I just want to know if external infinispan is required for setting up Keycloak HA?
No, but you may need to configure the distributed cached Keycloak comes configured with.
Out of the box in the default configuration, with no intervention needed, N instances of Keycloak running on (virtual or physical) machines on the same subnet will automagically find each other via multicast UDP and form a cluster.
In a container environment, you’ll need to help Keycloak find the other instances. Take a look at Configuring distributed caches - Keycloak.
This documentation is somewhat sparse, but the idea is that you configure a discovery mechanism and (probably want to) leave the rest to jgroups (the underlying cluster engine used by keycloak).
For kubernetes, use KC_STACK=kubernetes
, create a headless service and set a property used by jgroups (-Djgroups.dns.query=<headless-service-FQDN>
) using environment variable JAVA_OPTS_APPEND
.
So, if your namespace is my_namespace
, your headless service is called keycloak-headless
, you have:
KC_STACK=kubernetes
JAVA_OPTS_APPEND=-Djgroups.dns.query=keycloak-headless.my_namespace.svc.cluster.local
The .my_namespace.svc.cluster.local
part is optional, but included for the sake of completeness.
Please note that CLUSTERED MODE DEPENDS ON AN EXTERNAL DATABASE. Although Keycloak runs by default with an ephemeral in-memory database, to correctly run as a cluster, you’ll need an external database. It should be pretty simple. Just create a database, set the credentials and keycloak will create and populate the schema.
Thanks @weltonrodrigo.
I have used same config as you have mentioned along with External DB.
I will tryout distributed caching setup.
Thanks
I followed the same instruction mentioned by @weltonrodrigo and I was facing error on startup. However, I changed the Keycloak from k8s Deployment to k8s StateFulSet and issue was resolved.