I’m trying to upgrade Keycloak from version 21.4.1 to 24.4.13 using helm_release in Terraform, but the deployment is failing with the following error:
│ Error: invalid_reference: invalid tag
The upgrade works fine when I run the Helm CLI command manually:
# `bitnami` is the repo alias configured in the local Helm client; it is not
# necessarily the same URL that Terraform is given in `repository`.
helm upgrade keycloak bitnami/keycloak \
  --namespace keycloak \
  --version 24.4.13 \
  --values values.yaml \
  --debug
# helm module
# Installs one chart as a Helm release; the release is named after the chart.
resource "helm_release" "release" {
  name      = var.chart
  namespace = kubernetes_namespace.namespace.metadata[0].name

  # Chart source and the pinned chart version.
  repository = var.repository
  chart      = var.chart
  version    = var.chart_version

  # Every entry of var.settings becomes a plain `set` block.
  # NOTE(review): credentials passed this way are ordinary resource arguments,
  # so they are written to Terraform state; `set_sensitive` additionally keeps
  # them out of plan output. This module offers callers no way to mark a
  # setting as sensitive.
  dynamic "set" {
    for_each = var.settings
    iterator = setting

    content {
      name  = setting.key
      value = setting.value
    }
  }
}
# Keycloak release built from the local helm module, using an external
# PostgreSQL database instead of the chart's bundled one.
module "app" {
  source = "./modules/helm"

  chart         = "keycloak"
  repository    = "https://charts.bitnami.com/bitnami"
  chart_version = var.chart_version
  namespace     = "keycloak"

  depends_on = [module.db_flexible]

  settings = {
    # --- General ---
    "replicaCount" = 1
    "production"   = "true"
    "proxy"        = "edge"
    # NOTE(review): DEBUG logging is enabled alongside production = "true";
    # verbose identity-provider logs can carry sensitive request detail.
    # Confirm this is a temporary troubleshooting setting.
    "logging.level" = "DEBUG"

    # --- Admin account ---
    # NOTE(review): both passwords in this map are handed to the module as
    # ordinary settings. If ./modules/helm forwards them through plain `set`
    # blocks they end up in Terraform state and in the Helm release values.
    # Confirm, and consider a pre-created Kubernetes Secret instead.
    "auth.adminUser"     = "admin"
    "auth.adminPassword" = random_password.keycloak_admin.result

    # --- External database (bundled PostgreSQL disabled) ---
    "postgresql.enabled"        = "false"
    "externalDatabase.host"     = local.db_host
    "externalDatabase.port"     = "5432"
    "externalDatabase.database" = local.db_database
    "externalDatabase.user"     = local.db_user
    "externalDatabase.password" = local.db_password
    # Left empty, so the inline password above is what the chart receives.
    "externalDatabase.existingSecret" = ""

    # --- Service and ingress ---
    "service.type"             = "ClusterIP"
    "service.sessionAffinity"  = "ClientIP"
    "ingress.enabled"          = "true"
    "ingress.ingressClassName" = "nginx"
    "ingress.hostname"         = "account.${var.domain}"
    "ingress.tls"              = "true"
    # Dots inside annotation keys are escaped so Helm does not read them as
    # path separators.
    "ingress.annotations.cert-manager\\.io/cluster-issuer"                    = "issuer"
    "ingress.annotations.nginx\\.ingress\\.kubernetes\\.io/proxy-buffer-size" = "12k"

    # --- Service account token mounting ---
    "automountServiceAccountToken"                = "false"
    "serviceAccount.automountServiceAccountToken" = "false"

    # --- Resources ---
    "resources.limits.cpu"      = "1000m"
    "resources.limits.memory"   = "500Mi"
    "resources.requests.memory" = "500Mi"

    # --- Container hardening: non-root, no privilege escalation, read-only root FS ---
    "containerSecurityContext.enabled"                  = "true"
    "containerSecurityContext.runAsUser"                = "1001"
    "containerSecurityContext.runAsGroup"               = "1001"
    "containerSecurityContext.runAsNonRoot"             = "true"
    "containerSecurityContext.allowPrivilegeEscalation" = "false"
    "containerSecurityContext.readOnlyRootFilesystem"   = "true"
  }
}
I also tried passing the settings through `values` instead of `set` blocks, but the error persisted.
# Same release, with the chart values supplied as one YAML document.
module "app" {
  source = "./modules/helm"
  # .... (other arguments omitted in the original post)

  # NOTE(review): the credentials in this document are placeholders from the
  # post. Real secrets written inline in `values` are stored in Terraform
  # state like any other argument.
  #
  # NOTE(review): `image.tag: "latest"` combined with
  # `pullPolicy: IfNotPresent` is not reproducible. A node keeps whatever
  # image it already cached under that tag, and the image is no longer the
  # one the pinned chart version was released with. Leaving `image.*` at the
  # chart default, or pinning a fixed tag or digest, is the safer shape.
  values = [<<-YAML
    replicaCount: 1
    auth:
      adminUser: "user"
      adminPassword: "password"
    logging:
      level: DEBUG
    proxy: edge
    externalDatabase:
      host: "dbhost"
      port: 5432
      user: "dbuser"
      password: "dbpassword"
      database: "db"
    ingress:
      hostname: "account.demo.com"
      enabled: true
      ingressClassName: nginx
      tls: true
      annotations:
        cert-manager.io/cluster-issuer: issuer
    postgresql:
      enabled: false
    service:
      sessionAffinity: ClientIP
      type: ClusterIP
    automountServiceAccountToken: false
    serviceAccount:
      automountServiceAccountToken: false
    production: true
    resources:
      limits:
        cpu: 1000m
        memory: 500Mi
      requests:
        memory: 500Mi
    containerSecurityContext:
      enabled: true
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    image:
      registry: docker.io
      repository: bitnami/keycloak
      tag: "latest" # tried various versions
      pullPolicy: IfNotPresent
    YAML
  ]

  depends_on = [module.db_flexible]
}
What am I missing?
Bitnami charts are moving to OCI. Although their blog post states that the old HTTPS repository should still work, I ran into the same problem as the OP when updating to the latest versions of Keycloak.
Switching the repository to the OCI URL fixed the issue for me:
# With an OCI registry, `repository` holds the registry path and `chart` names
# the chart inside it. Keeping `version` pinned makes each upgrade an explicit
# change rather than tracking whatever the registry currently serves as newest.
chart      = "keycloak"
repository = "oci://registry-1.docker.io/bitnamicharts"
version    = "24.4.13"