[keycloak-user] Upgrade Documentation: Containers and Cross-Dc

Hayden Fuss hfuss at bandwidth.com
Fri Aug 31 17:14:19 EDT 2018


>
> Also this is in no way container feels friendly since you can get the
> migrations off a container easily.
>

Sorry meant *can't*.

On Fri, Aug 31, 2018 at 5:11 PM Hayden Fuss <hfuss at bandwidth.com> wrote:

> Hello,
>
> When going through the upgrade documentation, it was tailored towards very
> mutable deployments of Keycloak on VMs. Will the docs soon describe
> containerized deployments of Keycloak as well? Obviously, the config XML
> changes won't be the issue, more so just the deployment strategy.
>
> The docs say
>
>> For standalone-high availability (HA) mode, all instances must be upgraded
>> at the same time.
>
>
> Which to me is a little vague, it almost sounds like you *have* to stop
> all servers at the same time rather than in a rolling fashion. Does this
> mean you can't deploy Keycloak with zero-downtime? Even in a containerized
> environment which will more easily allow for rolling, blue/green, or canary
> deployments?
>
> For the cross-DC scenario that's even scarier since Keycloak would have to
> be down in *all* DCs temporarily. Even if that's not the case, how does
> the manual DB migration work, especially in the cross-DC case:
>
>> When you start the server with this configuration it checks if the
>> database needs to be migrated. The required changes are written to an SQL
>> file that you can review and manually run against the database
>>
>
> It sounds like you have to start the new version of the server to get the
> migrations. What will the new version of the server do while the migrations
> haven't been applied, will it still run or crash/return 5xxs since the
> schema updates I would think it _requires_ don't exist?
>
> Also this is in no way container feels friendly since you can get the
> migrations off a container easily. The automated migrations seem like they
> would require downtime too unless the changes are guaranteed to be
> backwards compatible, but that contradicts "all instances must be upgraded
> at the same time".
>
> Also with the 4.4.0 release coming up, Infinispan will be upgraded a major
> version that will likely be a breaking release for those running the cross-DC
> setup, or will they have the option to keep using Infinispan 8.2.8? Can we
> expect lots of Infinispan upgrades in the future?
>
> Sorry I know those are a lot of questions, thanks for any help clarifying
> or providing past experiences with Keycloak upgrades.
>
> Best,
> Hayden
>

