
This release includes breaking changes for platform teams planning a safe upgrade.

Published 2mo Secrets & Credentials
✓ No known CVEs patched

Topics

keycloak kubernetes sso sso-authentication

Affected surfaces

breaking_upgrade

Summary

AI summary

Fixes operator crash when a namespaced KeycloakRealm references a ClusterKeycloakInstance via clusterInstanceRef.

Full changelog

Critical Bug Fix

Operator crash when KeycloakRealm uses clusterInstanceRef

Severity: Critical — The operator panics and crashes when a namespaced KeycloakRealm references a ClusterKeycloakInstance via clusterInstanceRef.

This affects any deployment where a central ClusterKeycloakInstance is shared across namespaces with KeycloakRealm resources. All child resources were also affected because they inherit the instance resolution path from the realm.

Root cause: Several controllers assumed spec.instanceRef was always set on the KeycloakRealm and dereferenced it without a nil check. When spec.clusterInstanceRef is used instead, instanceRef is nil, causing a nil pointer panic.

Fix: Extracted a shared GetKeycloakClientFromRealmInstance helper that safely handles both instanceRef and clusterInstanceRef paths. All controllers now use this single helper, eliminating duplicated instance-resolution logic.
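The failure mode and fix described above, as an added Go example (not the operator's own code). The types and function names are simplified stand-ins assumed for illustration, and rejecting a realm that sets both references is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the CRD spec fields named in the changelog
// (assumed shapes, not the project's type definitions).
type InstanceRef struct{ Name string }
type ClusterInstanceRef struct{ Name string }
type RealmSpec struct {
	InstanceRef        *InstanceRef        // namespaced instance
	ClusterInstanceRef *ClusterInstanceRef // cluster-scoped ClusterKeycloakInstance
}
type InstanceKey struct{ Namespace, Name string } // Namespace "" = cluster-scoped

// resolveUnsafe mirrors the described bug: it assumes InstanceRef is always set.
func resolveUnsafe(realmNS string, s RealmSpec) InstanceKey {
	return InstanceKey{Namespace: realmNS, Name: s.InstanceRef.Name} // nil dereference
}

// resolveInstance is one shared resolver for both paths; it returns an error, never panics.
func resolveInstance(realmNS string, s RealmSpec) (InstanceKey, error) {
	switch {
	case s.InstanceRef != nil && s.ClusterInstanceRef != nil: // assumption: ambiguous, reject
		return InstanceKey{}, errors.New("both instanceRef and clusterInstanceRef set")
	case s.InstanceRef != nil:
		return InstanceKey{Namespace: realmNS, Name: s.InstanceRef.Name}, nil
	case s.ClusterInstanceRef != nil:
		return InstanceKey{Name: s.ClusterInstanceRef.Name}, nil
	}
	return InstanceKey{}, errors.New("neither instanceRef nor clusterInstanceRef set")
}

// panics reports whether f panicked, so the crash can be shown without exiting.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	spec := RealmSpec{ClusterInstanceRef: &ClusterInstanceRef{Name: "shared-keycloak"}} // constructed sample
	fmt.Println("unsafe resolver panics:", panics(func() { resolveUnsafe("team-a", spec) }))
	key, err := resolveInstance("team-a", spec)
	fmt.Printf("safe resolver: %+v err=%v\n", key, err)
}
```

Routing every controller through one resolver like this means a missing or ambiguous reference surfaces as a reconcile error on that one resource rather than taking down the operator process.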

Upgrade Notes

No breaking changes. Drop-in replacement for v0.6.0. If you are using ClusterKeycloakInstance with namespaced KeycloakRealm resources, upgrading to v0.6.1 is strongly recommended as v0.6.0 will crash in this configuration.

What's Changed

  • Fix nil pointer panic when KeycloakRealm uses clusterInstanceRef by @pehlert in https://github.com/Hostzero-GmbH/keycloak-operator/pull/49

Full Changelog: https://github.com/Hostzero-GmbH/keycloak-operator/compare/v0.6.0...v0.6.1

Related context

Earlier breaking changes

  • v0.9.0 Removes `spec.credentials` and `spec.client`; requires migration to new `spec.auth` block.