My guess around configuration is that the expected default infrastructure is truly
standalone on virtual infrastructure or OpenShift, where SSL is terminated on JBoss and the
infrastructure supports multicast DNS for HA.
We use our own standalone.xml similar to below. You'll probably want to look at
jgroups jdbc ping since multicast might not work. Someone recently asked if you can just
disable cache if you can avoid jgroups but I haven't tried that myself or heard back
that it is a viable solution.
https://goldmann.pl/blog/2014/07/23/customizing-the-configuration-of-the-...
http://www.fafonso.com/jgroups/unicast/postgresql/jdbc/ping/cluster/2016/...
_____________________________
From: Tonnis Wildeboer <tonnis@autonomic.ai>
Sent: Friday, August 25, 2017 1:33 PM
Subject: [keycloak-user] Keycloak in kubernetes cluster with AWS postgress:
standalone-ha?
To: <keycloak-user@lists.jboss.org>
I am attempting to run Keycloak in a kubernetes cluster with a shared
postgres (RDS) db. Everything is hosted on AWS. The keycloak instances are
deployed using Helm.
I have read the clustering documentation and from that it seems that the
appropriate clustering mode in this scenario would be "Standalone Clustered
Mode". Therefore, I am using the "jboss/keycloak-ha-postgres" Docker image.
Since I am using the nginx Ingress controller I have the prescribed
PROXY_ADDRESS_FORWARDING=true environment variable. Upon inspection of the
Docker image, however, I noticed that the
$JBOSS_HOME/standalone/configuration/standalone-ha.xml file in that image
does not have the
proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" attribute in the
<http-listener ...> element. I also noticed that the
jboss-dockerfiles/keycloak-server base image has a sed command to add this
to the standalone.xml file but not to the standalone-ha.xml file.
Also, of the examples I have found via Google searches, I have not found
examples of deploying Keycloak this way, which is surprising. I have seen
examples with a single instance using the standalone postgres image, but not
"Standalone Clustered".
So here are my questions:
1. What are the specific differences between using --server-config
standalone-ha.xml vs standalone.xml?
2. Is there communication between the pods that needs to happen when
running in "Standalone Clustered Mode"? (I ask this because I would need to
make sure that this is possible, possibly across VPCs.) If so, what is it?
I am hoping they just share a database.
3. Why doesn't the base jboss-dockerfiles/keycloak-server image also modify
the standalone-ha.xml file too, in the same way it modifies the
standalone.xml file: (
https://github.com/jboss-dockerfiles/keycloak/blob/0a54ccaccd5e27e75105b9...
)?
4. Is there any other documentation, etc. that I should be looking at?
Thank you,
Tonnis
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
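
The gap described in the original post (the `proxy-address-forwarding` attribute missing from the `<http-listener>` element in standalone-ha.xml), as an added example that is not part of the thread or of the jboss-dockerfiles image: a shell script that counts `<http-listener>` elements lacking the attribute and adds it idempotently. The function names, file name and sample XML are constructed, and it assumes each listener element sits on a single line.

```shell
#!/bin/sh
# Added example: file names and the sample XML are constructed for illustration.

# Attribute text as quoted in the post; single quotes keep ${...} literal.
ATTR='proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}"'

# Print how many <http-listener> elements lack the attribute.
# Assumption: each listener element sits on a single line.
missing_count() {
    awk '/<http-listener / && !/proxy-address-forwarding=/ { n++ }
         END { print n + 0 }' "$1"
}

# Add the attribute to every <http-listener> that lacks it (idempotent).
# A .bak copy of the file is kept next to it.
add_proxy_forwarding() {
    sed -i.bak \
        '/proxy-address-forwarding=/!s|<http-listener |&'"$ATTR"' |' "$1"
}

# Write a constructed fragment shaped like the listener section.
write_sample() {
    cat > "$1" <<'EOF'
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="https" socket-binding="https"/>
</server>
EOF
}

# Patch each file given as an argument and report the result.
check_and_patch() {
    for f in "$@"; do
        before=$(missing_count "$f")
        add_proxy_forwarding "$f"
        echo "$f: $before listener(s) patched, $(missing_count "$f") still missing"
    done
}

# Demo on a temporary copy of the constructed fragment.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/standalone-ha.xml"
check_and_patch "$demo_dir/standalone-ha.xml"
grep 'http-listener' "$demo_dir/standalone-ha.xml"
```

When the attribute resolves to true, the listener takes the client address from forwarded headers sent by whatever connects to it, so the Keycloak pods should be reachable only through the ingress.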