chore(deps): update all non-major keycloak (#548)

* chore(deps): update all non-major keycloak

| datasource | package                                   | from                | to                  |
| ---------- | ----------------------------------------- | ------------------- | ------------------- |
| docker     | quay.io/keycloak/keycloak                 | 26.5.7              | 26.6.0              |
| docker     | registry.camunda.cloud/vendor-ee/keycloak | 26.5.7-debian-12-r0 | 26.6.0-debian-12-r0 |

* fix: improve retries

* try with bash

* fix

* fix: escape $port in healthcheck and fix compose v2 detection

- docker-compose.quay.yml: escape $port as $$port to prevent docker
  compose from interpolating the bash variable as an empty env var
- docker-compose.yml: try health endpoint on port 9000 first (KC 25+)
  then fall back to 8080 for older versions
- healthy.sh: use 'command -v' to check for docker-compose before
  calling it, avoiding 'command not found' errors on ubuntu-24.04

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leo <[email protected]>

Author: renovate[bot]

.github/actions/compose/healthy.sh

@@ -1,18 +1,19 @@
 #!/bin/bash
 
-# docker compose --> v2 (GA)
-# docker-compose --> v1 (missing some newer flags)
-# Edge case; Self-hosted runners don't support "docker compose" yet even though on v2
-VERSION=$(docker-compose version --short)
-
-if [[ "$VERSION" =~ ^1\.[0-9]+\.[0-9]+ || -z "${VERSION}" ]]; then
-    # if docker-compose is v1, we're setting it to docker compose, which should be v2
-    echo "Deteceted v1, setting to v2"
-    DOCKER_COMMAND="docker compose -f ${FILE} ${COMPOSE_FLAGS}"
+# docker compose --> v2 (GA, plugin)
+# docker-compose --> v1/v2 (standalone binary, may not be installed)
+if command -v docker-compose &>/dev/null; then
+    VERSION=$(docker-compose version --short 2>/dev/null)
+    if [[ "$VERSION" =~ ^1\.[0-9]+\.[0-9]+ ]]; then
+        echo "Detected docker-compose v1, using docker compose (v2 plugin)"
+        DOCKER_COMMAND="docker compose -f ${FILE} ${COMPOSE_FLAGS}"
+    else
+        echo "Detected docker-compose v2"
+        DOCKER_COMMAND="docker-compose -f ${FILE} ${COMPOSE_FLAGS}"
+    fi
 else
-    # e.g. locally or on self-hosted runners docker-compose can be v2
-    echo "Detected v2"
-    DOCKER_COMMAND="docker-compose -f ${FILE} ${COMPOSE_FLAGS}"
+    echo "docker-compose not found, using docker compose (v2 plugin)"
+    DOCKER_COMMAND="docker compose -f ${FILE} ${COMPOSE_FLAGS}"
 fi
 
 eval $DOCKER_COMMAND ps

.github/scripts/integration/main.py

@@ -1,14 +1,34 @@
+import time
 from keycloak import KeycloakAdmin
 from keycloak import KeycloakOpenIDConnection
+from keycloak.exceptions import KeycloakPostError
+
+max_retries = 30
+retry_delay = 5
 
 print("Connecting to KeyCloak")
-keycloak_connection = KeycloakOpenIDConnection(
-                        server_url="http://localhost:8080/",
-                        username='admin',
-                        password='admin',
-                        realm_name="master")
+for attempt in range(1, max_retries + 1):
+    try:
+        keycloak_connection = KeycloakOpenIDConnection(
+                                server_url="http://localhost:8080/",
+                                username='admin',
+                                password='admin',
+                                realm_name="master")
 
-keycloak_admin = KeycloakAdmin(connection=keycloak_connection)
+        keycloak_admin = KeycloakAdmin(connection=keycloak_connection)
+        break
+    except KeycloakPostError as e:
+        if "503" in str(e) and attempt < max_retries:
+            print(f"Keycloak bootstrap in progress (attempt {attempt}/{max_retries}), retrying in {retry_delay}s...")
+            time.sleep(retry_delay)
+        else:
+            raise
+    except Exception as e:
+        if attempt < max_retries:
+            print(f"Connection failed (attempt {attempt}/{max_retries}): {e}, retrying in {retry_delay}s...")
+            time.sleep(retry_delay)
+        else:
+            raise
 
 print("Checking that only 1 user exists")
 count_users = keycloak_admin.users_count()

docker-compose.quay.yml

@@ -54,10 +54,22 @@ services:
             AWS_WEB_IDENTITY_TOKEN_FILE: ${AWS_WEB_IDENTITY_TOKEN_FILE:-}
 
         healthcheck:
-            test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/8080' || exit 1
+            test:
+                - CMD
+                - bash
+                - -c
+                - >
+                  for port in 9000 8080; do
+                    if exec 3<>/dev/tcp/127.0.0.1/$$port 2>/dev/null; then
+                      echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3;
+                      timeout 5 cat <&3 | grep -q '200 OK' && exit 0;
+                    fi;
+                  done;
+                  exit 1
             interval: 15s
-            timeout: 5s
-            retries: 5
+            timeout: 15s
+            retries: 15
+            start_period: 30s
         ports:
             - 8080:8080
             - 9000:9000

docker-compose.yml

@@ -57,10 +57,13 @@ services:
             AWS_WEB_IDENTITY_TOKEN_FILE: ${AWS_WEB_IDENTITY_TOKEN_FILE:-}
 
         healthcheck:
-            test: timeout 10s bash -c ':> /dev/tcp/127.0.0.1/8080' || exit 1
+            test:
+                - CMD-SHELL
+                - curl -fsS http://127.0.0.1:9000/health/ready > /dev/null 2>&1 || curl -fsS http://127.0.0.1:8080/health/ready > /dev/null 2>&1
             interval: 15s
-            timeout: 5s
-            retries: 5
+            timeout: 15s
+            retries: 15
+            start_period: 30s
         ports:
             - 8080:8080
         depends_on:

keycloak-26/bases.yml

@@ -16,7 +16,7 @@ sources:
         # skopeo --override-os linux inspect docker://registry.camunda.cloud/vendor-ee/keycloak:<tag> --raw | jq '.Digest'
         image:
             repository: registry.camunda.cloud/vendor-ee/keycloak
-            tag: 26.5.7-debian-12-r0@sha256:350c7c7ee4ef8cafa5cd0b973d15237f62ed4193ee4ec9c3570265583c5f67fa
+            tag: 26.6.0-debian-12-r0@sha256:eb5b4fe7b1ae306322c75e4a72229bb8067f8b1cb48454225af27fc2a684fe60
 
     quay:
         # List of all available images with associated sha:
@@ -25,4 +25,4 @@ sources:
         # skopeo --override-os linux inspect docker://quay.io/keycloak/keycloak:<tag> --raw | jq '.Digest'
         image:
             repository: quay.io/keycloak/keycloak
-            tag: 26.5.7@sha256:45ae20191531eb608ddb0b775d012b40d3e4f942697f3214694887dd7c108d13
+            tag: 26.6.0@sha256:b0e5dbced1775de4d629f103c0a9cfc057decc62ce8d3cb1c54f8849a6c6eb62