4443}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
    </outbound-socket-binding>
</socket-binding-group>
```
Then, since I’m using PostgreSQL, I have to define the datasource and driver again, and also remove the ExampleDS and H2.
```xml
<subsystem xmlns="urn:jboss:domain:datasources:6.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" use-ccm="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <connection-url>jdbc:postgresql://localhost:5432/MY-DATABASE-NAME-HERE</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>100</max-pool-size>
                <flush-strategy>IdleConnections</flush-strategy>
            </pool>
            <security>
                <user-name>MY-USERNAME-HERE</user-name>
                <password>MY-PASSWORD-HERE</password>
            </security>
            <validation>
                <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                <background-validation>true</background-validation>
                <background-validation-millis>60000</background-validation-millis>
            </validation>
        </datasource>
        <drivers>
            <driver name="postgresql" module="org.postgresql.jdbc">
                <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>
```
Also, I have to set this datasource to be the default one:
```xml
<spi name="connectionsJpa">
    <provider name="default" enabled="true">
        <properties>
            <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
            <property name="initializeEmpty" value="true"/>
            <property name="migrationStrategy" value="update"/>
            <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
        </properties>
    </provider>
</spi>
```
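A quick way to confirm that the manual edits above all landed before restarting the service. This is an added example, not part of the original post: `audit_standalone`, its messages and the sample XML are constructed for illustration, and the expected ports default to the 4001/4443 used here.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: a config that has NOT had the manual edits applied yet.
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:datasources:6.0"><datasources>
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS"/>
  <drivers><driver name="h2" module="com.h2database.h2"/></drivers></datasources></subsystem>
 <spi name="connectionsJpa"><properties>
  <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/></properties></spi>
 <http-listener name="default" socket-binding="http"/>
 <socket-binding name="http" port="${jboss.http.port:8080}"/>
 <socket-binding name="https" port="${jboss.https.port:8443}"/>
</server>"""

def _all(root, name):
    """Elements with this local name, ignoring the versioned urn:jboss namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]
def _default(expr):
    """Resolve '${jboss.http.port:4001}' to its default '4001'; plain values pass through."""
    m = re.fullmatch(r"\$\{[^:}]+:([^}]*)\}", expr or "")
    return m.group(1) if m else expr

def audit_standalone(xml_text, http_port="4001", https_port="4443"):
    """Return the problems found in a hand-edited standalone.xml (empty list = edits present)."""
    root, problems = ET.fromstring(xml_text), []
    sources = {d.get("pool-name"): d for d in _all(root, "datasource")}
    drivers = {d.get("name") for d in _all(root, "driver") if d.get("name")}
    if "ExampleDS" in sources or "h2" in drivers:
        problems.append("ExampleDS/H2 leftovers still present")
    kc = sources.get("KeycloakDS")
    if kc is None:
        problems.append("KeycloakDS datasource missing")
    elif "postgresql" not in drivers:
        problems.append("postgresql driver not declared")
    jndi = kc.get("jndi-name") if kc is not None else None
    ds = [p.get("value") for s in _all(root, "spi") if s.get("name") == "connectionsJpa"
          for p in _all(s, "property") if p.get("name") == "dataSource"]
    if ds != [jndi]:  # the SPI must reference exactly the KeycloakDS JNDI name
        problems.append(f"connectionsJpa dataSource is {ds}, expected {jndi}")
    ports = {b.get("name"): _default(b.get("port")) for b in _all(root, "socket-binding")}
    for name, want in (("http", http_port), ("https", https_port)):
        if ports.get(name) != want:
            problems.append(f"{name} port is {ports.get(name)}, expected {want}")
    if any(h.get("proxy-address-forwarding") != "true" for h in _all(root, "http-listener")):
        problems.append("http-listener lacks proxy-address-forwarding")
    return problems

if __name__ == "__main__":
    print("\n".join(audit_standalone(SAMPLE)) or "standalone.xml looks migrated")
```

To check a real install, pass the contents of standalone/configuration/standalone.xml to `audit_standalone` instead of `SAMPLE`.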
Since there is no migration script and the old standalone.xml doesn’t work anymore, the new script for just this version is as follows:
```bash
#!/usr/bin/env bash
# Upgrade helper for 16.1.0: only the PostgreSQL JDBC module is carried over;
# standalone.xml is edited by hand afterwards.
set -euo pipefail

OLD=15.1.0
NEW=16.1.0
OLDPATH="$HOME/keycloak-$OLD"
NEWPATH="$HOME/keycloak-$NEW"

cd "$HOME"
wget "https://github.com/keycloak/keycloak/releases/download/$NEW/keycloak-$NEW.tar.gz"
tar xvf "keycloak-$NEW.tar.gz"

# Carry the PostgreSQL JDBC module over to the new install.
mkdir -p "$NEWPATH/modules/system/layers/base/org/postgresql/jdbc/main"
cp -a "$OLDPATH"/modules/system/layers/base/org/postgresql/jdbc/main/* "$NEWPATH/modules/system/layers/base/org/postgresql/jdbc/main/"

echo -e "Next steps:\nnano -w /etc/systemd/system/keycloak.service && systemctl daemon-reload && systemctl restart keycloak.service\n\n"
```
And that’s all there is to it.
Don’t you just love Java and XML configuration files?