Keycloak Cluster / High Availability (Quarkus version) set up

I am noticing an authentication session syncing issue when multiple Keycloaks (ver 20 Quarkus) are running in a cluster. I could not find any official documentation or example on how to set up a cluster. So far I have collected the following env variables by doing a Google search.

KC_CACHE: ispn
KC_CACHE_STACK: kubernetes
JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless

What does “keycloak-headless” represent? Is it the Keycloak cluster service name? Anyway, the above setup is not working. A pointer to a how-to doc or some example will help.

Thanks,
Kabi

Hey @kabi.patt

Have you seen this?


Thanks @gsmith for mentioning this :wink:

Not to forget the official docs, which are always worth having a look at!


Thank you @gsmith and @dasniko! Yes, I have seen this and I picked up the 3 new env variables (mentioned above) from this article. But I am not able to make it work in Kubernetes.

  1. Does this setup not work when Keycloak is running in dev mode (kc.sh start-dev)?
  2. What does the value “keycloak” below refer to? Is it the STS (stateful-service) name that points to multiple Keycloak pods keycloak-1, keycloak-2?
    command: start-dev -Djgroups.dns.query=keycloak

Disclaimer: I don't have enough knowledge about K8s…

keycloak is the service name, under which the nodes are registered in the DNS. DNS_PING queries the DNS (hence the name) for all IPs which are registered under that name. With these IPs, the nodes can create a cluster.
Probably you have to start additional, so-called “headless” services to get it to work, but that’s something K8s specific… (see disclaimer)

keycloak-1 and keycloak-2 are the two hostnames of the nodes which are running, so that Nginx knows where to spread the traffic to.

Note: My gist is a working example for a Docker Compose approach under Docker Swarm mode. Depending on your environment, you have to make adjustments which are not necessarily Keycloak related, but environment/infrastructure related!


Thank you for the explanation. I will take it from here.

Did you get a breakthrough with the above issue you are facing? I’m running into the same problem.

Still not done with my experiments. The following env variable did not work.

        - name: jgroups.dns.query
          value: <keycloak-service-name>

I am yet to try the below.

        - name: jgroups.dns.query
          value: <keycloak-service-name>.abcxx.svc.cluster.local

@kabi.patt But I use the keycloak service name, and that is workable.

  - name: jgroups.dns.query
    value:

That is my deployment YAML file.

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    app: keycloak
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 3
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: Quay
          args: ["start"]
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
            - name: KC_PROXY
              value: "edge"
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL_HOST
              value: "postgres"
            - name: KC_DB_USERNAME
              value: "keycloak"
            - name: KC_DB_PASSWORD
              value: "keycloak"
            - name: KC_DB_URL_DATABASE
              value: "keycloak"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
            - name: KC_HOSTNAME_STRICT
              value: "false"
            - name: KC_CACHE
              value: "ispn"
            - name: KC_CACHE_STACK
              value: "kubernetes"
            #- name: KC_LOG_LEVEL
            #  value: "INFO,org.infinispan:DEBUG,org.jgroups:DEBUG"
            - name: jgroups.dns.query
              value: keycloak
          ports:
            - name: jgroups
              containerPort: 7800
            - name: http
              containerPort: 8080
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
            successThreshold: 1
          livenessProbe:
            httpGet:
              path: /health/live
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
            successThreshold: 1

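The “headless” Service that dasniko's reply refers to, shown as a companion to the ClusterIP Service in the deployment YAML above; this is an added example and not part of any post in this thread. It assumes the pod label app=keycloak and the JGroups containerPort 7800 from the posted Deployment, and <your-namespace> is a placeholder.

```yaml
# Added example (not from the thread): a headless Service for JGroups DNS_PING.
# Assumed: pods labelled app=keycloak and JGroups on containerPort 7800,
# as in the Deployment posted above. <your-namespace> is a placeholder.
#
# Pair it with these settings on the Keycloak container:
#   KC_CACHE=ispn
#   KC_CACHE_STACK=kubernetes
#   JAVA_OPTS_APPEND=-Djgroups.dns.query=keycloak-headless
# The short name resolves through the pod's DNS search domains; the fully
# qualified form is keycloak-headless.<your-namespace>.svc.cluster.local
apiVersion: v1
kind: Service
metadata:
  name: keycloak-headless          # the name handed to -Djgroups.dns.query
  namespace: <your-namespace>
  labels:
    app: keycloak
spec:
  clusterIP: None                  # headless: DNS returns each pod IP, not one virtual IP
  publishNotReadyAddresses: true   # also list pods whose readiness probe has not passed
                                   # yet, so a node that is still starting can find peers
  selector:
    app: keycloak
  ports:
    - name: jgroups                # only the cluster port; HTTP stays on the
      port: 7800                   # regular ClusterIP Service posted above
      targetPort: 7800
```

A ClusterIP Service name resolves to one virtual IP, whereas a headless Service name resolves to the address of every selected pod, which is what DNS_PING needs. From inside any pod in the namespace, `nslookup keycloak-headless` should list one address per Keycloak pod.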