Migration to Quarkus

Keycloak v17 is changing their runtime from Wildfly to Quarkus. This brings a complete new way of how the Keycloak container has to be deployed (Quarkus based Keycloak Image vs the Wildfly based image) and parameterized. While Wildfly is a full-fledged application server for Java, Quarkus is a Kubernetes Native Java stack.

The Keycloak default image requires a "build" before startup. This can be automatized using the --auto-build, which is the default in the component. This additional step can be removed by creating a customized Keycloak image.

New variables

KC_HOSTNAME containing the FQDN of the Keycloak service. Verification can be turned off by using the parameters --hostname-strict=false and --hostname-strict-https=false. However, for production the hostname verification should be turned on!
KC_HTTP_RELATIVE_PATH in Keycloak is / by default. However, the Helm chart contains the default value of /auth, so for upgrades there is no breaking change.

Changed variables

The Wildfily container did automatically create a truststore file out of PEM files existing in /etc/x509/https. Now the public and private key file must be defined in variables, for example KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt and KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key.
KEYCLOAK_STATISTICS is replaced by KC_METRICS_ENABLED.
JGROUPS_DISCOVERY_PROTOCOL and JGROUPS_DISCOVERY_PROPERTIES are replaced by JAVA_OPTS=-Djgroups.dns.query=keycloakx-headless (see Helm chart documentation).
PROXY_ADDRESS_FORWARDING removed, see Using a reverse proxy and KC_PROXY for more information. If KC_PROXY is set to a value of edge, reencyrpt or passthrough the X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host HTTP headers are used by Keycloak (see Source Code).
KEYCLOAK_USER renamed to KEYCLOAK_ADMIN
KEYCLOAK_PASSWORD renamed to KEYCLOAK_ADMIN_PASSWORD
DB_DATABASE renamed to KC_DB_URL_DATABASE
DB_USER renamed to KC_DB_USERNAME
DB_PASSWORD renamed to KC_DB_PASSWORD
DB_VENDOR renamed to KC_DB
DB_ADDR renamed to KC_DB_URL_HOST
DB_PORT renamed to KC_DB_URL_PORT
Theme path has changed from /opt/jboss/keycloak/themes/ to /opt/keycloak/themes/.
KEYCLOAK_WELCOME_THEME renamed to KC_SPI_THEME_WELCOME_THEME

Removed variables

CACHE_OWNERS_AUTH_SESSIONS_COUNT and CACHE_OWNERS_COUNT have no direct equivalent in the Quarkus setup. A cache replica/owner number of >= 2 is required to preserve the Infinispan cache over single Keycloak pod restarts. The Wildfly default value of those variables has been 1 and defined the amount of replicas/owners for a specific cache. Now the default in the Quarkus Setup is "Each distributed cache has two owners per default, which means that two nodes have a copy of the specific cache entries". A custom Infinispan configuration file can be configured using the environment variable KC_CACHE_CONFIG_FILE to override the default.