What is The Best Strategy to Upgrade My Keycloak Cluster?

Coming from a Site Reliability Engineering (SRE) background, I often hear questions about the best way to upgrade an application in production. In this blog post, we’ll explore multiple strategies tailored to different scenarios on how you cloud upgrade your Keycloak instance/clusters. We won’t delve into details, but each option will be discussed in subsequent posts.

Before any upgrade, back up your database and existing Keycloak deployment. You can also look into exporting your configuration.

Strategy 1: Small to Medium-Sized Clusters

For smaller clusters, typically serving startups or small businesses:

  1. Test Environment: Test the new Keycloak version in a staging environment that mirrors your production setup.
  2. Blue-Green Deployment: Use a blue-green deployment strategy. Set up the new Keycloak version alongside the old one (green is active, blue is new). Once the new version (blue) is tested and ready, switch the traffic from green to blue.

Strategy 2: Large Clusters

For larger clusters, typically serving enterprises or large organizations:

  1. Canary Release: Gradually roll out the new Keycloak version to a small subset of users before a full-scale rollout. Monitor performance and issues closely. This may not be possible, but it is still an upgrade strategy. We will test it out in another blog post.
  2. Automated Rolling Updates: Use Kubernetes or another orchestration tool to automate the rolling update, ensuring minimal downtime. This approach updates instances one at a time while keeping the service available.

Strategy 3: Highly Sensitive or High-Security Clusters

For clusters used in highly sensitive environments, such as financial services or government:

  1. Parallel Deployment: Deploy the new Keycloak version in parallel with the old one, with separate databases. Gradually migrate users to the new version after extensive testing.
  2. Security Audit and Penetration Testing: Before full deployment, conduct a thorough security audit and penetration testing of the new version to ensure no vulnerabilities are introduced.
  3. User Training and Communication: Inform your users about the upgrade and any changes in the authentication process. Offer training if the upgrade includes significant changes to user interaction.

Metrics for a Successful Upgrade

To ensure a successful Keycloak upgrade, it’s essential to monitor specific metrics both during and after the process. Here are some key metrics to keep an eye on:

  1. Response Times: Monitor the response times of authentication requests. A significant increase might indicate issues with the new version.
  2. Error Rates: Keep track of error rates in the authentication process. An uptick in errors can signal problems that need immediate attention.
  3. Resource Utilization: Check the CPU, memory, and disk usage of your Keycloak servers before and after the upgrade. Spikes in resource utilization could point to inefficiencies or leaks in the new version.
  4. User Login Success Rates: Track the rate of successful user logins. Decreases in successful logins could indicate issues with user data migration or system integration.
  5. Service Availability: Ensure that the Keycloak service remains highly available during the upgrade. Downtime should be minimal and within the planned maintenance window.

Keep in mind that while Keycloak might not provide all metrics directly, you can still monitor them through your own tools by analyzing logs or setting up specific listeners. For metrics that are available, refer to the Keycloak documentation at: Keycloak Metrics Documentation.

What to Do in Case of Failure

Even with thorough planning, upgrades can encounter issues. Here’s what to do in case of a failure:

  1. Rollback: If you’ve followed the blue-green deployment or canary release strategies, you can quickly rollback to the previous stable version of Keycloak.
  2. Analyze Logs: Check Keycloak and application logs to identify the root cause of the failure. Look for errors that started occurring right after the upgrade.
  3. Engage the Community or Support: If you’re unable to resolve the issue, seek help from the Keycloak community or your support provider. Be prepared to provide detailed logs and descriptions of the problem.
  4. Document the Issue: Once resolved, document the issue, the steps taken to diagnose it, and the solution. This can be invaluable for future upgrades or for others in the community.
  5. Postmortem Analysis: Conduct a postmortem analysis to understand what went wrong and how it can be prevented in future upgrades. Share the findings with your team and incorporate the lessons learned into your upgrade process.

By preparing for these scenarios and knowing what metrics to monitor, you can ensure a smoother Keycloak upgrade process and quickly address any issues that arise.

General Tips for All Clusters:

  • Version Compatibility: Always check plugin and dependencies compatibility with the new Keycloak version.
  • Custom Code: Review and test any custom code or scripts used in your Keycloak deployment.
  • Documentation: Keep detailed documentation of your Keycloak configuration and any changes made during the upgrade.
  • Support Plan: Have a support plan in place, knowing who to contact and what steps to follow if there’s an issue during or after the upgrade.

Additionally, if you’re interested in exploring version upgrades, you can personally test them out using Skycloak.


Upgrading your Keycloak cluster doesn’t have a one-size-fits-all solution. The best strategy depends on your cluster’s size, user base, and security needs. Regardless of the approach, always prioritize data backups, thorough testing, and clear communication with your users.

Leave a Comment