Infinispan Deployment: Single Cluster

This describes the Infinispan deployment in a single cluster environment.

Audience

This guide describes the procedure required to deploy Infinispan in a single cluster environment. For simplicity, this guide uses the minimum configuration possible that allows Keycloak to be used with an external Infinispan.

See Running in production for additional guides.

Prerequisites

Procedure

  1. Install the Infinispan Operator

  2. Configure the credential to access the Infinispan cluster.

    Keycloak needs this credential to be able to authenticate with the Infinispan cluster. The following identities.yaml file sets the username and password with admin permissions

    credentials:
      - username: developer
        password: strong-password
        roles:
          - admin

    The identities.yaml could be set in a secret as one of the following:

    • As a Kubernetes Resource:

      Credential Secret
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: connect-secret
        namespace: keycloak
      data:
        identities.yaml: Y3JlZGVudGlhbHM6CiAgLSB1c2VybmFtZTogZGV2ZWxvcGVyCiAgICBwYXNzd29yZDogc3Ryb25nLXBhc3N3b3JkCiAgICByb2xlczoKICAgICAgLSBhZG1pbgo= (1)
      1 The identities.yaml from the previous example base64 encoded.
    • Using the CLI

      kubectl create secret generic connect-secret --from-file=identities.yaml

      Check Configuring Authentication documentation for more details.

  3. Create an Infinispan cluster.

    The Creating Infinispan clusters documentation provides all the information on how to create and configure your Infinispan cluster.

    Infinispan CR
    apiVersion: infinispan.org/v1
    kind: Infinispan
    metadata:
      name: infinispan (1)
      namespace: keycloak
      annotations:
        infinispan.org/monitoring: 'true' (2)
    spec:
      replicas: 3
      jmx:
        enabled: true
      security:
        endpointSecretName: connect-secret (3)
      service:
        type: DataGrid
    1 The cluster name
    2 Allows the cluster to be monitored by Prometheus
    3 If using a custom credential, configure here the secret name created in the previous step.
  4. Create the caches for Keycloak.

    Keycloak requires the following caches to be present: sessions, actionTokens, authenticationSessions, offlineSessions, clientSessions, offlineClientSessions, loginFailures, and work.

    Use the Infinispan Cache CR to deploy the caches in the Infinispan cluster.

    See below for an example for the sessions cache. Repeat this for all other caches listed above.

    Cache CR for the sessions cache
    apiVersion: infinispan.org/v2alpha1
    kind: Cache
    metadata:
      name: sessions
      namespace: keycloak
    spec:
      clusterName: infinispan
      name: sessions
      template: |-
        distributedCache:
          mode: "SYNC"
          owners: "2"
          statistics: "true"
          remoteTimeout: "5000"
          encoding:
            media-type: "application/x-protostream"
          locking:
            acquireTimeout: "4000"
          transaction:
            mode: "NON_DURABLE_XA" (1)
            locking: "PESSIMISTIC" (2)
          stateTransfer:
            chunkSize: "16"
          indexing:
            enabled: true
            indexed-entities:
            - keycloak.RemoteUserSessionEntity
          

    The Infinispan documentation contains more detail about cache configuration ands its options.

Verifying the deployment

Confirm that the Infinispan cluster is formed.

Wait until the Infinispan cluster is formed
kubectl wait --for condition=WellFormed --timeout=300s infinispans.infinispan.org -n keycloak infinispan