Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: 1.17.0
Affects Version/s: None
Component/s: Operator
Labels:
- doc-req
- team-gitops-scarlet

Story Points:
8
Epic Link:
Deprecate and remove Keycloak in OpenShift GitOps
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Release Note Text:

Hide
Deprecation Notice: Support for the Keycloak functionality in OpenShift GitOps is being removed in future release. If Keycloak-based SSO is configured, users will receive warning logs indicating deprecation.

Dex is the default and recommended authentication provider for OpenShift GitOps. It integrates with the OpenShift OAuth server and supports login using OpenShift users and groups. For most use cases, users should switch to Dex-based authentication.

If users still wish to use Keycloak, they must manage their own Keycloak instance using the Red Hat Build of Keycloak (RHBK) and configure integration manually in the Argo CD custom resource.

Show
Deprecation Notice: Support for the Keycloak functionality in OpenShift GitOps is being removed in future release. If Keycloak-based SSO is configured, users will receive warning logs indicating deprecation. Dex is the default and recommended authentication provider for OpenShift GitOps. It integrates with the OpenShift OAuth server and supports login using OpenShift users and groups. For most use cases, users should switch to Dex-based authentication. If users still wish to use Keycloak, they must manage their own Keycloak instance using the Red Hat Build of Keycloak (RHBK) and configure integration manually in the Argo CD custom resource.
Git Pull Request:
https://github.com/argoproj-labs/argocd-operator/pull/1759
Intelligence Requested:
Market:
Target Version:

1.17.0

Sprint:
GitOps Scarlet Sprint 17, GitOps Scarlet Sprint 18, GitOps Scarlet Sprint 19

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The goal of this story is to deprecate Keycloak within OpenShift GitOps (with the goal of eliminating it in a subsequent release). Keycloak support should still continue to work, but will be listed as deprecated in doc, in code, and in operator logs.

Slack thread for more details: https://redhat-internal.slack.com/archives/C072XEET171/p1749039415795409?thread_ts=1737090625.150739&cid=C072XEET171

Acceptance Criteria:

Add a deprecation notice to openshift gitops docs indicating keycloak support is being removed.
- Link to the following resources on how to replace it:
  - Existing OpenShift GitOps Dex docs
  - Configuring Keycloak from Argo CD: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/#keycloak-and-argocd-with-pkce
  - Use ArgoCD CR `.spec.oidcConfig` field for SSO configuration.
  - Red Hat Build of Keycloak Operator: https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html/operator_guide/installation-
- Include this notice as both a release note, and in Configuring SSO for Argo CD for Keycloak (https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.16/html/access_control_and_user_management/configuring-sso-for-argo-cd-using-keycloak).
Create a PR in argocd-operator:
- Add comment to keycloak fields that the fields are deprecated, and in a future release will no longer be supported.
- Log a message if keycloak functionality is used
- Otherwise, keycloak functionality will continue to work as expected (e.g. don't no-op yet)
- Merge PR
No unit/E2E tests needed, I believe.

links to

openshift/openshift-docs#96515: RHDEVDOCS-6452: Content creation for GitOps 1.17 RN

Assignee:: Rizwana Naaz

Reporter:: Jonathan West

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/06/11 11:45 PM

Updated:: 2025/08/12 2:24 PM

Resolved:: 2025/07/30 12:54 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates