Keycloak-Postgres!: v18, drop caps, healthcheck #417

Merged
saibotk merged 4 commits from update-keycloak-postgres into main 2025-10-12 19:31:35 +02:00

This updates Keycloak's Postgres container to v18 and drops all capabilities by also switching to a non-root user.
We also added a healthcheck and thus hard-coded the database connection env variables.
The internal network is now also declared without IPv6, as this is probably the issue for some flaky DNS resolution, which we are still investigating.

See the respective commits for details.

saibotk self-assigned this 2025-10-12 14:22:51 +02:00
BREAKING CHANGE: This updates the Keycloak Postgres container to Postgres 18!

The inner configuration changed and the data volume internally is now prefixed with the current major version [0].

Some internals also changed, which prevents running this container with the previous configuration.
Instead, we updated the config to run as the image's `postgres` user directly, so the container does not need to step down from root.
This also allowed us to remove all the additional capabilities.

The `ExposeHostPort` statement was also removed, as this is unused and only allows users to expose all ports defined this way via a command line argument, which is never the case for this container.

We also removed the custom stop signal definition, as this is now included in the image itself.

[0]: https://github.com/docker-library/postgres/pull/1259

BREAKING CHANGE: Postgres connection should now use the user `keycloak` and database `keycloak`.

We need to hard-code these, so we can rely on them being set to these exact values, e.g. for a healthcheck.

Adds a simple healthcheck based on the now enforced database name and user.

refactor(keycloak)!: Disable IPv6 for internal network
BREAKING CHANGE: You need to recreate the network by stopping it and restarting it manually.

Internal bridge networks with IPv6 are suspected to cause flaky DNS resolution behavior, as observed in many cases within our deployments.
(DNS is resolved to inaccessible local IPv6 addresses of other network interfaces)
Note: We are still investigating the root cause for this behavior!

Because we do not need IPv6 here, the network is simplified to only use IPv4 to prevent such issues.
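As an added example (not code from this PR or from the SipsOfCode/infrastructure repository), the two Quadlet units below put the four commits together in one place: a `.container` file that runs the Postgres 18 image as its own `postgres` user with every capability dropped and a healthcheck pinned to the hard-coded `keycloak` user and database, and a `.network` file declared without IPv6. It assumes the repository manages containers with Podman Quadlet (the removed `ExposeHostPort` statement points that way); the unit, secret and volume names, the health timings and the "before" capability list are made up for illustration and are not the project's own values.

```ini
# keycloak-postgres.container  (hypothetical Quadlet unit, added example)
#
# Before (the shape of what the PR removed, illustrative, not the repo's exact lines):
#   the container started as root, stepped down to postgres in the entrypoint,
#   and therefore needed e.g.
#     AddCapability=CHOWN DAC_OVERRIDE FOWNER SETGID SETUID
#     ExposeHostPort=5432
#     StopSignal=SIGINT
#   and the shared .network file carried IPv6=true.

[Unit]
Description=Postgres 18 for Keycloak
Requires=keycloak-internal-network.service
After=keycloak-internal-network.service

[Container]
# Postgres 18: the data directory now sits under a major-version prefix
# (/var/lib/postgresql/18/docker), so the volume is mounted on the parent path [0].
# A data directory written by an older major version is NOT upgraded automatically.
Image=docker.io/library/postgres:18
ContainerName=keycloak-postgres

# Start directly as the image's postgres user instead of root-then-gosu.
# With no root phase there is nothing left that needs a capability.
User=postgres
Group=postgres
DropCapability=ALL
NoNewPrivileges=true

# User and database are fixed so the healthcheck can rely on them.
Environment=POSTGRES_USER=keycloak
Environment=POSTGRES_DB=keycloak
# Password from a podman secret (name assumed), never inline in the unit.
Secret=keycloak-postgres-password,type=env,target=POSTGRES_PASSWORD

# Named volume; it must be writable by the image's postgres user (uid 999),
# which podman arranges on first use for a fresh named volume.
Volume=keycloak-postgres-data:/var/lib/postgresql
Network=keycloak-internal.network

# pg_isready only needs the user/db to check against, not the password.
HealthCmd=pg_isready -U keycloak -d keycloak
HealthInterval=10s
HealthTimeout=5s
HealthRetries=5
HealthStartPeriod=30s

# Deliberately absent: ExposeHostPort= (nothing on the host needs the port)
# and StopSignal= (the image already sets its own stop signal).

[Service]
Restart=always

[Install]
WantedBy=multi-user.target default.target


# keycloak-internal.network  (hypothetical Quadlet network unit, added example)
[Network]
NetworkName=keycloak-internal
# IPv4 only. Quadlet defaults IPv6 to false, so removing IPv6=true is enough;
# it is written out here so the intent survives a later edit.
IPv6=false
```

Checks worth running after `systemctl daemon-reload` and a restart: `podman exec keycloak-postgres grep CapEff /proc/1/status` should print all zeros, since the process never had root or any capability to keep; `podman healthcheck run keycloak-postgres` should exit 0 once the start period has passed; and `podman network inspect keycloak-internal` should list a single IPv4 subnet and no IPv6 one. As the commit above says, the network only picks up the IPv6 change when it is recreated: stop the units using it, remove the network, and start them again.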
saibotk changed title from Keycloak-Postgres: v18, drop caps, healthcheck to Keycloak-Postgres!: v18, drop caps, healthcheck 2025-10-12 14:23:01 +02:00
saibotk force-pushed update-keycloak-postgres from 4ede0ae96a to 54475d66ac 2025-10-12 14:25:33 +02:00
histalek approved these changes 2025-10-12 18:23:37 +02:00
histalek left a comment

Nice!
saibotk deleted branch update-keycloak-postgres 2025-10-12 19:31:35 +02:00
Reference
SipsOfCode/infrastructure!417