Connect Keycloak with an external Infinispan

Building block for an Infinispan deployment on Kubernetes

This topic describes advanced Infinispan configurations for Keycloak on Kubernetes.

Architecture

This setup connects Keycloak to Infinispan over TCP connections secured by TLS 1.3. Keycloak verifies Infinispan's server certificate against its own truststore. When Keycloak is deployed with its Operator on OpenShift, as in the prerequisites listed below, the Operator has already added service-ca.crt, the CA that signs Infinispan's server certificates, to that truststore. In other environments, add the CA certificate that signed Infinispan's server certificate to Keycloak's truststore.

Procedure

  1. Create a Secret with the username and password to connect to the external Infinispan deployment:

    apiVersion: v1
    kind: Secret
    metadata:
      name: remote-store-secret
      namespace: keycloak
    type: Opaque
    data:
      username: ZGV2ZWxvcGVy # base64 encoding for 'developer'
      password: c2VjdXJlX3Bhc3N3b3Jk # base64 encoding for 'secure_password'
  2. Extend the Keycloak Custom Resource with additionalOptions as shown below.

    All the memory, resource and database configuration is omitted from the CR below, as it is already described in the Deploy Keycloak for HA with the Keycloak Operator guide. Administrators should leave that configuration untouched.

    apiVersion: k8s.keycloak.org/v2alpha1
    kind: Keycloak
    metadata:
      labels:
        app: keycloak
      name: keycloak
      namespace: keycloak
    spec:
      additionalOptions:
        - name: cache-remote-host (1)
          value: "infinispan.keycloak.svc"
        - name: cache-remote-port (2)
          value: "11222"
        - name: cache-remote-username (3)
          secret:
            name: remote-store-secret
            key: username
        - name: cache-remote-password (4)
          secret:
            name: remote-store-secret
            key: password
        - name: spi-connections-infinispan-quarkus-site-name (5)
          value: keycloak
    1 The hostname of the remote Infinispan cluster.
    2 The port of the remote Infinispan cluster. This is optional and defaults to 11222.
    3 The Secret name and key with the Infinispan username credential.
    4 The Secret name and key with the Infinispan password credential.
    5 The spi-connections-infinispan-quarkus-site-name is an arbitrary Infinispan site name that Keycloak needs for its embedded Infinispan caches when a remote store is used. This site name applies only to Keycloak's own caches and does not need to match any value in the external Infinispan deployment. If you run Keycloak in multiple sites in a cross-DC setup, such as Deploy Infinispan for HA with the Infinispan Operator, the site name must differ in each site.
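The following shell script is an added example and not part of the Keycloak documentation or the Keycloak project. It renders both manifests from the two procedure steps above, taking the credentials from arguments instead of hand-encoded base64, so that the common mistake of encoding a trailing newline with echo cannot happen. The resource names and the Infinispan hostname mirror the values used above; writing cache-remote-tls-enabled out explicitly, although it defaults to true, is this example's choice.

```shell
#!/usr/bin/env bash
# Added example, not from the Keycloak docs: render the Secret and the
# Keycloak CR from the procedure above, with credentials taken from
# arguments instead of hand-encoded base64. Names and hostnames are
# assumptions that mirror the values used in the procedure.
set -euo pipefail

# Encode a value for a Secret's data: block. 'printf %s' deliberately emits
# no trailing newline: 'echo developer | base64' would encode the newline
# too, the decoded password would end in '\n', and Infinispan would reject
# the login. 'tr' strips the line wrapping some base64 builds add.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode a data: value back to its plain form (used for round-trip checks).
b64_decode() { printf '%s' "$1" | base64 -d; }

# Returns 0 when the decoded value does not end in a newline, 1 when it does
# (the symptom of a value encoded with echo instead of printf).
no_trailing_newline() {
  [ "$(b64_decode "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')" != "0a" ]
}

# Secret holding the Infinispan credentials (step 1).
secret_manifest() { # $1=name $2=namespace $3=username $4=password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  username: $(b64 "$3")
  password: $(b64 "$4")
EOF
}

# additionalOptions for the Keycloak CR (step 2). cache-remote-tls-enabled
# defaults to true; it is written out explicitly so that a later change to
# plain TCP has to show up as a diff in the manifest.
keycloak_cr() { # $1=namespace $2=infinispan host $3=port $4=secret name $5=site name
  cat <<EOF
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  labels:
    app: keycloak
  name: keycloak
  namespace: $1
spec:
  additionalOptions:
    - name: cache-remote-host
      value: "$2"
    - name: cache-remote-port
      value: "$3"
    - name: cache-remote-username
      secret:
        name: $4
        key: username
    - name: cache-remote-password
      secret:
        name: $4
        key: password
    - name: cache-remote-tls-enabled
      value: "true"
    - name: spi-connections-infinispan-quarkus-site-name
      value: $5
EOF
}

# Usage: INFINISPAN_USER=developer INFINISPAN_PASSWORD=... bash render.sh render | kubectl apply -f -
if [ "${1:-}" = "render" ]; then
  secret_manifest remote-store-secret keycloak "${INFINISPAN_USER:?}" "${INFINISPAN_PASSWORD:?}"
  echo '---'
  keycloak_cr keycloak infinispan.keycloak.svc 11222 remote-store-secret keycloak
fi
```

Piping the output into kubectl apply keeps the plain-text password out of files on disk; no_trailing_newline is the check to run against an existing Secret's data field when Infinispan rejects a login that works from the command line.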

Relevant options

cache-remote-host

The hostname of the remote server for the remote store configuration.

It replaces the host attribute of the remote-server tag in the configuration specified via the XML file (see the cache-config-file option). If this option is specified, cache-remote-username and cache-remote-password are required as well, and the related configuration should not be present in the XML file.

CLI: --cache-remote-host
Env: KC_CACHE_REMOTE_HOST

cache-remote-password

The password for the authentication to the remote server for the remote store.

It replaces the password attribute of the digest tag in the configuration specified via the XML file (see the cache-config-file option). If this option is specified, cache-remote-username is required as well, and the related configuration should not be present in the XML file.

CLI: --cache-remote-password
Env: KC_CACHE_REMOTE_PASSWORD

Available only when remote host is set

cache-remote-port

The port of the remote server for the remote store configuration.

It replaces the port attribute of the remote-server tag in the configuration specified via the XML file (see the cache-config-file option).

CLI: --cache-remote-port
Env: KC_CACHE_REMOTE_PORT

Available only when remote host is set

Value: 11222 (default)

cache-remote-tls-enabled

Enable TLS support to communicate with a secured remote Infinispan server.

Recommended to be enabled in production.

CLI: --cache-remote-tls-enabled
Env: KC_CACHE_REMOTE_TLS_ENABLED

Available only when remote host is set

Value: true (default), false

cache-remote-username

The username for the authentication to the remote server for the remote store.

It replaces the username attribute of the digest tag in the configuration specified via the XML file (see the cache-config-file option). If this option is specified, cache-remote-password is required as well, and the related configuration should not be present in the XML file.

CLI: --cache-remote-username
Env: KC_CACHE_REMOTE_USERNAME

Available only when remote host is set
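The shell functions below are an added example, not Keycloak's own validation code. They apply the rules listed above to a set of KC_CACHE_REMOTE_* environment variables, which is how these options are usually passed to a Keycloak container started without the Operator: username and password become mandatory once a host is set, the other options are ignored without a host, the port defaults to 11222, and TLS defaults to on. The function names and messages are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Keycloak's own code: check KC_CACHE_REMOTE_* variables
# against the rules documented for the cache-remote-* options before
# starting a Keycloak container that is configured through its environment.
set -euo pipefail

# Print the effective remote-store settings with the documented defaults
# applied (port 11222, TLS on). Prints nothing when no host is configured,
# because the other options only take effect once the host is set.
effective_remote_store_config() {
  local host="${KC_CACHE_REMOTE_HOST:-}"
  [ -n "$host" ] || return 0
  printf 'host=%s\n' "$host"
  printf 'port=%s\n' "${KC_CACHE_REMOTE_PORT:-11222}"
  printf 'tls=%s\n' "${KC_CACHE_REMOTE_TLS_ENABLED:-true}"
  printf 'username=%s\n' "${KC_CACHE_REMOTE_USERNAME:-}"
  # The password is intentionally never printed.
}

# Returns 0 when the variables form a valid remote-store configuration and
# 1 with a message on stderr otherwise. Disabling TLS is a documented value
# and is accepted, but it is flagged: the credentials and the cache data
# would then cross the network unencrypted.
validate_remote_store_env() {
  local host="${KC_CACHE_REMOTE_HOST:-}" rc=0
  [ -n "$host" ] || return 0   # nothing to validate; dependent options are ignored

  if [ -z "${KC_CACHE_REMOTE_USERNAME:-}" ] || [ -z "${KC_CACHE_REMOTE_PASSWORD:-}" ]; then
    echo "error: KC_CACHE_REMOTE_HOST is set, so KC_CACHE_REMOTE_USERNAME and KC_CACHE_REMOTE_PASSWORD are required" >&2
    rc=1
  fi

  case "${KC_CACHE_REMOTE_PORT:-11222}" in
    ''|*[!0-9]*)
      echo "error: KC_CACHE_REMOTE_PORT must be a port number, got '${KC_CACHE_REMOTE_PORT:-}'" >&2
      rc=1 ;;
  esac

  case "${KC_CACHE_REMOTE_TLS_ENABLED:-true}" in
    true)  ;;
    false) echo "warning: KC_CACHE_REMOTE_TLS_ENABLED=false, credentials and cache data will be sent unencrypted" >&2 ;;
    *)     echo "error: KC_CACHE_REMOTE_TLS_ENABLED must be true or false" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Translate the environment into the equivalent CLI flags for 'kc.sh start'.
# Username and password are deliberately left in the environment rather than
# put on the command line, where any local user could read them from 'ps'.
remote_store_cli_args() {
  local host="${KC_CACHE_REMOTE_HOST:-}"
  [ -n "$host" ] || return 0
  printf -- '--cache-remote-host=%s ' "$host"
  printf -- '--cache-remote-port=%s ' "${KC_CACHE_REMOTE_PORT:-11222}"
  printf -- '--cache-remote-tls-enabled=%s\n' "${KC_CACHE_REMOTE_TLS_ENABLED:-true}"
}
```

A container entrypoint can run validate_remote_store_env before exec'ing Keycloak so that a half-configured remote store fails fast with a readable message instead of at the first cache access.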
