Re: [keycloak-user] Best Practice AWS+ECS implementation

It's mostly just preference. To me, it looks like Kubernetes (or something based on it) has won when it comes to orchestrating containers. I wouldn't go for something proprietary like ECS right now. Also makes it a bit easier to go to other clouds as all major players are offering managed Kubernetes now... Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn -----Original Message----- From: Carrasco, Jonathan J (173F) <jonathan.j.carrasco(a)jpl.nasa.gov&gt; Sent: Freitag, 7. September 2018 16:31 To: Schuster Sebastian (INST-CSS/BSV-OS) <Sebastian.Schuster(a)bosch-si.com&gt; Cc: keycloak-user(a)lists.jboss.org; Dmitry Telegin <dt(a)acutus.pro&gt; Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation @Sebastian Thanks for your comments. Is migrating from ECS to EKS beneficial? Or is it a preference seeing that both are managed services. @Dmitry Thanks for your comments. Could you please elaborate on what do you mean by "credential collector"? I want to spin up a web tier for load balancing and running a "small" web application to receive the username and password credentials, and this web tier will direct credentials to the keycloak server for authentication. Currently, a user is directed to the keycloak server for authentication. I want to break to break into two pieces the collection of the username and password collection and the authentication. Has anyone execute this architecture? -- Jonathan Carrasco (173F) Jet Propulsion Laboratory On 9/7/18, 12:21 AM, "Schuster Sebastian (INST-CSS/BSV-OS)" <Sebastian.Schuster(a)bosch-si.com&gt; wrote: Hi Jonathan, Sticky sessions are also possible with AWS ALB. I have a ECS/ALB setup running as a sandbox system for nearly a year without any problems. Setting this up was quite straightforward. In the long run, I am not sure ECS is the way to go since Amazon is offering EKS now. We also switched to Kubernetes for production. Whether you want to roll your own really depends on your requirements. For example we have to go for TLS from LB to Keycloak in production as well, that’s not supported by ALB AFAIK. Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Dmitry Telegin Sent: Freitag, 7. September 2018 04:55 To: Carrasco, Jonathan J (173F) <jonathan.j.carrasco(a)jpl.nasa.gov>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation Hello Jonathan, On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote: Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow for IP multicast between the nodes/containers, and IP multicast is what Keycloak clustering relies upon (at least in default configuration). In more detail, you'll have to configure alternate node discovery mechanism for JGroups, like JDBC_PING or S3_PING. See the doc for more details, especially the "Troubleshooting AWS specifics" section at the end: https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws... Or google for "Keycloak AWS", there have been a lot of postings on this ML on that topic. In addition to nginx, I'd also recommend that you take a look at HAProxy: http://www.haproxy.org/ Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda secondary functions for Nginx. On the other hand, haproxy implements a lot of LB-specific stuff, like e.g throttling based on HTTP headers, which might be topical (depends on your architecture of course). This is pretty reasonable. The main points here are: - you can have something more powerful and feature-rich than ALB; - you can take full control of it. For example, Keycloak recommends using sticky sessions for performance purposes: https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions This is absolutely doable with nginx/HAproxy, but I'm not sure if it is possible with ALB. Could you please elaborate on what do you mean by "credential collector"? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user