We are going to bite the bullet and upgrade to the latest version. While it would be awesome if the migration of the DB is handled automatically, I’m not too hopeful because of the huge difference in versions.
My thinking is that I will need to simply start with a clean installation and then recreate my clients and users manually. While this will be a pain in the butt, I will do so if there is not other way BUT the problem I foresee is the Client secrets. It is imperative that the client secrets stays the same but it seems not to be possible in Keycloack to set the client Secret. How to overcome this?
We migrated from Wildfly Keycloak 11.0.2 to Quarkus Keycloak 20.0.1 a while ago. Using the realm export/import functionality most of the data could be transferred. Unfortunately, the client secrets are one of the things that cannot be exported and imported. We did not find a way to transfer the secrets so we had to reconfigure all clients after the migration. The other thing we had to reconfigure was the user federation.
In case you still want to use the realm export/import feature I should mention that we had to modify the exported files for the import to work. Make sure to read the official upgrade notes for all versions in between. You will most likely have to update some of your settings and probably some client configs too. Here are my notes from the migration in case they help you. Keep in mind that you may have to take additional steps since you intend to migrate to a newer version than we did.
Realm Export: Wildfly Keycloak
Open the Keycloak admin interface and select the realm you want to export. Click Export in the left sidebar. Toggle the Export clients option and click Export. Confirm the popup by clicking Export.
Upgrades notes from Wildfly Keycloak 11.0.2 to Quarkus Keycloak 20.0.1
If you upgrade from an older to a newer Keycloak version you may have to edit the exported files. This section contains instructions for changes discovered during upgrades.
-
If clients contain invalid hostnames either edit the hostnames to be valid or remove the clients
-
Remove any entries having type="js"as they will cause script upload not supported errors. It should mostly be Default Policy and Default Permission entries in policies blocks in which case you can remove the entire block if it does not contain other entries.
Realm Import: Quarkus Keycloak
Open the realm combobox at the top left (master is selected by default) and click the Create Realm button below the realm list. Click the Browse... button in the Resource file section and select the previously exported file. Click the Create button and wait for the import to finish.
Credentials and secrets are not exported for security reasons. You therefore have to reconfigure various items after import.
-
If the imported realm has user federation configured, click the User federation entry in the left sidebar and select the configured provider. Enter the credentials required to connect to the provider in the corresponding field and click the Save button.
-
If a client uses a client secret you have to generate a new secret and modify the configuration of any connecting service accordingly
Good luck with the migration!
Thank you very much for your detailed response. Turns out that in the end it was much easier than I anticipated. 
Going to answer my own question here in case it benefits someone else. In the end there was nothing to be concerned about. I made a copy of my existing Keycloak DB, pointed the latest version of Keycloak to it, and Bob’s you uncle! Keycloak simply upgraded my DB without any issues whatsoever. All data was preserved. Damn impressive considering that I went from v11 to v26.