[keycloak-user] Best Practice AWS+ECS implementation
Schuster Sebastian (INST-CSS/BSV-OS)
Sebastian.Schuster at bosch-si.com
Fri Sep 7 11:10:06 EDT 2018
It's mostly just preference. To me, it looks like Kubernetes (or something based on it) has won when it comes to orchestrating containers. I wouldn't go for something proprietary like ECS right now. Also makes it a bit easier to go to other clouds as all major players are offering managed Kubernetes now...
Best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
-----Original Message-----
From: Carrasco, Jonathan J (173F) <jonathan.j.carrasco at jpl.nasa.gov>
Sent: Friday, 7 September 2018 16:31
To: Schuster Sebastian (INST-CSS/BSV-OS) <Sebastian.Schuster at bosch-si.com>
Cc: keycloak-user at lists.jboss.org; Dmitry Telegin <dt at acutus.pro>
Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation
@Sebastian
Thanks for your comments.
Is migrating from ECS to EKS beneficial? Or is it a preference seeing that both are managed services.
@Dmitry
Thanks for your comments.
> The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?
Could you please elaborate on what do you mean by "credential collector"?
I want to spin up a web tier for load balancing and running a "small" web application to receive the username and password credentials, and this web tier will direct credentials to the keycloak server for authentication.
Currently, a user is directed to the keycloak server for authentication. I want to break into two pieces the collection of the username and password and the authentication.
Has anyone executed this architecture?
--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory
On 9/7/18, 12:21 AM, "Schuster Sebastian (INST-CSS/BSV-OS)" <Sebastian.Schuster at bosch-si.com> wrote:
Hi Jonathan,
Sticky sessions are also possible with AWS ALB. I have an ECS/ALB setup running as a sandbox system for nearly a year without any problems. Setting this up was quite straightforward.
In the long run, I am not sure ECS is the way to go since Amazon is offering EKS now. We also switched to Kubernetes for production.
Whether you want to roll your own really depends on your requirements. For example we have to go for TLS from LB to Keycloak in production as well, that’s not supported by ALB AFAIK.
Best regards,
Sebastian
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Dmitry Telegin
Sent: Friday, 7 September 2018 04:55
To: Carrasco, Jonathan J (173F) <jonathan.j.carrasco at jpl.nasa.gov>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Best Practice AWS+ECS implementation
Hello Jonathan,
On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote:
> Hello.
>
> I’m working on implementing Keycloak on ECS. The proposed architecture is:
> 2x – Keycloak Docker images (customized for Domain Mode)
> RDS Postgres Instance
Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow for IP multicast between the nodes/containers, and IP multicast is what Keycloak clustering relies upon (at least in default configuration).
In more detail, you'll have to configure alternate node discovery mechanism for JGroups, like JDBC_PING or S3_PING.
See the doc for more details, especially the "Troubleshooting AWS specifics" section at the end: https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
Or google for "Keycloak AWS", there have been a lot of postings on this ML on that topic.
>
> My question- and I’m open to comments- is what is best practice for Load Balancing and what is the community using? I was thinking of spinning up another docker instance with Nginx for load balancing instead of Amazon’s ALB.
In addition to nginx, I'd also recommend that you take a look at HAProxy: http://www.haproxy.org/
Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda secondary functions for Nginx.
On the other hand, HAProxy implements a lot of LB-specific stuff, like e.g. throttling based on HTTP headers, which might be topical (depends on your architecture of course).
> Is that something that makes sense or better to just use ALB?
This is pretty reasonable. The main points here are:
- you can have something more powerful and feature-rich than ALB;
- you can take full control of it.
For example, Keycloak recommends using sticky sessions for performance
purposes:
https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions
This is absolutely doable with nginx/HAProxy, but I'm not sure if it is possible with ALB.
> The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?
Could you please elaborate on what do you mean by "credential collector"?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
>
> --
> Jonathan Carrasco (173F)
> Jet Propulsion Laboratory
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
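The two LB requirements raised in this thread, sticky sessions for Keycloak (Dmitry's reply) and TLS from the load balancer to the Keycloak nodes (Sebastian's reply), put together in one HAProxy configuration. This is an added example, not code from either poster or from the Keycloak project. The hostname sso.example.com, the backend addresses 10.0.1.10/10.0.1.11, the certificate paths and the cookie name KC_ROUTE are assumptions for illustration; the /auth context path and the /auth/realms/master endpoint are those of Keycloak 4.x.

```haproxy
# Example HAProxy front end for a two-node Keycloak cluster (assumed addresses).
global
    log stdout format raw local0
    # Refuse anything below TLS 1.2 on both the client-facing and the backend side
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    # Adds X-Forwarded-For with the client address
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_keycloak
    # Terminate client TLS here (assumed cert/key bundle path)
    bind :443 ssl crt /etc/haproxy/certs/sso.example.com.pem alpn h2,http/1.1
    # Overwrite (never append to) the proxy headers so a client cannot spoof them;
    # Keycloak builds redirect URIs and issuer URLs from these values
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port  %[dst_port]
    http-request set-header X-Forwarded-Host  %[req.hdr(Host)]
    default_backend be_keycloak

backend be_keycloak
    balance roundrobin
    # Sticky sessions: HAProxy inserts its own cookie naming the node that served
    # the first request and routes later requests in that browser session to it.
    # This does not depend on parsing Keycloak's own AUTH_SESSION_ID cookie.
    cookie KC_ROUTE insert indirect nocache httponly secure
    # Health check against a realm endpoint that answers 200 with JSON
    option httpchk GET /auth/realms/master
    http-check expect status 200
    # Re-encrypt to Keycloak over TLS and verify the node certificates against
    # an internal CA (assumed path); a node that fails verification is not used
    server kc1 10.0.1.10:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie kc1
    server kc2 10.0.1.11:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie kc2
```

On the Keycloak side the X-Forwarded-* headers are only honoured if the Undertow listener has proxy-address-forwarding="true" set, and the 8443 listener on each node needs a certificate signed by the CA referenced in ca-file; without `verify required` the hop from LB to Keycloak is encrypted but not authenticated. Node discovery (JDBC_PING/S3_PING) is a separate JGroups configuration and is not covered by this fragment.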