What is the current state of support for CockroachDB?

I’ve done a few searches and it seems the Keycloak development is working toward full support of CockroachDB, but I haven’t seen any clear guidance on using this database platform. The list at Configuring the database - Keycloak does not include CRDB.

What risks am I taking by marrying these two technologies on a low-volume production workload?

Keycloak (official) plans support for CRDB in the “new” store, but will never support CRDB for the “legacy” store. We attempted to get a patch merged that enables it, but it was refused. We maintain a docker image that is up to date with Keycloak releases that contains our patch. Quay

It must be run with a few configuration options set:

KC_TRANSACTION_XA_ENABLED=false
KC_TRANSACTION_JTA_ENABLED=false
KC_DB=cockroach

Are you using the docker image referenced above? This works fine for me:

docker run -p 8081:8081 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
-e KC_TRANSACTION_XA_ENABLED=false \
-e KC_TRANSACTION_JTA_ENABLED=false \
-e KC_DB=cockroach \
-e KC_HOSTNAME_STRICT=false \
-e KC_DB_USERNAME=keycloak-user \
-e KC_DB_PASSWORD=keycloak-password \
-e KC_DB_URL=jdbc:postgresql://localhost:26257/keycloak_db_20 \
quay.io/phasetwo/keycloak-crdb start --hostname-port=8081

I used quay.io/keycloak/keycloak:20.0.3
I added --storage=jpa after start, and now it works fine.

For quay.io/phasetwo/keycloak-crdb - works fine without --storage=jpa

When can users expect the “new” store to be production-ready?

The Keycloak maintainers might have an answer to that. A better place to ask that question would be in the discussions on the official GitHub repo.