Fix keycloak in upgrade scenario (!6118) · Merge requests · Sylva-projects / sylva-core

What does this MR do and why?

Lately I've noticed multiples upgrade pipelines failing on sso and login test on scheduled pipeline ( and others).

ex:

https://gitlab.com/sylva-projects/sylva-core/-/pipelines/2160725487

https://gitlab.com/sylva-projects/sylva-core/-/pipelines/2168446646

https://gitlab.com/sylva-projects/sylva-core/-/pipelines/2161568934

During my investigation I've observed secret credential-sylva-sylva-admin-keycloak refered into sylva-admin configuration based on crossplane provider:

apiVersion: user.keycloak.m.crossplane.io/v1alpha1
kind: User
metadata:
  namespace: keycloak
  resourceVersion: "1329055"
  uid: 9b451414-1899-47c6-9471-c3359d21f546
spec:
  forProvider:
    email: sylva-admin@example.com
    emailVerified: true
    enabled: true
    firstName: sylva
    initialPassword:
    - temporary: false
      valueSecretRef:
        key: password
        name: credential-sylva-sylva-admin-keycloak <= secret 
    lastName: sylva
    realmId: sylva
    username: sylva-admin
  initProvider: {}

But during the upgrade seems to be deleted because initialy the secret was created by KeycloakUser using legacy solution and once we removed that resource as a part of transition to crossplane we remove the secret as well. Having ownerReferences the delete process is cascaded to all the resources.

apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: "2025-11-19T08:27:28Z"
  name: credential-sylva-sylva-admin-keycloak
  namespace: keycloak
  ownerReferences:                              <= reference to keycloakUser resource
  - apiVersion: legacy.k8s.keycloak.org/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: KeycloakUser
    name: sylva-user
    uid: 7833997e-0218-4b4d-83f6-886ce06c08c1
  resourceVersion: "33113"
  uid: 7cc47b7d-5d36-46eb-9dea-8c85060a0474
type: Opaque

Disscussing with @mihai.zaharia I understood that we want to keep the same name for the secret and do not alterate exiting scripts which are getting the SSO credentials, so the easiest way to fix the issue was to remove the ownerReferences field and avoid deleting the secret.

Related reference(s)

Test coverage

Tested in https://gitlab.com/sylva-projects/sylva-core/-/pipelines/2169269254

CI configuration

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon	Meaning	Available values
☁️	Infra Provider	`capd`, `capo`, `capm3`
🚀	Bootstrap Provider	`kubeadm` (alias `kadm`), `rke2`, `okd`, `ck8s`
🐧	Node OS	`ubuntu`, `suse`, `na`, `leapmicro`
🛠️	Deployment Options	`light-deploy`, `dev-sources`, `ha`, `misc`, `maxsurge-0`, `logging`, `no-logging`, `cilium`
🎬	Pipeline Scenarios	Available scenario list and description
🟢	Enabled units	Any available units name, by default apply to management and workload cluster. Can be prefixed by `mgmt:` or `wkld:` to be applied only to a specific cluster type

Global config for deployment pipelines

autorun pipelines
allow failure on pipelines
record sylvactl events

Notes:

Enabling autorun will make deployment pipelines to be run automatically without human interaction
Disabling allow failure will make deployment pipelines mandatory for pipeline success.
if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited Nov 20, 2025 by Bogdan Antohe

Fix keycloak in upgrade scenario

What does this MR do and why?

Related reference(s)

Test coverage

CI configuration

Global config for deployment pipelines

Merge request reports