[bitnami/keycloak] Documentation example doesn't work as expected

[Pyrrha]

Name and Version

bitnami/keycloak 24.4.2

What architecture are you using?

amd64

What steps will reproduce the bug?

1. According to https://artifacthub.io/packages/helm/bitnami/keycloak#configure-admin-ingress
2. Activate configCli (see values.yaml below)
3. Deploy with helm

Are you using any custom parameters or values?

From documentation:

keycloakConfigCli:
  enabled: true
  configuration:
    master.json: |
      {
        "realm" : "master",
        "attributes": {
          "frontendUrl": "https://keycloak-admin.example.com"
        }
      }

What is the expected behavior?

The job to pass.

What do you see instead?

The pod attached to the job fails with the following error:

2025-01-14T15:06:45.338Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : Starting KeycloakConfigApplication v6.1.6 using Java 21.0.5 with PID 1 (/opt/bitnami/keycloak-config-cli/keycloak-config-cli-25.0.1.jar started by ? in /opt/bitnami/keycloak-config-cli)
2025-01-14T15:06:45.343Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : No active profile set, falling back to 1 default profile: "default"
2025-01-14T15:06:51.711Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : Started KeycloakConfigApplication in 11.392 seconds (process running for 16.357)
2025-01-14T15:06:57.319Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Importing file 'file:/config/master.json'
2025-01-14T15:06:59.716Z  INFO 1 --- [           main] d.a.k.config.provider.KeycloakProvider   : Wait 120 seconds until http://keycloak-headless:8080/ is available ...
2025-01-14T15:07:05.918Z  WARN 1 --- [           main] d.a.k.config.provider.KeycloakProvider   : Local keycloak-config-cli (6.1.6-25.0.1) and remote Keycloak (26.0.7) may not compatible.
2025-01-14T15:07:06.835Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : jakarta.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "bruteForceStrategy" (class org.keycloak.representations.idm.RealmRepresentation), not marked as ignorable (143 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1304] (through reference chain: org.keycloak.representations.idm.RealmRepresentation["bruteForceStrategy"])
2025-01-14T15:07:06.836Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : keycloak-config-cli ran in 00:11.108.

Additional information

No response

[javsalgar]

Hi!

Just to confirm, are you able to access using the ingress url with a browser, for example? It is not clear to me if the problem lies in the keycloak configuration or in an invalid option for the config-cli

[MisterTimn]

Having similar issues with Keycloak chart 24.4.4, KC version 26.1.0

We import a custom realm config using configCli but run into this error:

2025-01-16T13:32:11.395Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : Starting KeycloakConfigApplication v6.2.1 using Java 21.0.5 with PID 1 (/opt/bitnami/keycloak-config-cli/keycloak-config-cli-26.0.5.jar started by ? in /opt/bitnami/keycloak-config-cli)
2025-01-16T13:32:11.405Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : No active profile set, falling back to 1 default profile: "default"
2025-01-16T13:32:15.992Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigApplication   : Started KeycloakConfigApplication in 8.382 seconds (process running for 12.163)
2025-01-16T13:32:21.890Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Importing file 'file:/config/kvasir-realm.json'
2025-01-16T13:32:23.805Z  INFO 1 --- [           main] d.a.k.config.provider.KeycloakProvider   : Wait 120 seconds until http://keycloak-headless:8080/ is available ...
2025-01-16T13:32:25.984Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : jakarta.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "verifiableCredentialsEnabled" (class org.keycloak.representations.idm.RealmRepresentation), not marked as ignorable (144 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 4399] (through reference chain: org.keycloak.representations.idm.RealmRepresentation["verifiableCredentialsEnabled"])
2025-01-16T13:32:25.985Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : keycloak-config-cli ran in 00:06.492.
stream closed EOF for keycloak/keycloak-keycloak-config-cli-gvzdw (keycloak-config-cli)

Our realm config has no field verifiableCredentialsEnabled so I assume this is an issue in version compatibility of the default config CLI bitnami/keycloak-config-cli:6.2.1-debian-12-r1
and Keycloak 26.1.0

It's the second time we have run into an issue with a Keycloak upgrade in which the config cli feature breaks.

[javsalgar]

I can confirm that CLI version 6.2.1 and Keycloak version 26.1.0 are the latest one we are packaging. Did you try reporting this issue to the upstream keycloak devs?

[BorgChrist]

There is a fix for the verifiableCredentialsEnabled issue attached to the issue here adorsys/keycloak-config-cli#1253