Large files in the keycloak chart cause Helm Secret size to exceed 1MiB #9

@p1-bot-repo-sync

When attempting to import a 100 KiB realm file using a secret added to the Keycloak Helm chart, we encountered the following error:

Helm upgrade failed for release keycloak/keycloak with chart keycloak@2.5.1-bb.0: 
create: failed to create: Secret "sh.helm.release.v1.keycloak.v3" is invalid: 
data: Too long: must have at most 1048576 bytes

When examining the state of the prior HelmRelease version, the existing data was already very close to the Secret size limit:

$ k get secret -n bigbang sh.helm.release.v1.keycloak.v2 -oyaml | yq '.data.release' | base64 -d > sh.helm.release.v1.keycloak.v2.yaml
$ ls -l sh.helm.release.v1.keycloak.v2.yaml
-rw-------. 1 root root 997160 Nov  1 14:15 sh.helm.release.keycloak.yaml

Attempting to inspect the contents of the Secret reveals that it needs to be base64-decoded again and then gunzipped, resulting in the following:

$ base64 -d sh.helm.release.v1.keycloak.v2.yaml | gunzip > sh.helm.release.v1.keycloak.v2-unzipped.yaml
$ ls -l
-rw-------. 1 root root 1822118 Nov  1 14:37 sh.helm.release.v1.keycloak.v2-unzipped.yaml
-rw-------. 1 root root  997160 Nov  1 14:22 sh.helm.release.v1.keycloak.v2.yaml

The resulting data is in JSON format, with the following top-level keys and sizes:

$ yq 'keys()' sh.helm.release.v1.keycloak.v2-unzipped.yaml
- "name"
- "info"
- "chart"
- "config"
- "manifest"
- "version"
- "namespace"
$ yq '.name' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
9
$ yq '.info' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
937
$ yq '.chart' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
1554589
$ yq '.config' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
4307
$ yq '.manifest' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
262641
$ yq '.version' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
2
$ yq '.namespace' sh.helm.release.v1.keycloak.v2-unzipped.yaml | wc -c
9

As shown, the full contents of the Helm chart are stored in the Secret (so that Helm can calculate the differences between different Helm revisions), bloating the size of the Secret significantly.
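The decoding steps in the report above can be scripted into one size check. This is an added example, not code from the issue author or the chart: it undoes both encoding layers of a `.data.release` value, reports the remaining headroom under the 1048576-byte limit from the error message, and ranks the top-level keys by size. `sample_release`, its field contents and the `files` layout inside `chart` are constructed stand-ins for a real release record.

```python
import base64
import gzip
import json
import random

SECRET_LIMIT = 1048576  # bytes; the limit quoted in the error message above


def encode_release(release: dict) -> str:
    """Constructed helper: JSON -> gzip -> base64, then base64 again as Secret data."""
    stored = base64.b64encode(gzip.compress(json.dumps(release).encode()))
    return base64.b64encode(stored).decode()


def release_report(data_release: str) -> dict:
    """Undo both encoding layers of a .data.release value and size each key."""
    stored = base64.b64decode(data_release)          # first `base64 -d` in the issue
    raw = gzip.decompress(base64.b64decode(stored))  # second decode, then gunzip
    release = json.loads(raw)
    sizes = {key: len(json.dumps(value)) for key, value in release.items()}
    return {
        "stored_bytes": len(stored),      # the size the issue compares to the limit
        "unzipped_bytes": len(raw),
        "headroom": SECRET_LIMIT - len(stored),
        "key_sizes": sorted(sizes.items(), key=lambda kv: kv[1], reverse=True),
    }


def sample_release(chart_file_bytes: int) -> dict:
    """Constructed release record with one incompressible file bundled in the chart."""
    blob = random.Random(0).randbytes(chart_file_bytes)
    return {
        "name": "keycloak",
        "info": {"status": "deployed"},
        "chart": {"files": [{"name": "realm.json", "data": base64.b64encode(blob).decode()}]},
        "config": {"replicas": 1},
        "manifest": "kind: StatefulSet\n",
        "version": 2,
        "namespace": "keycloak",
    }


if __name__ == "__main__":
    for size in (500 * 1024, 900 * 1024):  # constructed sizes: one fits, one does not
        report = release_report(encode_release(sample_release(size)))
        print(size, report["stored_bytes"], report["headroom"], report["key_sizes"][0])
```

Against a live cluster, the input is the string that `yq '.data.release'` prints in the first command of the report.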
