[keycloak-user] Best Practice AWS+ECS implementation

Carrasco, Jonathan J (173F) jonathan.j.carrasco at jpl.nasa.gov
Fri Sep 7 10:31:01 EDT 2018 

@Sebastian
Thanks for your comments.
Is migrating from ECS to EKS beneficial? Or is it a preference seeing that both are managed services. 

@Dmitry
Thanks for your comments.
    > The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?
    
    Could you please elaborate on what do you mean by "credential collector"?

I want to spin up a web tier for load balancing and running a "small" web application to receive the username and password credentials, and this web tier will direct credentials to the keycloak server for authentication.
Currently, a user is directed to the keycloak server for authentication. I want to break to break into two pieces the collection of the username and password collection and the authentication.
Has anyone execute this architecture?
-- 
Jonathan Carrasco (173F)
Jet Propulsion Laboratory

On 9/7/18, 12:21 AM, "Schuster Sebastian (INST-CSS/BSV-OS)" <Sebastian.Schuster at bosch-si.com> wrote:

    Hi Jonathan,
    
    Sticky sessions are also possible with AWS ALB. I have a ECS/ALB setup running as a sandbox system for nearly a year without any problems. Setting this up was quite straightforward.
    
    In the long run, I am not sure ECS is the way to go since Amazon is offering EKS now. We also switched to Kubernetes for production.
    
    Whether you want to roll your own really depends on your requirements. For example we have to go for TLS from LB to Keycloak in production as well, that’s not supported by ALB AFAIK.
    
    Best regards,
    Sebastian
    
    
    Mit freundlichen Grüßen / Best regards
    
    Dr.-Ing.  Sebastian Schuster
    
    Engineering and Support (INST/ESY1) 
    Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
    Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
    
    Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B 
    Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn 
    
    
    
    
    -----Original Message-----
    From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Dmitry Telegin
    Sent: Freitag, 7. September 2018 04:55
    To: Carrasco, Jonathan J (173F) <jonathan.j.carrasco at jpl.nasa.gov>; keycloak-user at lists.jboss.org
    Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation
    
    Hello Jonathan,
    
    On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote:
    > Hello.
    > 
    > I’m working on implementing Keycloak on ECS. The proposed architecture is:
    >                 2x – Keycloak Docker images (customized for Domain 
    > Mode)
    >                 RDS Postgres Instance
    
    Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow for IP multicast between the nodes/containers, and IP multicast is what Keycloak clustering relies upon (at least in default configuration).
    In more detail, you'll have to configure alternate node discovery mechanism for JGroups, like JDBC_PING or S3_PING.
    
    See the doc for more details, especially the "Troubleshooting AWS specifics" section at the end: https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
    Or google for "Keycloak AWS", there have been a lot of postings on this ML on that topic.
    
    > 
    > My question- and I’m open to comments- is what is best practice for Load Balancing and what is the community using?  I was thinking of spinning up another docker instance with Nginx for load balancing instead of Amazon’s ALB.
    
    In addition to nginx, I'd also recommend that you take a look at HAProxy: http://www.haproxy.org/
    
    Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda secondary functions for Nginx.
    On the other hand, haproxy implements a lot of LB-specific stuff, like e.g throttling based on HTTP headers, which might be topical (depends on your architecture of course).
    
    > Is that something that makes sense or better to just use ALB?
    
    This is pretty reasonable. The main points here are:
    - you can have something more powerful and feature-rich than ALB;
    - you can take full control of it.
    
    For example, Keycloak recommends using sticky sessions for performance
    purposes:
    https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions
    This is absolutely doable with nginx/HAproxy, but I'm not sure if it is possible with ALB.
    
    > The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?
    
    Could you please elaborate on what do you mean by "credential collector"?
    
    Cheers,
    Dmitry Telegin
    CTO, Acutus s.r.o.
    Keycloak Consulting and Training
    
    Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    +42 (022) 888-30-71
    E-mail: info at acutus.pro
    
    > 
    > --
    > Jonathan Carrasco (173F)
    > Jet Propulsion Laboratory
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user
    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list