chore(deps): update docker.io/bitnami/keycloak docker tag to v26 (#208)

* chore(deps): update docker.io/bitnami/keycloak docker tag to v26

| datasource | package                    | from | to |
| ---------- | -------------------------- | ---- | -- |
| docker     | docker.io/bitnami/keycloak | 25   | 26 |

* chore(docker): add Keycloak 26 image

* chore(docs): update readme

* chore(keycloak): overwrite jdbc driver; upstream is too outdated

* chore: remove dynamic aws_wrapper version by a static one managed by renovate

* fix: downgrade jdbc wrapper to 2.3.9

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Langleu <lars.lange@camunda.com>
Co-authored-by: Leo J <153937047+leiicamundi@users.noreply.github.com>

Author: 3 people

.github/scripts/utils/get_aws_jdbc_wrapper_version.sh

@@ -105,14 +105,6 @@ jobs:
 
                   echo "keycloak_full_version=${keycloak_full_version}"
 
-                  aws_jdbc_wrapper_version=$(
-                    .github/scripts/utils/get_aws_jdbc_wrapper_version.sh "$keycloak_full_version" \
-                    || { echo "Error: Cannot get aws jdbc wrapper version for keycloak $keycloak_full_version"; exit 1; }
-                  )
-
-                  echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}" >> "$GITHUB_ENV"
-                  echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}"
-
             - name: Build image using Camunda docker build
               id: build-image-step
               uses: camunda/infra-global-github-actions/build-docker-image@adc932a586d745b8a147a7f52117e683d5c59b54 # main
@@ -124,8 +116,6 @@ jobs:
                   image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
                   build_context: ./keycloak-${{ matrix.keycloak_version }}/
                   build_platforms: linux/amd64,linux/arm64
-                  build_args: |
-                      AWS_JDBC_WRAPPER_VERSION=${{ env.aws_jdbc_wrapper_version }}
                   extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
                       type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short
 

.github/workflows/build-images.yml

@@ -2,4 +2,4 @@
 # It is its only purpose.
 
 # Note: When renovate alerts about a new version of keycloak, please follow the `DEVELOPER.md` new release procedure.
-FROM docker.io/bitnami/keycloak:25
+FROM docker.io/bitnami/keycloak:26

.watch-latest/Dockerfile

@@ -29,10 +29,7 @@ Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute
 keycloak_full_version="$(grep "ARG BASE_IMAGE_NAME=.*$1" ./Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}')"
 echo "keycloak_full_version=$keycloak_full_version"
 
-aws_jdbc_wrapper_version="$(../.github/scripts/utils/get_aws_jdbc_wrapper_version.sh $keycloak_full_version)"
-echo "aws_jdbc_wrapper_version=$aws_jdbc_wrapper_version"
-
-docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version" --build-arg "AWS_JDBC_WRAPPER_VERSION=$aws_jdbc_wrapper_version"
+docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version""
 ```
 
 This Dockerfile includes the necessary dependencies and configurations for AWS Advanced JDBC Wrapper.

DEVELOPER.md

@@ -26,7 +26,7 @@ To start the image, run:
 ```bash
 docker run --name mykeycloak -p 8443:8443 \
         -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
-        docker.io/camunda/keycloak:25
+        docker.io/camunda/keycloak:26
 ```
 
 Keycloak will start in production mode, using secured HTTPS communication and will be available at [https://localhost:8443](https://localhost:8443).
@@ -83,7 +83,7 @@ Don't forget to set the `serviceAccountName` of the deployment/statefulset to po
 To use this image in the Helm chart [bitnami/keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak), update the image used and add the necessary extra environment variables:
 
 ```yaml
-image: docker.io/camunda/keycloak:25
+image: docker.io/camunda/keycloak:26
 extraEnvVars:
   - name: KEYCLOAK_EXTRA_ARGS
     value: "--db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO"

README.md

@@ -9,8 +9,9 @@ FROM docker.io/camunda/identity:latest@sha256:19ed5c6a1e2fde366092b5339023c86e66
 # Building builder image
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} AS builder
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 USER 0
 
@@ -54,8 +55,8 @@ FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_DIGEST
 
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 # Copy the previously built aws jdbc drivers
 COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/

keycloak-23/Dockerfile

@@ -9,8 +9,9 @@ FROM docker.io/camunda/identity:latest@sha256:19ed5c6a1e2fde366092b5339023c86e66
 # Building builder image
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} AS builder
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 USER 0
 
@@ -54,8 +55,8 @@ FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_DIGEST
 
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 # Copy the previously built aws jdbc drivers
 COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/

keycloak-24/Dockerfile

@@ -9,8 +9,9 @@ FROM docker.io/camunda/identity:latest@sha256:19ed5c6a1e2fde366092b5339023c86e66
 # Building builder image
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} AS builder
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 USER 0
 
@@ -54,8 +55,8 @@ FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_DIGEST
 
-# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
-ARG AWS_JDBC_WRAPPER_VERSION
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
 
 # Copy the previously built aws jdbc drivers
 COPY --chown=1001:1000 --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/

keycloak-25/Dockerfile

@@ -0,0 +1,96 @@
+ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:26.0.0-debian-12-r1"
+# List of all available images with associated sha: https://hub.docker.com/r/bitnami/keycloak/tags
+# Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186)
+ARG BASE_IMAGE_DIGEST="sha256:6aadcb7f1af5f463ccd8acaed341bead98d0c968532cd99f950512c74345818b"
+
+# We use the identity image to copy the keycloak theme
+FROM docker.io/camunda/identity:latest@sha256:19ed5c6a1e2fde366092b5339023c86e66797f497f8efcac61c4de1ac254134b AS identity
+
+# Building builder image
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} AS builder
+
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
+
+USER 0
+
+# install maven (silence alert about version pinning of maven)
+# hadolint ignore=DL3008
+RUN mkdir /home/keycloak && chown keycloak /home/keycloak && \
+    apt-get update && apt-get install maven -y --no-install-recommends
+
+COPY --from=identity /app/keycloak-theme/ /opt/bitnami/keycloak/themes/identity
+RUN chown 1001:1000 -R /opt/bitnami/keycloak/themes
+
+USER 1001
+
+WORKDIR /home/keycloak
+
+# Install the custom providers
+# download the wrapper from github, then fetch the dependencies from maven
+RUN curl -fL "https://repo1.maven.org/maven2/software/amazon/jdbc/aws-advanced-jdbc-wrapper/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.pom" \
+    -o /home/keycloak/pom.xml \
+    && chown 1001:1000 /home/keycloak/pom.xml \
+    && chmod 0644 /home/keycloak/pom.xml && \
+
+    cat /home/keycloak/pom.xml && mvn install && \
+    cp /home/keycloak/.m2/repository/software/amazon/*/*/*/*.jar /opt/bitnami/keycloak/providers/ && \
+
+    curl -fL "https://github.com/aws/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" \
+    -o /opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar \
+    && chown 1001:1000 /opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar \
+    && chmod 0644 /opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar && \
+
+    ls -alh /opt/bitnami/keycloak/providers/
+
+
+RUN /opt/bitnami/keycloak/bin/kc.sh build
+
+##### FINAL Keycloak IMAGE # ####
+
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
+# leave the values below unset to use the default value at the top of the file
+ARG BASE_IMAGE_NAME
+ARG BASE_IMAGE_DIGEST
+
+# renovate: datasource=github-tags depName=aws/aws-advanced-jdbc-wrapper
+ARG AWS_JDBC_WRAPPER_VERSION=2.3.9
+
+# Copy the previously built aws jdbc drivers
+COPY --chown=1001:1000 --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
+
+COPY --chown=1001:1000 --from=builder /opt/bitnami/keycloak/themes/identity /opt/bitnami/keycloak/themes/identity
+
+
+# common, k8s, openshift and OCI labels:
+# OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md
+# OCP: https://docs.openshift.com/container-platform/4.10/openshift_images/create-images.html#defining-image-metadata
+LABEL maintainer="Camunda" \
+      name="camunda/keycloak" \
+      summary="Keycloak bitnami with AWS wrapper" \
+      io.k8s.description="Keycloak bitnami with AWS wrapper." \
+      io.k8s.display-name="keycloak" \
+      description="Keycloak bitnami with AWS JDBC wrapper." \
+      jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \
+      org.opencontainers.image.authors="Camunda" \
+      org.opencontainers.image.vendor="Camunda" \
+      org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \
+      org.opencontainers.image.licenses="Apache License 2.0" \
+      org.opencontainers.image.base.name="docker.io/library/${BASE_IMAGE_NAME}" \
+      org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \
+      io.openshift.tags="bpmn,identity,keycloak,camunda,bitnami" \
+      io.openshift.min-memory="1Gi" \
+      io.openshift.min-cpu="1"
+
+      # cpu and ram allocation reference: https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing
+
+      # the following labels are generated at buildtime - see https://github.com/docker/metadata-action
+      # org.opencontainers.image.title
+      # org.opencontainers.image.description
+      # org.opencontainers.image.url
+      # org.opencontainers.image.created
+      # org.opencontainers.image.revision
+      # org.opencontainers.image.source
+      # org.opencontainers.image.version