[keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> anybody tried out such a thing?
Madhu
kkcmadhu at yahoo.com
Fri Apr 5 11:41:02 EDT 2019
Thanks for showing interest Pedro.
* No, not on k8s yet, but I may do that soon (in a couple of months' time).
* Yes, that's it: each cluster has its own Keycloak DB (MySQL) (and JDBC_PING) per cluster; maybe separate each farm by a security group so that there is no cross-talk on the 7600 / JDBC_PING ports.
* I am thinking of having a forward proxy that rewrites URLs (farm-specific URL) or enriches the request with a header so that the ALB/load balancer can identify the farm and dispatch the request to the Keycloak nodes in that cluster farm.
* I am also thinking of having a service registry (simple key-value pair cache/DB) to maintain the list of clusters and a mapping of realm to farm so that I will be able to locate the farm for each realm.
* POST realms calls may need special handling which checks the registry first and dispatches the request to one of the farms (whichever has the least number of tenants) so that all farms grow equally.
* I am additionally planning to run these farms with different Keycloak versions (farm A could be on Keycloak 4.5, farm B on Keycloak 5.0); things should not break as long as the APIs are backward compatible and as long as I am posting a request in a format which can be understood by the Keycloak farm with the old version, i.e. 4.5 in my case (I use a template for creating tenants). I may now have to maintain multiple templates, one for each version of Keycloak.
Another model I am thinking of is a sidecar per cluster farm, using Envoy to route requests to the correct farm.
Either way, one thing which is evident is that I need a registry/store where I maintain the mapping of realms to farms and rewrite URLs / add a header so that the correct farm is resolved and the request gets redirected there.
Another thing to take care of is to ensure that the master realm is consistent across all the 4 farms (i.e. if I add a user to master, I need to ensure that it is replicated across all the 4 farms). This could be a bit challenging... again I might have to take the help of Envoy/nginx to multicast that request to each farm :)
Basically, do things around Keycloak and keep the central piece unaltered...
Let me know if you have any innovative idea here. Eagerly waiting to see what's in store from Keycloak 6... any hints ;)?
Regards,
Madhu

On Friday, 5 April, 2019, 6:29:20 pm IST, Pedro Igor Silva <psilva at redhat.com> wrote:
I don't. But I'm interested to discuss how you could achieve this.
* Are you using Kubernetes?
* Does each cluster have its own database?
On Wed, Apr 3, 2019 at 12:11 PM Madhu <kkcmadhu at yahoo.com> wrote:
Hi All,
In order to scale Keycloak to handle about 2000 to 3000 realms I am thinking of running Keycloak in a cluster farm,
something like one Keycloak cluster per 500 tenants, and managing 5 or 6 such Keycloak clusters (a farm).
But I want my end users to be totally unaware of this; they should just be talking to Keycloak on a single URL, something like https://kecloak-yourserver/auth/realms/realm1/
Internally, I am planning to resolve realm names to a specific farm, e.g. realm1 -> keycloakCluster2, realmA -> keycloakCluster1 etc.
Has anybody out there tried such a thing on the cloud (AWS)?
If so, please share your experience/pain points.
This will go a long way in helping me scale keycloak horizontally in one of my prod deployments.
Madhu
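The routing layer this thread sketches (a registry mapping realm to farm, placing a newly created realm on the farm with the fewest tenants, fanning master-realm writes out to every farm, and rewriting the URL or adding a header for the load balancer), written out as an added example. This is not code from the thread and not Keycloak's own code. The farm names, the upstream base URLs, the `X-Keycloak-Farm` header name, the in-memory registry and the permitted realm-name character set are all assumptions made for the illustration; the URL shapes (`/auth/realms/{realm}/...`, `/auth/admin/realms/{realm}/...`, realm creation via `POST /auth/admin/realms`) are the ones Keycloak 4.x/5.x serves.

```python
import json
import re
from dataclasses import dataclass, field

# Keycloak 4.x/5.x realm-scoped paths:
#   /auth/realms/{realm}/...         end-user and OIDC endpoints
#   /auth/admin/realms/{realm}/...   admin REST API
# A new realm is created with POST /auth/admin/realms and a JSON body
# whose "realm" field carries the name.
REALM_PATH = re.compile(r"^/auth/(?:admin/)?realms/([^/?]+)")
ADMIN_REALMS = "/auth/admin/realms"
# Conservative realm-name charset (assumption) checked before the name is
# used in a registry lookup or spliced into an upstream URL. Rejects "..",
# percent-encoding and anything that could change the rewritten path.
SAFE_REALM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
FARM_HEADER = "X-Keycloak-Farm"   # hypothetical header the ALB/Envoy rule matches
MUTATING = {"POST", "PUT", "DELETE", "PATCH"}


class RoutingError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass
class Registry:
    """In-memory stand-in for the realm-to-farm key/value store."""
    farms: dict                                   # farm name -> upstream base URL
    realm_to_farm: dict = field(default_factory=dict)

    def farm_of(self, realm):
        return self.realm_to_farm.get(realm)

    def least_loaded_farm(self):
        counts = {name: 0 for name in self.farms}
        for farm in self.realm_to_farm.values():
            counts[farm] += 1
        # iterate in name order so ties resolve deterministically
        return min(sorted(counts), key=counts.__getitem__)

    def assign(self, realm):
        if realm in self.realm_to_farm:
            raise RoutingError(409, f"realm {realm!r} already exists")
        farm = self.least_loaded_farm()
        self.realm_to_farm[realm] = farm
        return farm


@dataclass
class Decision:
    farms: list       # farm names the request goes to (more than one = fan-out)
    upstreams: list   # farm-specific rewritten URLs, one per farm
    headers: dict     # header to add when a single farm is targeted


def _check_name(realm):
    if not SAFE_REALM.match(realm):
        raise RoutingError(400, "invalid realm name")
    return realm


def _decision(registry, farms, path):
    return Decision(
        farms=farms,
        upstreams=[registry.farms[f] + path for f in farms],
        headers={FARM_HEADER: farms[0]} if len(farms) == 1 else {},
    )


def route(registry, method, path, body=None):
    """Decide which farm(s) one request must be dispatched to."""
    method = method.upper()
    # 1. Realm creation: place the tenant on the least-loaded farm and record it.
    if method == "POST" and path.rstrip("/") == ADMIN_REALMS:
        try:
            realm = _check_name(json.loads(body)["realm"])
        except (TypeError, ValueError, KeyError):
            raise RoutingError(400, "realm creation body must carry a 'realm' field")
        return _decision(registry, [registry.assign(realm)], path)

    m = REALM_PATH.match(path)
    if not m:
        raise RoutingError(404, "no realm in path")   # fail closed, never guess a farm
    realm = _check_name(m.group(1))

    # 2. Master realm: every farm keeps its own copy, so admin writes fan out
    #    to all farms and everything else goes to one farm (first by name).
    if realm == "master":
        all_farms = sorted(registry.farms)
        fan_out = method in MUTATING and path.startswith(ADMIN_REALMS)
        return _decision(registry, all_farms if fan_out else all_farms[:1], path)

    # 3. Tenant realm: registry lookup; unknown realms get 404, not a default farm.
    farm = registry.farm_of(realm)
    if farm is None:
        raise RoutingError(404, f"unknown realm {realm!r}")
    return _decision(registry, [farm], path)


if __name__ == "__main__":
    # Constructed sample registry and requests (hypothetical hosts).
    reg = Registry(farms={"farmA": "https://kc-a.internal",
                          "farmB": "https://kc-b.internal",
                          "farmC": "https://kc-c.internal"},
                   realm_to_farm={"realm1": "farmB", "realmA": "farmA"})
    print(route(reg, "GET", "/auth/realms/realm1/protocol/openid-connect/certs"))
    print(route(reg, "POST", ADMIN_REALMS, body='{"realm": "tenant-42"}'))
    print(route(reg, "POST", "/auth/admin/realms/master/users", body="{}"))
```

Two points a practitioner would want checked before putting this in front of real farms. First, the router fails closed: a path without a realm, an unknown realm, or a realm name outside the allowed charset (the path is not percent-decoded here, so `%2F` and `..` are rejected rather than interpreted) gets an error instead of a default farm. Second, fanning master-realm writes out to every farm keeps users consistent but not keys: each farm's master realm generates its own signing keys in its own database, so an admin token issued by one farm's master will not verify on another farm unless the master realm's keys are replicated as well, or admin calls are always sent to the farm that issued the token.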
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user