[keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha?

Phillip Fleischer pcfleischer at outlook.com
Tue Aug 29 05:51:20 EDT 2017


My guess around configuration is that the expected default infrastructure is truly standalone on virtual infrastructure or OpenShift, where SSL is terminated on JBoss and the infrastructure supports multicast DNS for HA.

We use our own standalone.xml similar to below. You'll probably want to look at JGroups JDBC ping, since multicast might not work. Someone recently asked if you can just disable cache if you can avoid JGroups, but I haven't tried that myself or heard back that it is a viable solution.

https://goldmann.pl/blog/2014/07/23/customizing-the-configuration-of-the-wildfly-docker-image/

http://www.fafonso.com/jgroups/unicast/postgresql/jdbc/ping/cluster/2016/08/07/jgroups-with-postgresql.html


_____________________________
From: Tonnis Wildeboer <tonnis at autonomic.ai>
Sent: Friday, August 25, 2017 1:33 PM
Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress: standalone-ha?
To: <keycloak-user at lists.jboss.org>


I am attempting to run Keycloak in a kubernetes cluster with a shared
postgres (RDS) db. Everything is hosted on AWS. The keycloak instances are
deployed using Helm.

I have read the clustering documentation and from that it seems that the
appropriate clustering mode in this scenario would be "Standalone Clustered
Mode". Therefore, I am using the "jboss/keycloak-ha-postgres" Docker image.
Since I am using the nginx Ingress controller I have the prescribed
PROXY_ADDRESS_FORWARDING=true environment variable. Upon inspection of the
Docker image, however, I noticed that the
$JBOSS_HOME/standalone/configuration/standalone-ha.xml file in that image
does not have the
proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" attribute in the
<http-listener ...> element. I also noticed that the
jboss-dockerfiles/keycloak-server base image has a sed command to add this
to the standalone.xml file but not to the standalone-ha.xml file.

Also, of the examples I have found via Google searches, I have not found
examples of deploying Keycloak this way, which is surprising. I have seen
examples with a single instance using the standalone postgres image, but not
"Standalone Clustered".

So here are my questions:

1. What are the specific differences between using --server-config
standalone-ha.xml vs standalone.xml?
2. Is there communication between the pods that needs to happen when
running in "Standalone Clustered Mode"? (I ask this because I would need to
make sure that this is possible, possibly across VPCs.) If so, what is it?
I am hoping they just share a database.
3. Why doesn't the base jboss-dockerfiles/keycloak-server image also modify
the standalone-ha.xml file too, in the same way it modifies the
standalone.xml file: (
https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b904708ac4ccd80df5c5/server/Dockerfile#L23-L25
)?
4. Is there any other documentation, etc., that I should be looking at?

Thank you,

Tonnis
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
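
The gap described in the original question (standalone.xml carrying proxy-address-forwarding on its http-listener while standalone-ha.xml does not) can be checked before deployment. The following is an added example, not code from this thread or from the jboss-dockerfiles project; the two XML samples are constructed and their namespace versions are assumptions.

```python
import xml.etree.ElementTree as ET

ATTR = "proxy-address-forwarding"  # attribute named in the post

# Constructed samples, cut down to the undertow subsystem; not the image's real files.
# The namespace versions are assumptions, and the matching below ignores them.
TEMPLATE = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"{extra}/>
      </server>
    </subsystem>
  </profile>
</server>"""
SAMPLES = {
    "standalone.xml": TEMPLATE.format(
        extra=' proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}"'),
    "standalone-ha.xml": TEMPLATE.format(extra=""),
}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Map each http-listener name to its proxy-address-forwarding value (None if absent)."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get(ATTR)
            for el in root.iter() if local(el.tag) == "http-listener"}


def files_ignoring_env(configs):
    """Names of config files where some http-listener lacks the attribute, so
    setting PROXY_ADDRESS_FORWARDING in the pod spec changes nothing for it."""
    return sorted(name for name, text in configs.items()
                  if any(value is None for value in audit(text).values()))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
    print("env var has no effect with:", files_ignoring_env(SAMPLES))
```

To check a real image, replace SAMPLES with the contents of the two files read from $JBOSS_HOME/standalone/configuration/.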