Keycloak with Multiple Standalone Instances connected by Read PostgreSQL Databases


We are trying to set up Keycloak in combination with a PostgreSQL database cluster. The cluster would consist of two Keycloak server instances, one with a write PostgreSQL and the other with a read PostgreSQL.
The only problem I see is how people can change their passwords when they are on the Keycloak instance with the read-only Postgres.

Is there an option to forward or disable the registration when on this instance?

Thank you and greetings


Is there a reason you want this architecture?

I would suggest you try out the domain mode or maybe the standalone-ha mode.

But does the standalone-ha or domain mode setup solve my problem with only one writable PostgreSQL and the others readable?
In the documentation I always found the assumption that all databases are writable.

The reason for the standalone setup is that the instances are running in isolated computation centers, and I would prefer not to need additional communication between them.

You are right, it doesn't solve your problem.
Can you tell more about your problem and why you need a read-only Postgres?

To support high availability we want to distribute Keycloak over multiple data centers. If one crashes, the other data center will take over the work. Keycloak itself we don't see as a problem, but we need to save the data, and Postgres supports out of the box only a master/slave setup. I would need to add a middleware or another piece of software to make all PostgreSQL instances masters.

In my understanding the authentication itself is no problem when Keycloak cannot write to the database. The problem comes with registration (and adding an OTP token in our case). For us it would be fine to display a dialog when the user is on the read-only Keycloak instance: "Registration currently not available".

Is this possible?

Or what would be a recommended setup if I want to use Postgres as the database?

I still can't understand why you need one instance to be connected to a read-only Postgres. I'm not sure that's an option, so I'm trying to understand the situation you are in.

I got that you would like it to be HA and DR and so on; distributing it over different DCs is a good solution.

But why would you need that from one DC everything will be normal, and from the other just read-only?

Keycloak does support cross-datacenter operation, but not read-only DB access. There's no active/passive scenario when running KC in a cluster; all nodes are equal.

Is there any software you can recommend to run PostgreSQL active/active? The main problem derives from the unavailability of an (open-source) active/active cluster option for Postgres.

Or is the recommended setup with MariaDB?

I don't know anything about database cluster/HA strategies; that's not my focus. I'm just using them.

There is no recommendation from Keycloak about which database to use. Most major relational databases are supported, as mentioned in the docs.