Preventing loss of session data during upgrades

We’re planning to use Keycloak as our new authentication. We’ll have hundreds of thousands of users, authentication and offline sessions. We would like to avoid losing session data during planned upgrades.

Our plan is to deploy Keycloak to Kubernetes with a remote Infinispan cluster that’s also deployed in Kubernetes. This is similar to the cross-datacenter setup described in the documentation, except we won’t have a second site.

The upgrade procedure requires shutting down Keycloak, running the upgrade script and then deploying the new version. Given that we use an external Infinispan cluster, is it safe to assume that after an upgrade Keycloak will be able to reload existing session data on startup? The implementation of the Infinispan entities is stable and hasn’t changed in a few years. Is there anything else to consider?

Thanks,
Todd


Hello,
Could you find a solution?

> is it safe to assume that after an upgrade Keycloak will be able to reload existing session data on startup?

Yes. Assuming your remote configuration is set up properly, this is a common way of doing large deployments that have this requirement.

> Is there anything else to consider?

  1. Don’t distribute realms/users/authorization/keys caches to remote Infinispan. Those are just performance caches, and should be cleared, especially on upgrade.
  2. Consider running your Infinispan cluster with a cache store (Persistent Cache Stores) if you really really don’t want to lose sessions.