Merge "Add OVN metadata MTU patch" into main
diff --git a/doc/requirements.txt b/doc/requirements.txt
index a2a321f..07d4540 100644
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -5,3 +5,4 @@
sphinx
sphinx-autobuild
sphinx-copybutton
+sphinxcontrib-mermaid
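Review bot: `sphinxcontrib-mermaid` is added with no version pin, yet the new `auth.rst` uses the `:config:` directive option, which only exists in recent releases of the extension; an older resolved version will break the docs build, so pin a minimum version here the way the rest of the build pins its inputs. Separately, the merge subject "Add OVN metadata MTU patch" does not describe anything in this diff (Keycloak token-exchange docs and the uv migration); the subject should match the change so the history stays searchable.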
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 239e656..82c0c07 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -20,9 +20,10 @@
# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
extensions = [
- "sphinx_copybutton",
"pbr.sphinxext",
"reno.sphinxext",
+ "sphinx_copybutton",
+ "sphinxcontrib.mermaid",
]
templates_path = ["_templates"]
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 9703ada..de86dca 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -28,6 +28,7 @@
config/index
deploy/index
admin/index
+ user/index
release-notes
diff --git a/doc/source/user/auth.rst b/doc/source/user/auth.rst
new file mode 100644
index 0000000..3afd6fd
--- /dev/null
+++ b/doc/source/user/auth.rst
@@ -0,0 +1,223 @@
+##############
+Authentication
+##############
+
+*******************************************
+Using external token from identity provider
+*******************************************
+
+Since OpenStack is configured to trust Keycloak as an identity provider, you will
+need to generate a token from Keycloak and use it to authenticate with the OpenStack
+API.
+
+If you are using Keycloak with an OpenID Connect (OIDC) identity provider, you
+may want to exchange a token generated from your identity provider for a token
+from Keycloak, which can then be used to authenticate with the OpenStack API.
+
+.. mermaid::
+ :align: center
+ :config: {"theme": "dark"}
+
+ sequenceDiagram
+ participant Client
+ participant OIDC Provider
+ participant Keycloak
+ participant Keystone
+ participant OpenStack
+
+ Client->>OIDC Provider: Request Token (Client Credentials)
+ OIDC Provider-->>Client: Returns OIDC Token
+
+ Client->>Keycloak: Exchange OIDC Token
+ Keycloak-->>Client: Returns Keycloak OIDC Token
+
+ Client->>Keystone: Authenticate with Keycloak Token
+ Keystone-->>Client: Returns Keystone Token
+
+ Client->>OpenStack: Use Keystone Token
+ OpenStack-->>Client: OpenStack API Access Granted
+
+In order to get started with this process, you'll need a OpenID connect token
+issued by an identity provider which exists in the Keycloak realm.
+
+1. **Exchange the OpenID connect (OIDC) Token with Keycloak**
+
+ Use the *OpenID connect token* from your identity provider and exchange it for
+ a *Keycloak-issued token*. The following ``curl`` command is provided as an
+ example but you can use any tool that can make HTTP requests.
+
+ You will need to replace the following placeholders in the example code:
+
+ - ``<KEYCLOAK_URL>``: The URL of your Keycloak instance.
+ - ``<KEYCLOAK_CLIENT_ID>``: The client ID of the Keycloak client.
+ - ``<KEYCLOAK_CLIENT_SECRET>``: The client secret of the Keycloak client.
+
+ .. code-block:: sh
+
+ curl -X POST "https://<KEYCLOAK_URL>/realms/atmosphere/protocol/openid-connect/token" \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
+ -d "client_id=<KEYCLOAK_CLIENT_ID>" \
+ -d "client_secret=<KEYCLOAK_CLIENT_SECRET>" \
+ -d "subject_token=<OIDC_TOKEN>" \
+ -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token"
+
+ The response will return a token that is issued by Keycloak which you can use
+ to authenticate with the OpenStack API.
+
+ .. code-block:: json
+
+ {
+ "access_token" : ".....",
+ "refresh_token" : ".....",
+ "expires_in" : "...."
+ }
+
+
+2. **Authenticate with Keystone Using the Keycloak Token**
+
+ With the token issued by Keycloak, you can now authenticate with Keystone in order
+ to obtain a fernet token which can be used to talk to all of the OpenStack APIs.
+
+ You will need to replace the following placeholders in the example code:
+
+ - ``<OPENSTACK_AUTH_URL>``: The URL of your Keystone authentication endpoint.
+ - ``<KEYCLOAK_OIDC_TOKEN>``: The token issued by Keycloak.
+
+ .. code-block:: sh
+
+ curl "<OPENSTACK_AUTH_URL>/v3/OS-FEDERATION/identity_providers/atmosphere/protocols/openid/auth" \
+ -H "Authorization: Bearer <KEYCLOAK_OIDC_TOKEN>"
+
+ This response will return an unscoped Keystone token (not tied to any project) which
+ will be in the ``X-Subject-Token`` header.
+
+ .. code-block:: http
+
+ HTTP/1.1 201 Created
+ X-Subject-Token: <UNSCOPED_KEYSTONE_TOKEN>
+
+3. **List projects using the Keystone Token** (optional, if you already know the project ID)
+
+ At this point, you have an unscoped token issued by Keystone which is not bound
+ to any project. You will need to exchange that token for a project-scoped token
+ in order to be able to interact with the OpenStack APIs.
+
+ You can choose to list what projects you have access to using the Keystone token
+ that you have obtained.
+
+ You will need to replace the following placeholders in the example code:
+
+ - ``<OPENSTACK_AUTH_URL>``: The URL of your Keystone authentication endpoint.
+ - ``<UNSCOPED_KEYSTONE_TOKEN>``: The token issued by Keystone.
+
+ .. code-block:: sh
+
+ curl "<OPENSTACK_AUTH_URL>/v3/projects" \
+ -H "X-Auth-Token: <UNSCOPED_KEYSTONE_TOKEN>"
+
+ This response will return a list of projects that you have access to.
+
+ .. code-block:: json
+
+ {
+ "projects": [
+ {
+ "id": "....",
+ "name": "....",
+ "description": "...."
+ }
+ ]
+ }
+
+4. **Exchange the unscoped token for a project-scoped token**
+
+ Once you have identified the project that you want to interact with, you can
+ exchange the unscoped token for a project-scoped token.
+
+ You will need to replace the following placeholders in the example code:
+
+ - ``<OPENSTACK_AUTH_URL>``: The URL of your Keystone authentication endpoint.
+ - ``<UNSCOPED_KEYSTONE_TOKEN>``: The token issued by Keystone.
+ - ``<PROJECT_ID>``: The ID of the project that you want to interact with.
+
+ .. code-block:: sh
+
+ curl "<OPENSTACK_AUTH_URL>/v3/auth/projects" \
+ -H "Content-Type: application/json" \
+ -H "X-Auth-Token: <UNSCOPED_KEYSTONE_TOKEN>" \
+ -d '{
+ "auth": {
+ "identity": {
+ "methods": ["token"],
+ "token": {
+ "id": "<UNSCOPED_KEYSTONE_TOKEN>"
+ }
+ },
+ "scope": {
+ "project": {
+ "id": "<PROJECT_ID>"
+ }
+ }
+ }
+ }'
+
+ This response will return a project-scoped token which you can use to interact
+ with the OpenStack APIs which will be in the ``X-Subject-Token`` header.
+
+ .. code-block:: http
+
+ HTTP/1.1 201 Created
+ X-Subject-Token: <SCOPED_KEYSTONE_TOKEN>
+
+ OpenStack Keystone will provide the token details in the response body, including
+ the full catalog of services that you have access to.
+
+ .. code-block:: json
+
+ {
+ "token": {
+ "methods": [
+ "token"
+ ],
+ "expires_at": "....",
+ "issued_at": "....",
+ "user": {
+ "domain": {
+ "id": "....",
+ "name": "...."
+ },
+ "id": "....",
+ "name": "...."
+ },
+ "audit_ids": [
+ "...."
+ ],
+ "catalog": [
+ {
+ "endpoints": [
+ {
+ "id": "....",
+ "interface": "....",
+ "region": "....",
+ "url": "...."
+ }
+ ],
+ "id": "....",
+ "name": "....",
+ "type": "...."
+ }
+ ],
+ "project": {
+ "domain": {
+ "id": "....",
+ "name": "...."
+ },
+ "id": "....",
+ "name": "...."
+ }
+ }
+ }
+
+ You can then use the project-scoped token to interact with the OpenStack APIs,
+ such as creating a server, listing servers, etc.
diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
new file mode 100644
index 0000000..9ed7b12
--- /dev/null
+++ b/doc/source/user/index.rst
@@ -0,0 +1,8 @@
+##########
+User Guide
+##########
+
+.. toctree::
+ :maxdepth: 2
+
+ auth
diff --git a/images/barbican/Dockerfile b/images/barbican/Dockerfile
index 8f0dfcb..1ccb14f 100644
--- a/images/barbican/Dockerfile
+++ b/images/barbican/Dockerfile
@@ -6,8 +6,8 @@
ARG BARBICAN_GIT_REF=b5841df387e5ab38caf173950a1d98ab37a51453
ADD --keep-git-dir=true https://opendev.org/openstack/barbican.git#${BARBICAN_GIT_REF} /src/barbican
RUN git -C /src/barbican fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/barbican \
pykmip
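Review bot: `uv pip install` has no explicit target environment here. Unlike the replaced `pip3`, uv resolves the install target from `VIRTUAL_ENV` or a `.venv` in the working directory and otherwise refuses to install, so this only works if the base image exports `VIRTUAL_ENV=/var/lib/openstack`, which is not visible in this diff. Either confirm that or pass `--python /var/lib/openstack/bin/python`; the same applies to every image hunk below that makes the identical change.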
diff --git a/images/cinder/Dockerfile b/images/cinder/Dockerfile
index 6c384ff..274323a 100644
--- a/images/cinder/Dockerfile
+++ b/images/cinder/Dockerfile
@@ -8,8 +8,8 @@
RUN git -C /src/cinder fetch --unshallow
COPY patches/cinder /patches/cinder
RUN git -C /src/cinder apply --verbose /patches/cinder/*
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/cinder \
purestorage \
diff --git a/images/designate/Dockerfile b/images/designate/Dockerfile
index 72bf3d2..edd6b97 100644
--- a/images/designate/Dockerfile
+++ b/images/designate/Dockerfile
@@ -8,8 +8,8 @@
RUN git -C /src/designate fetch --unshallow
COPY patches/designate /patches/designate
RUN git -C /src/designate apply --verbose /patches/designate/*
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/designate
EOF
diff --git a/images/glance/Dockerfile b/images/glance/Dockerfile
index 1d2ad18..440f3bd 100644
--- a/images/glance/Dockerfile
+++ b/images/glance/Dockerfile
@@ -8,8 +8,8 @@
RUN git -C /src/glance fetch --unshallow
ADD --keep-git-dir=true https://opendev.org/openstack/glance_store.git#stable/2024.2 /src/glance_store
RUN git -C /src/glance_store fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/glance \
/src/glance_store[cinder] \
diff --git a/images/heat/Dockerfile b/images/heat/Dockerfile
index 72493d7..a2c6ccb 100644
--- a/images/heat/Dockerfile
+++ b/images/heat/Dockerfile
@@ -6,8 +6,8 @@
ARG HEAT_GIT_REF=64bdbb9bc66c38760989dd7bb2574ccc14069872
ADD --keep-git-dir=true https://opendev.org/openstack/heat.git#${HEAT_GIT_REF} /src/heat
RUN git -C /src/heat fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/heat
EOF
diff --git a/images/horizon/Dockerfile b/images/horizon/Dockerfile
index 62cb2b3..1d0ff5b 100644
--- a/images/horizon/Dockerfile
+++ b/images/horizon/Dockerfile
@@ -25,8 +25,8 @@
RUN git -C /src/horizon apply --verbose /patches/horizon/*
COPY patches/magnum-ui /patches/magnum-ui
RUN git -C /src/magnum-ui apply --verbose /patches/magnum-ui/*
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/designate-dashboard \
/src/heat-dashboard \
diff --git a/images/ironic/Dockerfile b/images/ironic/Dockerfile
index 5f81ed0..2047e27 100644
--- a/images/ironic/Dockerfile
+++ b/images/ironic/Dockerfile
@@ -6,8 +6,8 @@
ARG IRONIC_GIT_REF=5aa51d6985d25acd6abfb161c62c66facc20a6ca
ADD --keep-git-dir=true https://opendev.org/openstack/ironic.git#${IRONIC_GIT_REF} /src/ironic
RUN git -C /src/ironic fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/ironic \
python-dracclient \
diff --git a/images/keystone/Dockerfile b/images/keystone/Dockerfile
index 084869f..abb2d99 100644
--- a/images/keystone/Dockerfile
+++ b/images/keystone/Dockerfile
@@ -6,8 +6,8 @@
ARG KEYSTONE_GIT_REF=47891f4ae8fd7876e5a7657f58c32c371feeddc3
ADD --keep-git-dir=true https://opendev.org/openstack/keystone.git#${KEYSTONE_GIT_REF} /src/keystone
RUN git -C /src/keystone fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/keystone[ldap] \
keystone-keycloak-backend==0.2.0
diff --git a/images/magnum/Dockerfile b/images/magnum/Dockerfile
index c2cb92c..724e7b8 100644
--- a/images/magnum/Dockerfile
+++ b/images/magnum/Dockerfile
@@ -14,8 +14,8 @@
ARG MAGNUM_GIT_REF=db197e08a09da93062fc4222180051dadfc0f0d8
ADD --keep-git-dir=true https://opendev.org/openstack/magnum.git#${MAGNUM_GIT_REF} /src/magnum
RUN git -C /src/magnum fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/magnum \
magnum-cluster-api==0.24.2
diff --git a/images/manila/Dockerfile b/images/manila/Dockerfile
index 52ac86e..9a11c8f 100644
--- a/images/manila/Dockerfile
+++ b/images/manila/Dockerfile
@@ -6,8 +6,8 @@
ARG MANILA_GIT_REF=09f3ab0a229362c00bb55f704cfeae43bccd3c8d
ADD --keep-git-dir=true https://opendev.org/openstack/manila.git#${MANILA_GIT_REF} /src/manila
RUN git -C /src/manila fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/manila
EOF
diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
index 6f6ad73..8745625 100644
--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@@ -20,8 +20,8 @@
ARG LOG_PASER_GIT_REF=9bc923c1294864ec709c538ba5c309065ef710d5
ADD --keep-git-dir=true https://github.com/vexxhost/neutron-ovn-network-logging-parser.git#${LOG_PASER_GIT_REF} /src/neutron-ovn-network-logging-parser
RUN git -C /src/neutron-ovn-network-logging-parser fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/neutron \
/src/neutron-vpnaas \
diff --git a/images/nova/Dockerfile b/images/nova/Dockerfile
index 497d9f2..f96dcdf 100644
--- a/images/nova/Dockerfile
+++ b/images/nova/Dockerfile
@@ -9,8 +9,8 @@
ARG SCHEDULER_FILTERS_GIT_REF=77ed1c2ca70f4166a6d0995c7d3d90822f0ca6c0
ADD --keep-git-dir=true https://github.com/vexxhost/nova-scheduler-filters.git#${SCHEDULER_FILTERS_GIT_REF} /src/nova-scheduler-filters
RUN git -C /src/nova-scheduler-filters fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/nova \
/src/nova-scheduler-filters \
diff --git a/images/octavia/Dockerfile b/images/octavia/Dockerfile
index ef9a147..9160156 100644
--- a/images/octavia/Dockerfile
+++ b/images/octavia/Dockerfile
@@ -8,8 +8,8 @@
RUN git -C /src/octavia fetch --unshallow
ADD --keep-git-dir=true https://opendev.org/openstack/ovn-octavia-provider.git#stable/2024.2 /src/ovn-octavia-provider
RUN git -C /src/ovn-octavia-provider fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/octavia \
/src/ovn-octavia-provider
diff --git a/images/openstack-venv-builder/Dockerfile b/images/openstack-venv-builder/Dockerfile
index 70bab69..54a100d 100644
--- a/images/openstack-venv-builder/Dockerfile
+++ b/images/openstack-venv-builder/Dockerfile
@@ -24,18 +24,19 @@
lsb-release \
openssh-client \
python3 \
- python3-dev \
- python3-pip \
- python3-venv
+ python3-dev
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF
-RUN python3 -m venv --upgrade-deps --system-site-packages /var/lib/openstack
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
COPY --from=requirements --link /upper-constraints.txt /upper-constraints.txt
-RUN pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv venv --system-site-packages /var/lib/openstack
+uv pip install \
--constraint /upper-constraints.txt \
cryptography \
pymysql \
python-binary-memcached \
python-memcached \
uwsgi
+EOF
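Review bot: `COPY --from=ghcr.io/astral-sh/uv:latest` pulls a floating tag, so the build is no longer reproducible and any breaking or compromised uv release lands in every image on the next rebuild; pin a version tag (and ideally the image digest with `@sha256:...`) and bump it deliberately, as the `*_GIT_REF` arguments already do for the source trees. Also, `python3-pip` and `python3-venv` are dropped and `uv venv` creates the environment without pip, so any remaining `pip`/`python -m pip` invocation in derived images or runtime hooks will now fail; grep for callers, or add `--seed` to `uv venv` if pip is still expected inside `/var/lib/openstack`. Finally, the venv is created and populated in the same `RUN` without anything exporting `VIRTUAL_ENV`, so confirm uv actually targets `/var/lib/openstack` rather than erroring out.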
diff --git a/images/placement/Dockerfile b/images/placement/Dockerfile
index 1ce55c8..b2529f2 100644
--- a/images/placement/Dockerfile
+++ b/images/placement/Dockerfile
@@ -6,8 +6,8 @@
ARG PLACEMENT_GIT_REF=828b2559a1b3c0b59c543e851c6ea3efb1baae20
ADD --keep-git-dir=true https://opendev.org/openstack/placement.git#${PLACEMENT_GIT_REF} /src/placement
RUN git -C /src/placement fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/placement
EOF
diff --git a/images/python-openstackclient/Dockerfile b/images/python-openstackclient/Dockerfile
index abafa29..b940b3b 100644
--- a/images/python-openstackclient/Dockerfile
+++ b/images/python-openstackclient/Dockerfile
@@ -3,8 +3,8 @@
# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z
FROM openstack-venv-builder AS build
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
osc-placement \
python-barbicanclient \
diff --git a/images/staffeln/Dockerfile b/images/staffeln/Dockerfile
index 0f63af1..991ea96 100644
--- a/images/staffeln/Dockerfile
+++ b/images/staffeln/Dockerfile
@@ -6,8 +6,8 @@
ARG STAFFELN_GIT_REF=v2.2.3
ADD --keep-git-dir=true https://github.com/vexxhost/staffeln.git#${STAFFELN_GIT_REF} /src/staffeln
RUN git -C /src/staffeln fetch --unshallow
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/staffeln
EOF
diff --git a/images/tempest/Dockerfile b/images/tempest/Dockerfile
index 4edec8e..dc558d9 100644
--- a/images/tempest/Dockerfile
+++ b/images/tempest/Dockerfile
@@ -26,8 +26,8 @@
ADD --keep-git-dir=true https://opendev.org/openstack/octavia-tempest-plugin.git#master /src/octavia-tempest-plugin
RUN git -C /src/octavia-tempest-plugin fetch --unshallow
ADD https://releases.openstack.org/constraints/upper/master /upper-constraints.txt
-RUN --mount=type=cache,mode=0755,target=/root/.cache/pip,sharing=private <<EOF bash -xe
-pip3 install \
+RUN --mount=type=cache,target=/root/.cache/uv <<EOF bash -xe
+uv pip install \
--constraint /upper-constraints.txt \
/src/tempest \
/src/barbican-tempest-plugin \
diff --git a/releasenotes/notes/add-keycloak-token-exchange-283b38032dda9baf.yaml b/releasenotes/notes/add-keycloak-token-exchange-283b38032dda9baf.yaml
new file mode 100644
index 0000000..f3d7c4a
--- /dev/null
+++ b/releasenotes/notes/add-keycloak-token-exchange-283b38032dda9baf.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Keycloak is now configured to have the ``token-exchange`` and the
+ ``admin-fine-grained-authz`` features enabled to allow for use of the
+ `OAuth Token Exchange <https://www.keycloak.org/securing-apps/token-exchange>`_
+ protocol.
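Review bot: enabling `token-exchange` and `admin-fine-grained-authz` does not by itself permit exchanges; each target client still needs a token-exchange permission granted, and the note should say so (or point at the new user guide page), otherwise operators will read this as "exchange works now". Both are also flagged as preview features by Keycloak, which is worth stating here because their behaviour can change between releases.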
diff --git a/releasenotes/notes/use-uv-for-venv-ec400e1d456a8c5f.yaml b/releasenotes/notes/use-uv-for-venv-ec400e1d456a8c5f.yaml
new file mode 100644
index 0000000..b8ff8a8
--- /dev/null
+++ b/releasenotes/notes/use-uv-for-venv-ec400e1d456a8c5f.yaml
@@ -0,0 +1,4 @@
+---
+other:
+ - The images now use the `uv` tool to create the virtual environment which
+ is faster and more reliable than the previous method.
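Review bot: `uv` is wrapped in single backticks, which reStructuredText renders as italics rather than literal text; use double backticks as the neighbouring release note does. "faster and more reliable than the previous method" is also an unsupported claim for a release note; state what changed instead (images are built with `uv venv` and `uv pip install` rather than `python3 -m venv` and `pip3`, and `python3-pip`/`python3-venv` are no longer installed), since the missing pip is the operator-visible difference.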
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index 41ee1ee..ead80fb 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -26,6 +26,8 @@
# we have to define jdbc connection string explicitly along side
# `externalDatabase` helm values.
extraEnvVars:
+ - name: KC_FEATURES
+ value: "token-exchange,admin-fine-grained-authz"
- name: KC_PROXY
value: edge
- name: KC_DB
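Review bot: `admin-fine-grained-authz` switches the realm's admin permission model, which is a wider change than the token exchange alone requires, and both values are preview features in Keycloak; record the Keycloak version this was validated against next to the `KC_FEATURES` entry so a chart or image bump that changes feature gating is caught rather than silently disabling token exchange.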