Infinispan Deployment: Single Cluster
This describes the Infinispan deployment in a single cluster environment.
Audience
This guide describes the procedure required to deploy Infinispan in a single cluster environment. For simplicity, this guide uses the minimum configuration possible that allows Keycloak to be used with an external Infinispan.
See Running in production for additional guides.
Prerequisites
- OpenShift or Kubernetes cluster running
- Understanding of the Infinispan Operator
Procedure
1. Install the Infinispan Operator.

2. Configure the credential to access the Infinispan cluster.

   Keycloak needs this credential to authenticate with the Infinispan cluster. The following identities.yaml file sets a username and password with admin permissions (strong-password is a placeholder; substitute your own secret):

   credentials:
     - username: developer
       password: strong-password
       roles:
         - admin

   The identities.yaml can be stored in a Kubernetes Secret in either of the following ways:

   - As a Kubernetes resource:

     Credential Secret
     apiVersion: v1
     kind: Secret
     type: Opaque
     metadata:
       name: connect-secret
       namespace: keycloak
     data:
       identities.yaml: Y3JlZGVudGlhbHM6CiAgLSB1c2VybmFtZTogZGV2ZWxvcGVyCiAgICBwYXNzd29yZDogc3Ryb25nLXBhc3N3b3JkCiAgICByb2xlczoKICAgICAgLSBhZG1pbgo= (1)

     1 The identities.yaml from the previous example, base64 encoded.

   - Using the CLI:

     kubectl create secret generic connect-secret --from-file=identities.yaml

     kubectl creates the Secret in the namespace of the current context, so run this against the keycloak namespace (for example with -n keycloak); the Infinispan CR in the next step looks the Secret up by name in its own namespace.

   Check the Configuring Authentication documentation for more details.
3. Create an Infinispan cluster.

   The Creating Infinispan clusters documentation provides all the information on how to create and configure your Infinispan cluster.

   Infinispan CR
   apiVersion: infinispan.org/v1
   kind: Infinispan
   metadata:
     name: infinispan (1)
     namespace: keycloak
     annotations:
       infinispan.org/monitoring: 'true' (2)
   spec:
     replicas: 3
     jmx:
       enabled: true
     security:
       endpointSecretName: connect-secret (3)
     service:
       type: DataGrid

   1 The cluster name.
   2 Allows the cluster to be monitored by Prometheus.
   3 If using a custom credential, configure here the name of the Secret created in the previous step.
4. Create the caches for Keycloak.

   Keycloak requires the following caches to be present: sessions, actionTokens, authenticationSessions, offlineSessions, clientSessions, offlineClientSessions, loginFailures, and work.

   Use the Infinispan Cache CR to deploy the caches in the Infinispan cluster. See below for an example for the sessions cache. Repeat this for all other caches listed above. The indexing section is cache-specific: keycloak.RemoteUserSessionEntity is the entity type stored in the sessions cache, so when repeating this CR for another cache, change or drop the indexed-entities list rather than copying it verbatim.

   Cache CR for the sessions cache
   apiVersion: infinispan.org/v2alpha1
   kind: Cache
   metadata:
     name: sessions
     namespace: keycloak
   spec:
     clusterName: infinispan
     name: sessions
     template: |-
       distributedCache:
         mode: "SYNC"
         owners: "2"
         statistics: "true"
         remoteTimeout: "5000"
         encoding:
           media-type: "application/x-protostream"
         locking:
           acquireTimeout: "4000"
         transaction:
           mode: "NON_XA" (1)
           locking: "PESSIMISTIC" (2)
         stateTransfer:
           chunkSize: "16"
         indexing:
           enabled: true
           indexed-entities:
             - keycloak.RemoteUserSessionEntity

   1 The transaction mode of the cache.
   2 The locking mode used by those transactions.

   The Infinispan documentation contains more detail about cache configuration and its options.
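Most of the procedure above is copying YAML, which is where the mistakes creep in: the wrong file gets base64-encoded into the Secret, or the sessions Cache CR is duplicated verbatim for caches that store other entity types. The shell helpers below are an added example and not code from the Keycloak or Infinispan projects. They generate one Cache CR per required cache from a single template, give only the sessions cache the indexed entity shown on the page, and check that the encoded identities.yaml from the Secret really grants the expected user the admin role. The cluster name infinispan and namespace keycloak are taken from the CRs above; the function names and the file name cache-crs.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not taken from the Keycloak or Infinispan projects.
# Helpers for the single-cluster procedure:
#   1. generate one Cache CR per Keycloak cache from a single template,
#      so the eight CRs stay consistent instead of being hand-copied;
#   2. check that the base64 value placed in the Secret decodes to an
#      identities.yaml that grants the expected user the admin role.
# Nothing here talks to a cluster; review the output before applying it.
# Usage: . ./cache-crs.sh && all_cache_crs infinispan keycloak | kubectl apply -f -

# The eight caches Keycloak requires, as listed in the procedure.
KEYCLOAK_CACHES="sessions actionTokens authenticationSessions offlineSessions clientSessions offlineClientSessions loginFailures work"

# The base64 value from the Credential Secret above (decodes to the identities.yaml shown there).
IDENTITIES_B64="Y3JlZGVudGlhbHM6CiAgLSB1c2VybmFtZTogZGV2ZWxvcGVyCiAgICBwYXNzd29yZDogc3Ryb25nLXBhc3N3b3JkCiAgICByb2xlczoKICAgICAgLSBhZG1pbgo="

# cache_cr NAME CLUSTER NAMESPACE [INDEXED_ENTITY]
# Emits a Cache CR whose template mirrors the sessions example above. The
# indexing block is only emitted when an entity type is given, because the
# entity to index differs per cache and must not be copied blindly.
cache_cr() {
  cat <<EOF
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
  name: $1
  namespace: $3
spec:
  clusterName: $2
  name: $1
  template: |-
    distributedCache:
      mode: "SYNC"
      owners: "2"
      statistics: "true"
      remoteTimeout: "5000"
      encoding:
        media-type: "application/x-protostream"
      locking:
        acquireTimeout: "4000"
      transaction:
        mode: "NON_XA"
        locking: "PESSIMISTIC"
      stateTransfer:
        chunkSize: "16"
EOF
  if [ -n "${4:-}" ]; then
    cat <<EOF
      indexing:
        enabled: true
        indexed-entities:
          - $4
EOF
  fi
}

# all_cache_crs CLUSTER NAMESPACE
# One multi-document YAML stream with a CR for every required cache. Only the
# sessions cache gets the indexed entity shown on the page; extend the case
# statement if other caches in your deployment need one.
all_cache_crs() {
  for c in $KEYCLOAK_CACHES; do
    echo "---"
    case "$c" in
      sessions) cache_cr "$c" "$1" "$2" keycloak.RemoteUserSessionEntity ;;
      *)        cache_cr "$c" "$1" "$2" ;;
    esac
  done
}

# count_cache_crs CLUSTER NAMESPACE -> number of Cache documents generated
count_cache_crs() {
  all_cache_crs "$1" "$2" | grep -c '^kind: Cache$'
}

# cache_cr_has_indexing ARGS... -> exit 0 if the generated CR contains an indexing block
cache_cr_has_indexing() {
  cache_cr "$@" | grep -q '^      indexing:$'
}

# encode_identities < identities.yaml -> single-line base64 for the Secret's data field
# (tr removes the line wrapping some base64 implementations add; -w0 is GNU-only)
encode_identities() {
  base64 | tr -d '\n'
}

# secret_username B64 -> the username granted by the encoded identities.yaml
secret_username() {
  printf '%s' "$1" | base64 -d | awk '/username:/ { print $3; exit }'
}

# secret_has_role B64 ROLE -> exit 0 if the encoded identities.yaml lists ROLE
secret_has_role() {
  printf '%s' "$1" | base64 -d | grep -q -- "- $2\$"
}
```

Before applying, run the decode check against the value you actually put in the Secret, not the one from the page: a stray trailing newline or an encoded copy of the wrong file is invisible in the manifest but fails authentication at runtime.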