Keycloak active-active Docker

Hi,

I would like to set up 2 Keycloak instances in active-active mode using an external Infinispan server.
Questions are:

  • Could we use the same Infinispan for both instances to simplify things?
  • Is anyone who has succeeded at this willing to share their Infinispan configuration and Keycloak conf?

I tried with one external server using KC24 but struggled to get something working, as documentation is pretty sparse on the topic for people who aren’t Java addicts.

Thanks,

So far, officially you will find active-passive deployments in Keycloak [1].

Check out [2] the thread where they mention solving some blockers for active/active multi-site support.

[1] Concepts for active-passive deployments - Keycloak
[2] Persistent user sessions (preview) · keycloak/keycloak · Discussion #28271 · GitHub

Hi @Arnaud-F, by Active-Active, you want a setup that has a cluster running in Region X and another running in Region Y and ensure that both clusters stay in sync and can serve users at any time?

Hi,

Sorry for the late reply.
Presently the active-active will be between two instances of Keycloak that are 100m apart (two separate buildings), not between regions/continents.

Indeed having them both in sync to achieve the active-active is what I want.
I would like to avoid the active/passive mode where you have a lot of manual work to do to restart the primary server.

Thanks

If the latency is small enough between the two locations, you can use a regular cluster setup and both nodes are active-active by default. It all depends on the latency…

100 miles or 100 meters?

As a reference, the typical data centers (availability zones) in AWS within the same region are ~60 miles (100 km) apart.

That distance would generate between 4 and 10 ms of latency on average.

Most clusters will typically run with servers in different zones with such a setup with no problem. Same goes for Keycloak and even your database cluster.

I haven’t actually tried to figure out what the latency threshold is, since we mostly deploy within AZs of cloud providers. Do you have any experience, or are you aware of the latency values at which problems occur? Furthermore, what are the problems? Additional request latency? Or some other failures?

I’ve had some discussions recently with someone from the Infinispan team and with Alexander from the Keycloak team. Infinispan can run into problems if latency is >30ms (not a guaranteed and verifiable statement!).
Additionally, if you run a cluster on multi-region, you’d not only have to sync Infinispan, but also the DB. These are two sync processes running independently of each other, which may cause timing/availability problems (data is available in cache, but not in DB, or vice versa).


Hi,

Latency is pretty low (<10ms); I'm struggling with using external Infinispan as I’m not a Java guy and the doc is not clear enough.

Awaiting Keycloak 26 to store sessions in the DB to make things simpler on my side.

Thanks
