Merged
mjnagel reviewed Feb 3, 2026
joelmccoy reviewed Feb 3, 2026
Pull request overview
This PR adjusts Keycloak’s HA behavior and operator guidance to improve SSO availability, primarily via session stickiness configuration and more graceful shutdown handling.
Changes:
- Introduces `autoscaling.sessionStickiness.enabled` values and schema support, and gates the Istio `DestinationRule` for sticky sessions on both autoscaling and this flag, plus adds helm-unittest coverage.
- Adds Keycloak/Quarkus shutdown delay environment variables and a conditional Infinispan sticky-session configuration tied to autoscaling.
- Updates HA documentation for Keycloak's waypoint HPA, including a higher recommended `minReplicas` and a new availability-focused tip.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/keycloak/chart/values.yaml` | Adds `autoscaling.sessionStickiness.enabled` defaulting to `true` to control session stickiness behavior when autoscaling is enabled. |
| `src/keycloak/chart/values.schema.json` | Extends the autoscaling schema to include the new `sessionStickiness.enabled` boolean so values validation matches the new setting. |
| `src/keycloak/chart/tests/kc_session_stickiness_test.yaml` | Adds helm-unittest coverage ensuring the `DestinationRule` for sticky sessions is only rendered when autoscaling and session stickiness are both enabled, and validates the rendered resource fields. |
| `src/keycloak/chart/templates/statefulset.yaml` | Adds Quarkus shutdown delay env vars and wires autoscaling/sessionStickiness into Keycloak's Infinispan sticky-session encoder configuration. |
| `src/keycloak/chart/templates/destination-rule.yaml` | Changes the render condition for the sticky-session `DestinationRule` to require both `autoscaling.enabled` and `autoscaling.sessionStickiness.enabled`. |
| `docs/reference/configuration/resource-configuration-and-ha.md` | Updates the Keycloak waypoint HPA example to use `minReplicas: 2` and adds a tip explaining why 2 replicas are recommended for HA deployments. |
Comments suppressed due to low confidence (1)
docs/reference/configuration/resource-configuration-and-ha.md:233
- The documentation here still states that the waypoint HPA example "includes the default values", but `waypoint.horizontalPodAutoscaler.minReplicas` in `values.yaml` defaults to `1` while this example and the surrounding tip use `2`. Please either update the actual default in `values.yaml` to `2` or adjust the docs text to clarify that this is a recommended override (not the chart default) so users are not misled about the out-of-the-box configuration.
You can also configure autoscaling for the Keycloak [waypoint](https://istio.io/latest/docs/ambient/usage/waypoint/) (its Istio Layer7 proxy). The independent scalability of the waypoint proxy ensures that you never encounter a bottleneck due to service mesh integration. An HPA is enabled by default for the waypoint, with access to the configuration parameters via values. The below override example includes the default values which could be changed based on your needs:
```yaml
packages:
  - name: core
    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
    ref: x.x.x
    overrides:
      keycloak:
        keycloak:
          values:
            - path: waypoint.horizontalPodAutoscaler.minReplicas
              value: 2
            - path: waypoint.horizontalPodAutoscaler.maxReplicas
              value: 5
            - path: waypoint.horizontalPodAutoscaler.metrics
              value:
```
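The review summary above describes two properties a practitioner would want to confirm against the rendered chart rather than take on trust: the sticky-session DestinationRule must appear only when both `autoscaling.enabled` and `autoscaling.sessionStickiness.enabled` are true, and an HA deployment should not run the waypoint HPA at the chart default of `minReplicas: 1` (the point raised in the suppressed docs comment). The script below is an added example, not code from the uds-core repository or this PR. It assumes the `helm template` output has already been parsed into dicts (PyYAML's `safe_load_all` does this in practice), that the DestinationRule uses Istio's cookie-based `consistentHash` shape (the standard Istio way to pin sessions; the chart's actual field values are not shown on this page), and all manifests and resource names in it are constructed stand-ins.

```python
"""Post-render checks for the Keycloak chart's HA settings (added example).

Assumptions (not verified against the chart): manifests arrive as dicts,
the sticky-session DestinationRule uses a cookie-based consistentHash
load balancer, and the waypoint HPA name contains "waypoint".
"""
from __future__ import annotations

from typing import Any


def nested_get(obj: Any, dotted: str, default: Any = None) -> Any:
    """Walk a nested dict by dotted path ('a.b.c'); missing keys give default."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def sticky_sessions_expected(values: dict) -> bool:
    """Mirror the template gate: both flags must be true to render the rule.
    sessionStickiness.enabled defaults to true per the chart values."""
    return bool(nested_get(values, "autoscaling.enabled", False)) and bool(
        nested_get(values, "autoscaling.sessionStickiness.enabled", True)
    )


def check_destination_rule(values: dict, docs: list[dict]) -> list[str]:
    """Rule must render iff expected, and must carry a usable hash key."""
    problems: list[str] = []
    rules = [d for d in docs if d.get("kind") == "DestinationRule"]
    if sticky_sessions_expected(values):
        if not rules:
            problems.append("stickiness enabled but no DestinationRule rendered")
        for dr in rules:
            name = nested_get(dr, "metadata.name", "<unnamed>")
            ch = nested_get(dr, "spec.trafficPolicy.loadBalancer.consistentHash")
            if not isinstance(ch, dict):
                problems.append(f"{name}: no consistentHash load balancer")
            elif not (ch.get("httpCookie") or ch.get("httpHeaderName") or ch.get("useSourceIp")):
                problems.append(f"{name}: consistentHash has no hash key")
    elif rules:
        problems.append("DestinationRule rendered although stickiness is disabled")
    return problems


def check_waypoint_hpa(docs: list[dict], ha: bool, minimum: int = 2) -> list[str]:
    """For HA deployments, the waypoint HPA must keep at least `minimum` replicas."""
    problems: list[str] = []
    hpas = [
        d for d in docs
        if d.get("kind") == "HorizontalPodAutoscaler"
        and "waypoint" in nested_get(d, "metadata.name", "")
    ]
    if ha and not hpas:
        problems.append("no waypoint HPA rendered")
    for hpa in hpas:
        min_r = nested_get(hpa, "spec.minReplicas", 1)  # k8s default when unset
        if ha and min_r < minimum:
            problems.append(
                f"{hpa['metadata']['name']}: minReplicas={min_r} < {minimum} for an HA deployment"
            )
    return problems


# Constructed stand-ins for `helm template` output; names and hosts are illustrative.
HA_VALUES = {"autoscaling": {"enabled": True, "sessionStickiness": {"enabled": True}}}
HA_DOCS = [
    {"apiVersion": "networking.istio.io/v1", "kind": "DestinationRule",
     "metadata": {"name": "keycloak-sticky-sessions"},
     "spec": {"host": "keycloak-http.keycloak.svc.cluster.local",
              "trafficPolicy": {"loadBalancer": {"consistentHash": {
                  "httpCookie": {"name": "KC_STICKY", "ttl": "0s"}}}}}},
    {"apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
     "metadata": {"name": "keycloak-waypoint"},
     "spec": {"minReplicas": 2, "maxReplicas": 5}},
]
NO_STICKY_VALUES = {"autoscaling": {"enabled": True, "sessionStickiness": {"enabled": False}}}
NO_STICKY_DOCS = [HA_DOCS[1]]
DEFAULT_HPA_DOCS = [dict(HA_DOCS[1], spec={"minReplicas": 1, "maxReplicas": 5})]


def run_all() -> dict[str, list[str]]:
    """Run every scenario; an empty list means the rendered output passed."""
    return {
        "ha": check_destination_rule(HA_VALUES, HA_DOCS) + check_waypoint_hpa(HA_DOCS, ha=True),
        "no_sticky": check_destination_rule(NO_STICKY_VALUES, NO_STICKY_DOCS),
        "default_hpa": check_waypoint_hpa(DEFAULT_HPA_DOCS, ha=True),
        "wrong_render": check_destination_rule(NO_STICKY_VALUES, HA_DOCS),
    }


if __name__ == "__main__":
    for scenario, probs in run_all().items():
        print(scenario, "OK" if not probs else probs)
```

In practice, feed `check_destination_rule` and `check_waypoint_hpa` the documents from `helm template` (or `uds zarf` package output) and the same values file you deploy with; the `default_hpa` scenario reproduces the mismatch flagged in the suppressed comment, where a user who copies the chart defaults instead of the documented override ends up with a single waypoint replica.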
mjnagel reviewed Feb 4, 2026
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
mjnagel approved these changes Feb 5, 2026
joelmccoy approved these changes Feb 5, 2026
chance-coleman added a commit that referenced this pull request Feb 10, 2026
🤖 I have created a release *beep* *boop*

---

## [0.61.0](v0.60.0...v0.61.0) (2026-02-10)

### Features

* add blackbox exporter to uds-core as optional component ([#2314](#2314)) ([2f08ee5](2f08ee5))
* automount uds trust bundle to all applications ([#2337](#2337)) ([ce66203](ce66203))
* cluster-less crd pipeline ([#2316](#2316)) ([5128ffb](5128ffb))
* improve Keycloak availability ([#2334](#2334)) ([a306465](a306465))

### Bug Fixes

* cleanup zarf --no-progress deprecation ([#2352](#2352)) ([78d3b15](78d3b15))
* ensure ambient mode is the default in all operator code ([#2326](#2326)) ([bda5384](bda5384))
* multiarch script output ([#2338](#2338)) ([457d9b3](457d9b3))
* validate authservice callback uri + redirect uri ([#2349](#2349)) ([0ae9121](0ae9121))

### Miscellaneous

* bump eks/aks k8s to 1.34 ([#2339](#2339)) ([4145337](4145337))
* crd versioning adr ([#2308](#2308)) ([f1e5a86](f1e5a86))
* **deps:** bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 ([#2336](#2336)) ([5db96c7](5db96c7))
* **deps:** bump lodash from 4.17.21 to 4.17.23 ([#2319](#2319)) ([ad29405](ad29405))
* **deps:** update grafana ([#2257](#2257)) ([74ad882](74ad882))
* **deps:** update keycloak to v26.5.2 ([#2297](#2297)) ([e393a3d](e393a3d))
* **deps:** update loki ([#2265](#2265)) ([e12859b](e12859b))
* **deps:** update metrics-server to v0.8.1 ([#2324](#2324)) ([a48c45a](a48c45a))
* **deps:** update pepr to v1.0.8 ([#2320](#2320)) ([b4b1b48](b4b1b48))
* **deps:** update vector ([#2315](#2315)) ([872f083](872f083))
* remove deprecated devDep for root-ca script ([#2342](#2342)) ([616fbdb](616fbdb))
* update uds package icon to new doug logo ([#2353](#2353)) ([77150aa](77150aa))

### Documentation

* add clarity on label placement for reload ([#2330](#2330)) ([1a2515f](1a2515f))
* fix broken link and adjust markdown annotation ([#2331](#2331)) ([5d542a3](5d542a3))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chance Coleman <139784371+chance-coleman@users.noreply.github.com>
Description
This Pull Request introduces a set of changes that aim to improve the availability of the SSO service within the UDS Registry.
Related Issue
Relates to #2289
Type of change
Steps to Validate
Checklist before merging