terraform keycloak kubernetes-helm

Unable to Upgrade Keycloak to 24.4.13 Using helm_release in Terraform


I’m trying to upgrade Keycloak from version 21.4.1 to 24.4.13 using helm_release in Terraform, but the deployment is failing with the following error:

│ Error: invalid_reference: invalid tag

The upgrade works fine when I run the Helm CLI command manually:

helm upgrade keycloak bitnami/keycloak -f values.yaml --version 24.4.13 --namespace keycloak --debug

# helm module
# Generic wrapper around one Helm release: the release name is the chart name,
# and every entry of var.settings is forwarded to the chart as a `set` value.
resource "helm_release" "release" {
  name       = var.chart
  chart      = var.chart
  repository = var.repository
  # Exact chart version supplied by the caller.
  version    = var.chart_version
  namespace  = kubernetes_namespace.namespace.metadata[0].name

  # NOTE(review): all settings, including the credentials the caller passes
  # (auth.adminPassword, externalDatabase.password), go through plain `set`
  # blocks, so the provider does not treat them as sensitive and they can
  # surface in plan/diff output. The helm provider has `set_sensitive` for
  # such values. Either way they are written to Terraform state, so the state
  # backend needs encryption and restricted access.
  dynamic "set" {
    for_each = var.settings
    content {
      name  = set.key
      value = set.value
    }
  }
}

# Keycloak deployed through the local helm wrapper module, against an external
# PostgreSQL database (the chart's bundled postgresql is disabled below).
module "app" {
  source  = "./modules/helm"

  chart         = "keycloak"
  # Legacy HTTPS chart index. The answer on this page resolves the
  # `invalid_reference: invalid tag` error by pointing this at the OCI registry.
  repository    = "https://charts.bitnami.com/bitnami"
  namespace     = "keycloak"
  chart_version = var.chart_version
  settings = {
    "replicaCount"                                                            = 1
    "auth.adminUser"                                                          = "admin"
    # Generated by Terraform; the value is kept in Terraform state.
    "auth.adminPassword"                                                      = random_password.keycloak_admin.result
    # NOTE(review): DEBUG is set together with production = true. Verbose logs
    # from an identity provider can carry request and session detail; drop back
    # to a quieter level once the upgrade has been diagnosed.
    "logging.level"                                                           = "DEBUG"
    # "edge": TLS ends at the ingress and Keycloak is reached over plain HTTP
    # behind it, so the ingress should be the only path to the service
    # (service.type is ClusterIP below).
    "proxy"                                                                   = "edge"
    "externalDatabase.host"                                                   = local.db_host
    "externalDatabase.port"                                                   = "5432"
    "externalDatabase.user"                                                   = local.db_user
    # NOTE(review): the database password is passed as a chart value while
    # externalDatabase.existingSecret is left empty. Referencing a pre-created
    # Kubernetes Secret through existingSecret would presumably keep the
    # password out of the release values - confirm against the chart's docs.
    "externalDatabase.password"                                               = local.db_password
    "externalDatabase.existingSecret"                                         = ""
    "externalDatabase.database"                                               = local.db_database
    "ingress.hostname"                                                        = "account.${var.domain}"
    "ingress.enabled"                                                         = "true"
    "postgresql.enabled"                                                      = "false"
    "ingress.ingressClassName"                                                = "nginx"
    "ingress.tls"                                                             = "true"
    "service.sessionAffinity"                                                 = "ClientIP"
    # No service-account token is mounted into the pod.
    "automountServiceAccountToken"                                            = "false"
    "serviceAccount.automountServiceAccountToken"                             = "false"
    "production"                                                              = "true"
    "service.type"                                                            = "ClusterIP"
    "resources.limits.cpu"                                                    = "1000m"
    "resources.limits.memory"                                                 = "500Mi"
    "resources.requests.memory"                                               = "500Mi"
    # Container hardening: non-root UID/GID 1001, no privilege escalation,
    # read-only root filesystem.
    "containerSecurityContext.enabled"                                        = "true"
    "containerSecurityContext.runAsUser"                                      = "1001"
    "containerSecurityContext.runAsGroup"                                     = "1001"
    "containerSecurityContext.runAsNonRoot"                                   = "true"
    "containerSecurityContext.allowPrivilegeEscalation"                       = "false"
    "containerSecurityContext.readOnlyRootFilesystem"                         = "true"
    # Dots inside annotation keys are escaped so Helm does not split them into
    # nested value paths.
    "ingress.annotations.cert-manager\\.io/cluster-issuer"                    = "issuer"
    "ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/proxy-buffer-size" = "12k"
  }

  # The release is created only after the database module.
  depends_on = [
    module.db_flexible
  ]
}

I attempted to use the values block instead of the set block, but the error persisted.

# Second attempt: the same module call, with the chart configuration passed as
# one YAML `values` document instead of per-key settings. The `....` lines are
# the poster's elision of the arguments shown in the first listing.
module "app" {
  source = "./modules/helm"

  ....
  ....

  # NOTE(review): the credentials in this document are the poster's
  # placeholders. In a real configuration, literal passwords here end up in
  # version control as well as in Terraform state.
  # NOTE(review): image.tag "latest" is a mutable tag, so the image can drift
  # from what the pinned chart version was tested with, and with pullPolicy
  # IfNotPresent different nodes may run different cached images. Pin an
  # explicit image tag (or leave the chart's default) instead.
  values = [<<-YAML
replicaCount: 1
auth:
  adminUser: "user"
  adminPassword: "password"
logging:
  level: DEBUG
proxy: edge
externalDatabase:
  host: "dbhost"
  port: 5432
  user: "dbuser"
  password: "dbpassword"
  database: "db"
ingress:
  hostname: "account.demo.com"
  enabled: true
  ingressClassName: nginx
  tls: true
  annotations:
    cert-manager.io/cluster-issuer: issuer
postgresql:
  enabled: false
service:
  sessionAffinity: ClientIP
  type: ClusterIP
automountServiceAccountToken: false
serviceAccount:
  automountServiceAccountToken: false
production: true
resources:
  limits:
    cpu: 1000m
    memory: 500Mi
  requests:
    memory: 500Mi
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
image:
  registry: docker.io
  repository: bitnami/keycloak
  tag: "latest" # tried various versions
  pullPolicy: IfNotPresent
YAML
  ]

  # The release is created only after the database module.
  depends_on = [
    module.db_flexible
  ]
}

What am I missing?


Solution

  • Bitnami charts are moving to OCI. Although their blog post states that old https repository should still work, I faced the same problem as OP when updating to latest versions of Keycloak.

    Switching to the OCI URL fixed my issue:

        # The chart is pulled from the OCI registry instead of the legacy HTTPS
        # index; `version` stays pinned to an exact chart version so that
        # upgrades remain a deliberate change.
        repository = "oci://registry-1.docker.io/bitnamicharts"  
        chart      = "keycloak"  
        version    = "24.4.13"