Question
When manually migrating the configuration of the Keycloak app after an app update, I get the response:
$ univention-keycloak upgrade-config
Nothing to do, already at domain config version 22.0.3-ucs2
but my Keycloak version is actually different:
$ udm appcenter/app list --filter univentionAppID=keycloak* --properties version
univentionAppID=keycloak*
DN: univentionAppID=keycloak_24.0.5-ucs2,cn=keycloak,cn=apps,cn=univention,dc=tierheim,dc=intranet
version: 24.0.5-ucs2
Why is there a difference between the domain config version and the app version ?
Answer
An update of the domain config version is only necessary if a domain-wide part of the Keycloak configuration needs to be changed, e.g. the connection and authentication settings or a change to the UCS realm. However, this is not always (with every app update) the case.
If the domain config version is changed during a Keycloak app update then the univention-keycloak upgrade-config command would perform the migration as expected. The domain config version will therefore only be congruent with the Keycloak version if a Keycloak app update has just taken place that has raised the domain config version, e.g. keycloak=28.0.1-ucs1 could bring a change that leads to domain_config_version: 28.0.1-ucs1. You can use the following command to display which version of the domain config was the initial one, as well as the current one:
univention-keycloak domain-config --get --json | grep domain