External Infinispan Deployments #28745
Comments
Quick question: Does this imply that also single-site deployments with multiple instances would need to set up an external Infinispan instance/cluster to be able to operate, or will all data be shared via the database in such a scenario?
@sventorben It doesn't.
Do you support the Keycloak which 3-node cluster Pods to two k8s clusters and uses fixed IP addresses for communication?
Does the Keycloak operator support Infinispan high availability deployment only? How can I change the support if I am using k8s sts?
Yes. It is mostly transparent for the Keycloak side, but the external Infinispan needs to be configured with cross-site enabled. A single external Infinispan shared between the Keycloak cluster also works, but it will be a single point of failure.
You need to configure the trust store because Keycloak uses TLS to communicate with the external Infinispan. Then, configure the credentials for access, as described in the documentation, converting the Keycloak Operator option into the stateful set environment variables. For the external Infinispan, you need to install the Infinispan operator as documented here.
I used it and config but not ready! Lost some config?
@u2bo do you want to create a GitHub discussion and share your configuration and logs?
Description
In the context of multi-site high availability deployment, this issue suggests the removal of the embedded clustered caches and using the required external Infinispan server in cross-site mode only.
This is a requirement for Active-Active deployments.
Motivation
Keeping the embedded clustered caches in sync with the external Infinispan is not simple. The current solution relies on events streaming to asynchronously update the embedded caches in both sites (sessions mostly), which is costly. Parts of the code also require all sessions to be available in the embedded caches and do not fetch any updated value from the external Infinispan (search for the SKIP_CACHE_LOAD flag).
To simplify the architecture and Keycloak source code, the proposal is to remove those embedded caches.
The drawback focuses mainly on performance:
num_owners / number of Keycloak servers of finding the data locally and avoiding any network call. With the external Infinispan, a remote call is required (except if near-caching is enabled).
There are benefits from this approach too. Besides the simplified source code, write operations would be faster since only the external Infinispan replicates data. Keycloak will be stateless, improving the startup times and, if possible by Keycloak logic, allowing different Keycloak versions to participate. Finally, upgrading Keycloak does not lose the sessions stored in the external Infinispan.
Tasks