Thanks for showing interest Pedro.

* No, not on k8s yet, but may soon do that (in a couple of months' time).
* Yes, that's it: have each cluster have its own keycloak db (mysql) (and jdbc_ping) for each cluster; maybe separate each farm by a security group so that there is no cross talk on the 7600 / jdbc ping ports.
* I am thinking of having a forward proxy which rewrites urls (farm-specific url) or enriches the request with a header so that the ALB/load balancer can identify the farm and dispatch the request to the keycloak nodes in that cluster farm.
* I am also thinking of having a service registry (simple key-value pair cache/db) to maintain the list of clusters and a mapping of realm to farm so that I will be able to locate the farm for each realm.
* POST realms calls may need special handling which checks the registry first and dispatches the request to one of the farms (whichever has the least number of tenants) so that all farms grow equally.
* I am additionally planning to run these farms with different keycloak versions (farm A could be on keycloak 4.5, farm B on keycloak 5.0); things should not break as long as the apis are backward compatible and as long as I am posting a request in a format which can be understood by the keycloak farm with the old version, i.e. 4.5 in my case (I use a template for creating tenants); I may now have to maintain multiple templates, one for each version of keycloak...

Another model I am thinking of is to sidecar each cluster farm and use envoy to route requests to the correct farm...

Either way, one thing which is evident is that I need a registry/store where I maintain the mapping of realms-to-farm and rewrite urls / add a header so that the correct farm is resolved and the request gets redirected there.

Another thing to take care of is to ensure that the master realm is consistent across all the 4 farms (i.e. if I add a user to master, I need to ensure that it is replicated across all the 4 farms)... this could be a bit challenging... again I might have to take the help of envoy/nginx to multicast that request to each farm :)

Basically... do things around keycloak, and keep the central piece unaltered...

Let me know if you have any innovative idea here... eagerly waiting to see what's in store from keycloak-6... any hints ;)?
Regards,
Madhu

On Friday, 5 April, 2019, 6:29:20 pm IST, Pedro Igor Silva <psilva(a)redhat.com> wrote:
I don't. But I'm interested to discuss how you could achieve this.

* Are you using kubernetes?
* Does each cluster have its own database?
On Wed, Apr 3, 2019 at 12:11 PM Madhu <kkcmadhu(a)yahoo.com> wrote:
Hi All,

In order to scale keycloak to handle about 2000 to 3000 realms I am thinking of running keycloak in a cluster farm...
something like having one keycloak cluster per 500 tenants and managing 5 or 6 such keycloak clusters (a farm).
But I want my end users to be totally unaware of this... they should just be talking to keycloak on a single url, something like https://kecloak-yourserver/auth/realms/realm1/
Internally, I am planning to resolve realm names to a specific farm, e.g. realm1 -> keycloakCluster2, realmA -> keycloakCluster1 etc.
Anybody out there tried such a thing on Cloud (AWS)?
If so, please share your experience/pain points.
This will go a long way in helping me scale keycloak horizontally in one of my prod deployments.

Madhu
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
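The routing layer Madhu sketches in the thread (a registry mapping realms to farms, a proxy that enriches the request with a farm header for the load balancer, least-loaded placement for POST realms, and multicast of master-realm writes to every farm) as an added Python example. This is illustrative code written for this page, not code from the thread, from Keycloak, or from any of its proxies; the farm names, internal URLs, the `X-Keycloak-Farm` header name, the `Farm`/`FarmRegistry`/`route` names and the in-memory registry are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Header the proxy sets so the ALB/Envoy can pick the farm; the name is an assumption.
FARM_HEADER = "X-Keycloak-Farm"
# Keycloak admin endpoint that creates a realm (POST) or lists them (GET).
REALM_COLLECTION = "/auth/admin/realms"
# Captures the realm segment of both public and admin realm URLs.
REALM_IN_PATH = re.compile(r"^/auth/(?:admin/)?realms/([^/]+)(?:/|$)")
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass
class Farm:
    name: str
    base_url: str          # internal address the load balancer dispatches to
    keycloak_version: str  # farms may run different versions, as discussed in the thread
    realms: set = field(default_factory=set)


class FarmRegistry:
    """The realm-to-farm store; a dict here, a key/value cache or db in a real deployment."""

    def __init__(self, farms):
        self.farms = {f.name: f for f in farms}
        self.realm_to_farm = {r: f.name for f in farms for r in f.realms}

    def farm_for_realm(self, realm):
        name = self.realm_to_farm.get(realm)
        return self.farms[name] if name else None

    def least_loaded_farm(self):
        # Tie-break on name so placement is deterministic and easy to audit.
        return min(self.farms.values(), key=lambda f: (len(f.realms), f.name))

    def register_realm(self, realm, farm):
        if realm in self.realm_to_farm:
            raise ValueError("realm %r already placed on %s" % (realm, self.realm_to_farm[realm]))
        farm.realms.add(realm)
        self.realm_to_farm[realm] = farm.name


@dataclass
class Decision:
    status: int    # 200 = dispatch, 400 = bad request, 404 = unknown realm/path, 409 = duplicate
    targets: list  # farms that must receive the request (several for master-realm writes)
    headers: dict  # request headers after enrichment


def route(registry, method, path, headers=None, new_realm=None):
    """Decide where one request goes. new_realm is the realm name taken from a POST body."""
    headers = dict(headers or {})
    # The farm header is set only by the proxy; drop any client-supplied value so a
    # caller cannot steer a request for one tenant's realm onto another farm.
    headers.pop(FARM_HEADER, None)

    if path.rstrip("/") == REALM_COLLECTION:
        if method != "POST":
            # Listing realms spans every farm; the proxy would have to merge the replies.
            return Decision(200, list(registry.farms.values()), headers)
        if new_realm is None:
            return Decision(400, [], headers)
        if registry.farm_for_realm(new_realm) is not None:
            return Decision(409, [], headers)
        farm = registry.least_loaded_farm()
        # Registered before dispatch; a real proxy would roll back if the farm rejects it.
        registry.register_realm(new_realm, farm)
        headers[FARM_HEADER] = farm.name
        return Decision(200, [farm], headers)

    match = REALM_IN_PATH.match(path)
    if not match:
        return Decision(404, [], headers)
    realm = match.group(1)

    if realm == "master":
        # master must stay consistent on every farm: writes are multicast to all of
        # them, reads can be served by any single farm.
        farms = sorted(registry.farms.values(), key=lambda f: f.name)
        return Decision(200, farms if method in WRITE_METHODS else farms[:1], headers)

    farm = registry.farm_for_realm(realm)
    if farm is None:
        # Unknown realm: refuse rather than fall through to a default farm.
        return Decision(404, [], headers)
    headers[FARM_HEADER] = farm.name
    return Decision(200, [farm], headers)


def demo_registry():
    """Constructed sample farms for trying the router; hosts and versions are made up."""
    return FarmRegistry([
        Farm("farmA", "http://farm-a.internal", "4.5", {"realm1", "realm2"}),
        Farm("farmB", "http://farm-b.internal", "5.0", {"realmA"}),
    ])


if __name__ == "__main__":
    reg = demo_registry()
    for m, p, r in [("GET", "/auth/realms/realm1/protocol/openid-connect/token", None),
                    ("POST", "/auth/admin/realms", "realm3"),
                    ("POST", "/auth/admin/realms/master/users", None)]:
        d = route(reg, m, p, new_realm=r)
        print(m, p, d.status, [f.name for f in d.targets], d.headers)
```

The two choices worth keeping in a real proxy are that the farm header is always overwritten rather than trusted from the client, and that an unknown realm is refused instead of being sent to a default farm; both keep one tenant's traffic from ever reaching another tenant's cluster.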