[keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing?

Pedro Igor Silva psilva at redhat.com
Mon Apr 8 13:55:35 EDT 2019


On Fri, Apr 5, 2019 at 12:41 PM Madhu <kkcmadhu at yahoo.com> wrote:

> Thanks for showing interest, Pedro.
>
> * No, not on k8s yet, but may soon do that (in a couple of months' time).
> * Yes, that's it: to have each cluster have its own keycloak db (mysql) (and
> jdbc_ping) for each cluster, maybe separate each farm by a security
> group so that there is no cross talk on (7600, jdbc ping ports)..
> * I am thinking of having a forward proxy with rewrite urls (farm specific
> url) or enriching the request with a header so that the ALB/load balancer can
> identify the farm and dispatch the request to keycloak nodes in that
> cluster farm.
>

When you move to k8s I think you could use ingress to dispatch requests to
a specific cluster?


>
> * I am also thinking of having a service registry (simple key-value pair
> cache/db) to maintain a list of clusters and a mapping of realm to farm so
> that I will be able to locate the farm for each realm.
>
> * POST realms calls may need special handling which checks the registry
> first and dispatches the request to one of the farms (whichever has the least
> no. of tenants) so that all farms grow equally.
>
> * I am additionally planning to run these farms with different keycloak
> versions (farm A could be on keycloak 4.5, farm B on keycloak 5.0); things
> should not break as long as the apis are backward compatible and as long as
> I am posting a request in a format which can be understood by the keycloak farm
> with the old version, i.e. 4.5 in my case (I use a template for creating
> tenants). I may have to now maintain multiple templates, one for each
> version of keycloak..
>
> Another model I am thinking of is a sidecar for each cluster farm and using
> envoy to route requests to the correct farm..
>
>
> Either way, one thing which is evident is I need a registry/store where I
> maintain the mapping of realms-to-farm and rewrite urls / add a header so that the
> correct farm is resolved and the request gets redirected there.
>
>
> Another thing to take care of is to ensure that the master realm is
> consistent across all the 4 farms (i.e. if I add a user to master, I need
> to ensure that it is replicated across all the 4 farms).. this could be a bit
> challenging... again I might have to take the help of envoy/nginx to multicast
> that request to each farm :)
>

In addition to adding users, what other configuration might you need to
replicate across the master realms of the farms? Permissions maybe?


>
> Basically.. do things around keycloak, and keep the central piece
> unaltered...
>
> Let me know if you have any innovative idea here.. eagerly waiting to see
> what's in store from keycloak-6.. any hints ;)?
>
> Regards,
> Madhu
> On Friday, 5 April, 2019, 6:29:20 pm IST, Pedro Igor Silva <
> psilva at redhat.com> wrote:
>
>
> I don't. But I'm interested to discuss how you could achieve this.
>
> * Are you using kubernetes?
> * Does each cluster have its own database?
>
> On Wed, Apr 3, 2019 at 12:11 PM Madhu <kkcmadhu at yahoo.com> wrote:
>
> Hi All,
>
> In order to scale keycloak to handle about 2000 to 3000 realms I am
> thinking of running keycloak in a cluster farm..
> something like having one keycloak cluster per 500 tenants and managing 5 or
> 6 such keycloak clusters (a farm).
> But, I want my end users to be totally unaware of this.. they should just
> be talking to keycloak on a single url, something like
> https://kecloak-yourserver/auth/realms/realm1/
> Internally, I am planning to resolve realm-names to a specific farm.. e.g.
> realm1 -> keycloakCluster2, realmA -> keycloakCluster1 etc..
>
> Anybody out there tried such a thing on Cloud (AWS)?
> If so, please share your experience/pain points..
> This will go a long way in helping me scale keycloak horizontally in one
> of my prod deployments.
> Madhu
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>


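The routing layer sketched in the thread (a realm-to-farm registry in front of the farms, header enrichment so the ALB/ingress can pick a farm, least-loaded placement on realm creation, and fan-out of master-realm writes so all farms stay consistent) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from Keycloak, from the list, or from either poster. The farm names, internal URLs, versions, the `X-Keycloak-Farm` header name and the sample realms are all constructed, and the in-memory registry stands in for whatever key/value store is actually used. It also drops any farm header a client supplies, since the proxy, not the caller, must decide where a request lands.

```python
"""Routing layer for a farm of Keycloak clusters, keyed by realm.

Added example for the thread above; not code from Keycloak or from the poster.
Farm names, URLs, versions, realm names and the header name are constructed.
"""
from dataclasses import dataclass, field

FARM_HEADER = "X-Keycloak-Farm"      # hypothetical header the proxy sets for the LB
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Farm:
    name: str
    base_url: str           # constructed internal URL of the farm's load balancer
    keycloak_version: str   # farms may run different versions (e.g. 4.5 vs 5.0)
    realms: set = field(default_factory=set)


@dataclass
class Decision:
    status: int     # 200 = forward, 400 = bad request, 404 = unknown realm, 409 = exists
    targets: list   # farm names that receive the request (several for fan-out)
    headers: dict   # headers the proxy adds before dispatch


class RealmRegistry:
    """In-memory stand-in for the key/value registry (Redis, DynamoDB, ...)."""

    def __init__(self, farms):
        self.farms = {f.name: f for f in farms}
        self.realm_to_farm = {r: f.name for f in farms for r in f.realms}

    def lookup(self, realm):
        name = self.realm_to_farm.get(realm)
        return self.farms[name] if name else None

    def least_loaded(self):
        # Fewest tenants first; tie-break on name so placement is deterministic.
        return min(self.farms.values(), key=lambda f: (len(f.realms), f.name))

    def assign(self, realm):
        """Place a new realm on the least-loaded farm; None if the name is taken."""
        if realm in self.realm_to_farm:
            return None
        farm = self.least_loaded()
        farm.realms.add(realm)
        self.realm_to_farm[realm] = farm.name
        return farm


def realm_from_path(path):
    """Realm name from /auth/realms/<realm>/... or /auth/admin/realms/<realm>/..."""
    parts = [p for p in path.split("/") if p]
    for i, p in enumerate(parts):
        if p == "realms" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def strip_client_headers(headers):
    """Drop any farm header a client sent: only the proxy may steer requests."""
    return {k: v for k, v in headers.items() if k.lower() != FARM_HEADER.lower()}


def route(registry, method, path, body_realm=None):
    """Decide which farm(s) one request goes to and which header the proxy adds."""
    parts = [p for p in path.split("/") if p]
    realm = realm_from_path(path)

    # Realm creation: POST /auth/admin/realms, the realm name is in the JSON body.
    if method == "POST" and realm is None and parts[-2:] == ["admin", "realms"]:
        if body_realm is None:
            return Decision(400, [], {})
        farm = registry.assign(body_realm)
        if farm is None:
            return Decision(409, [], {})
        return Decision(200, [farm.name], {FARM_HEADER: farm.name})

    if realm is None:
        return Decision(404, [], {})

    # Master realm must look identical on every farm: fan out writes, read from one.
    if realm == "master":
        names = sorted(registry.farms)
        targets = names if method in WRITE_METHODS else names[:1]
        return Decision(200, targets, {FARM_HEADER: ",".join(targets)})

    farm = registry.lookup(realm)
    if farm is None:
        return Decision(404, [], {})
    return Decision(200, [farm.name], {FARM_HEADER: farm.name})


def demo_registry():
    """Constructed two-farm layout used by the usage below."""
    return RealmRegistry([
        Farm("farm-a", "https://farm-a.internal", "4.5", {"realm1", "realm2"}),
        Farm("farm-b", "https://farm-b.internal", "5.0", {"realmA"}),
    ])


if __name__ == "__main__":
    reg = demo_registry()
    print(route(reg, "GET", "/auth/realms/realm1/protocol/openid-connect/token"))
    print(route(reg, "POST", "/auth/admin/realms", body_realm="realm3"))
    print(route(reg, "POST", "/auth/admin/realms/master/users"))
```

Two details matter operationally. Unknown realms are rejected at the proxy (404) before any farm sees them, which keeps probing of non-existent tenants off the Keycloak nodes; and the `Farm.keycloak_version` field is where the per-version creation template from the thread would be selected, since the farm chosen by `assign` determines which API format the POST body must use.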