由于CVE-2020-10770漏洞，k8s集群升级keycloak 8.0.0-->15.0.0（由于15.0.0最近又出安全漏洞，升级为16.0.0）

背景　　

　　前段时间项目组用到的8.0.0版本的keycloak被安全部门同事扫出来一个中危漏洞：

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

所以这两天在琢磨怎么升级keycloak。　　

　　最终依赖导出功能解决升级问题：（部署方式为腾讯云的k8s容器服务）

keycloak通过standalone.sh导出导出

1 新建部署单元，镜像：直接填： jboss/keycloak，版本用16.0.0
2 数据库配置在环境变量，指定另外的库，（环境变量好像有先后顺序之分？期间填错了database和user的前后位置导致报错）具体需要的环境变量有：

- env:
        - name: KEYCLOAK_USER
          value: admin
        - name: KEYCLOAK_PASSWORD
          value: **********
        - name: DB_VENDOR
          value: mysql
        - name: DB_ADDR
          value: 10.200.192.3
        - name: MYSQL_PORT
          value: "3306"
        - name: DB_DATABASE
          value: keycloak_2022
        - name: DB_USER
          value: root
        - name: DB_PASSWORD
          value: **********
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: KEYCLOAK_FRONTEND_URL
          value: https://sso-2022.xxx.com/auth
        - name: TZ
          value: Asia/Shanghai

3 该数据库必须已创建，且为空；
4 启动新keycloak。如果启动正常的话可以看到如下日志：

 1 Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
 2 -b 0.0.0.0
 3 =========================================================================
 4
 5   Using MySQL database
 6
 7 =========================================================================
 8
 9 [0m16:54:59,234 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.11.0.Final
10 [0m[0m16:54:59,836 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.12.Final
11 [0m[0m16:54:59,922 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.4.0.Final
12 [0m[0m16:55:00,731 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 15.0.0 (WildFly Core 15.0.1.Final) starting
13 [0m[0m16:55:01,040 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
14 [0m[0m16:55:04,734 INFO  [org.wildfly.security] (ServerService Thread Pool -- 20) ELY00001: WildFly Elytron version 1.15.3.Final
15 [0m[0m16:55:06,725 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 5) WFLYCTL0033: Extension 'security' is deprecated and may not be supported in future versions
16 [0m[0m16:55:08,639 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

5 从旧keycloak导出配置文件：keycloak-export.json：（参考链接https://www.coder.work/article/6370494）

bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=keycloak-export.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

6

登录新版本keycloak导入：

bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=keycloak-export.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

7 将keycloak的 KEYCLOAK_FRONTEND_URL 改为生产用的url，并将域名解析切换至新keycloak。自此，生产流量已切换至新keycloak。

经验证，用户和权限配置等都迁移正常。

总结：

官方表示，控制台导出，会将一些敏感信息用****代替，所以从控制台的导出和导入都会有问题。

----------------------------------------------------

参考链接：https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/export-import.html

参考链接：https://www.keycloak.org/docs/latest/server_admin/#assembly-exporting-importing_server_administration_guide