Infinispan Deployment: Single Cluster

This describes the Infinispan deployment in a single cluster environment.

Audience

This guide describes the procedure required to deploy Infinispan in a single cluster environment. For simplicity, this guide uses the minimum configuration possible that allows Keycloak to be used with an external Infinispan.

See Running in production for additional guides.

Prerequisites

Procedure

  1. Install the Infinispan Operator

  2. Configure the credential to access the Infinispan cluster.

    Keycloak needs this credential to authenticate with the Infinispan cluster. The following identities.yaml file defines a user with the admin role; replace the placeholder password with a strong, unique one before creating the secret.

    credentials:
      - username: developer
        password: strong-password
        roles:
          - admin

    The identities.yaml file can be stored in a Secret in either of the following ways:

    • As a Kubernetes Resource:

      Credential Secret
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: connect-secret
        namespace: keycloak
      data:
        identities.yaml: Y3JlZGVudGlhbHM6CiAgLSB1c2VybmFtZTogZGV2ZWxvcGVyCiAgICBwYXNzd29yZDogc3Ryb25nLXBhc3N3b3JkCiAgICByb2xlczoKICAgICAgLSBhZG1pbgo= (1)
      1 The identities.yaml from the previous example base64 encoded.
    • Using the CLI

      kubectl create secret generic connect-secret -n keycloak --from-file=identities.yaml

      The -n keycloak flag places the Secret in the same namespace as the Infinispan CR that references it. See the Configuring Authentication documentation for more details.

  3. Create an Infinispan cluster.

    The Creating Infinispan clusters documentation provides all the information on how to create and configure your Infinispan cluster.

    Infinispan CR
    apiVersion: infinispan.org/v1
    kind: Infinispan
    metadata:
      name: infinispan (1)
      namespace: keycloak
      annotations:
        infinispan.org/monitoring: 'true' (2)
    spec:
      replicas: 3
      jmx:
        enabled: true
      security:
        endpointSecretName: connect-secret (3)
      service:
        type: DataGrid
    1 The cluster name
    2 Allows the cluster to be monitored by Prometheus
    3 When using a custom credential, set this to the name of the Secret created in the previous step.
  4. Create the caches for Keycloak.

    Keycloak requires the following caches to be present: sessions, actionTokens, authenticationSessions, offlineSessions, clientSessions, offlineClientSessions, loginFailures, and work.

    Use the Infinispan Cache CR to deploy the caches in the Infinispan cluster.

    See below for an example for the sessions cache. Repeat this for all other caches listed above.

    Cache CR for the sessions cache
    apiVersion: infinispan.org/v2alpha1
    kind: Cache
    metadata:
      name: sessions
      namespace: keycloak
    spec:
      clusterName: infinispan
      name: sessions
      template: |-
        distributedCache:
          mode: "SYNC"
          owners: "2"
          statistics: "true"
          remoteTimeout: "5000"
          encoding:
            media-type: "application/x-protostream"
          locking:
            acquireTimeout: "4000"
          transaction:
            mode: "NON_XA"
            locking: "PESSIMISTIC"
          stateTransfer:
            chunkSize: "16"
          indexing:
            enabled: true
            indexed-entities:
            - keycloak.RemoteUserSessionEntity

    The Infinispan documentation contains more detail about cache configuration and its options.
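    The credential and cache steps above as one script, added here as an illustration and not part of the Keycloak or Infinispan documentation. It renders the Secret from step 2 with a random password in place of the placeholder strong-password and checks that the Secret decodes back to the intended username, renders one Cache CR per cache from step 4 with the template shown there, and applies them only when APPLY=1 is set and kubectl is present. It assumes the Infinispan CR from step 3 has already been applied, and it knows the indexed entity only for sessions (keycloak.RemoteUserSessionEntity, from the guide); the other caches are rendered without an indexing block until you fill in the values from the Keycloak documentation for your version. Each Cache's metadata.name is lowercased because Kubernetes object names must be RFC 1123 subdomains, while spec.name keeps the camelCase cache name Keycloak looks up.

```shell
#!/bin/sh
# Added example, not part of the Keycloak or Infinispan documentation: render the
# credential Secret (step 2) and one Cache CR per Keycloak cache (step 4), check that
# the Secret decodes to the intended user, and apply only when APPLY=1 is set.
set -eu

NAMESPACE="${NAMESPACE:-keycloak}"    # namespace used by every manifest in the guide
CLUSTER="${CLUSTER:-infinispan}"      # Infinispan CR name, used as spec.clusterName
SECRET="${SECRET:-connect-secret}"    # security.endpointSecretName in the Infinispan CR
ISPN_USER="${ISPN_USER:-developer}"   # user Keycloak authenticates with (admin role)

# The caches Keycloak requires, from step 4 of the guide.
KEYCLOAK_CACHES="sessions actionTokens authenticationSessions offlineSessions"
KEYCLOAK_CACHES="$KEYCLOAK_CACHES clientSessions offlineClientSessions loginFailures work"

# 32 random alphanumeric characters instead of the guide's placeholder "strong-password".
gen_password() {
  head -c 64 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# identities.yaml granting the admin role, byte-for-byte as in step 2.
render_identities() {  # $1=username $2=password
  printf 'credentials:\n  - username: %s\n    password: %s\n    roles:\n      - admin\n' "$1" "$2"
}

# Secret manifest with identities.yaml base64-encoded under .data, as in step 2.
render_secret() {  # $1=username $2=password
  encoded=$(render_identities "$1" "$2" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\n' "$SECRET" "$NAMESPACE"
  printf 'data:\n  identities.yaml: %s\n' "$encoded"
}

# Decode .data["identities.yaml"] of a rendered Secret (stdin) and print its username.
secret_username() {
  sed -n 's/^  identities.yaml: //p' | base64 -d | sed -n 's/^  - username: //p'
}

# Indexed entity per cache. The guide shows keycloak.RemoteUserSessionEntity for
# sessions only; the other caches are ASSUMED to need none here. Fill them in from
# the Keycloak documentation for your version before applying.
indexed_entity() {  # $1=cache name
  case "$1" in
    sessions) printf 'keycloak.RemoteUserSessionEntity' ;;
    *)        printf '' ;;
  esac
}

# Cache CR with the template from step 4. metadata.name must be a lowercase RFC 1123
# subdomain; spec.name keeps the camelCase cache name Keycloak looks up.
render_cache() {  # $1=cache name
  k8s_name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  cat <<EOF
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
  name: ${k8s_name}
  namespace: ${NAMESPACE}
spec:
  clusterName: ${CLUSTER}
  name: $1
  template: |-
    distributedCache:
      mode: "SYNC"
      owners: "2"
      statistics: "true"
      remoteTimeout: "5000"
      encoding:
        media-type: "application/x-protostream"
      locking:
        acquireTimeout: "4000"
      transaction:
        mode: "NON_XA"
        locking: "PESSIMISTIC"
      stateTransfer:
        chunkSize: "16"
EOF
  entity=$(indexed_entity "$1")
  if [ -n "$entity" ]; then
    printf '      indexing:\n        enabled: true\n        indexed-entities:\n        - %s\n' "$entity"
  fi
}

# Write every manifest to OUT_DIR (a temp dir by default); touch the cluster only with APPLY=1.
main() {
  out="${OUT_DIR:-$(mktemp -d)}"
  mkdir -p "$out"
  render_secret "$ISPN_USER" "${ISPN_PASSWORD:-$(gen_password)}" > "$out/secret.yaml"
  [ "$(secret_username < "$out/secret.yaml")" = "$ISPN_USER" ] || { echo "Secret check failed" >&2; exit 1; }
  for cache in $KEYCLOAK_CACHES; do
    render_cache "$cache" > "$out/cache-$(printf '%s' "$cache" | tr '[:upper:]' '[:lower:]').yaml"
  done
  echo "manifests written to $out (the password exists only inside secret.yaml)"
  if [ "${APPLY:-0}" = "1" ] && command -v kubectl >/dev/null 2>&1; then
    kubectl apply -f "$out/secret.yaml"
    # The Infinispan CR from step 3 must already be applied; wait for the cluster before adding caches.
    kubectl wait --for condition=WellFormed --timeout=300s infinispans.infinispan.org -n "$NAMESPACE" "$CLUSTER"
    for f in "$out"/cache-*.yaml; do kubectl apply -f "$f"; done
  fi
}

main
```

    Set ISPN_PASSWORD to reuse an existing password and OUT_DIR to choose where the manifests land; without APPLY=1 the script only writes files, so you can review the rendered YAML (and diff the decoded identities.yaml against what you expect) before anything reaches the cluster.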

Verifying the deployment

Confirm that the Infinispan cluster is formed.

Wait until the Infinispan cluster is formed
kubectl wait --for condition=WellFormed --timeout=300s infinispans.infinispan.org -n keycloak infinispan