mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-02-05 06:49:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

Update Infinispan examples in the High Availability guide

Browse Source 
Closes #35451

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
This commit is contained in:
Pedro Ruivo
2024-11-29 11:25:45 +00:00
committed by Alexander Schwartz
parent d3d6ee0e5d
commit 30196dfe12
7 changed files with 701 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/guides/high-availability/deploy-infinispan-kubernetes-crossdc.adoc
View File

@@ -198,11 +198,30 @@ The following example shows the `Cache` CR for `{site-a}`.
+
--
. In `{site-a}` create a `Cache` CR for each of the caches mentioned above with the following content.
This is an example for the `authenticationSessions` cache:
+
.Cache `actionTokens`
[source,yaml]
----
include::examples/generated/ispn-site-a.yaml[tag=infinispan-cache-actionTokens]
----
+
.Cache `authenticationSessions`
[source,yaml]
----
include::examples/generated/ispn-site-a.yaml[tag=infinispan-cache-authenticationSessions]
----
+
.Cache `loginFailures`
[source,yaml]
----
include::examples/generated/ispn-site-a.yaml[tag=infinispan-cache-loginFailures]
----
+
.Cache `work`
[source,yaml]
----
include::examples/generated/ispn-site-a.yaml[tag=infinispan-cache-work]
----
<1> The transaction mode.
<2> The locking mode used by the transaction.
<3> The remote site name.
@@ -218,7 +237,7 @@ The example above is the recommended configuration to achieve the best data cons
Deadlocks may occur in an active-active setup as entries are modified concurrently in both sites.
The `transaction.mode: NON_XA` ensures that the transaction is rolled back keeping the data consistent if this occurs.
The `transaction.mode: NON_DURABLE_XA` ensures that the transaction is rolled back keeping the data consistent if this occurs.
The setting `backup.failurePolicy: FAIL` is required in this case.
It will throw an error that allows the transaction to be safely rolled back.
When this occurs, {project_name} will attempt a retry.
@@ -234,10 +253,10 @@ The `backup.timeout` must always be higher than the `locking.acquireTimeout`.
+
For `{site-b}`, the `Cache` CR is similar, except for the `backups.<name>` outlined in point 3 of the above diagram.
+
.authenticationSessions `Cache` CR in `{site-b}`
.Example for `actionTokens` cache in `{site-b}`
[source,yaml]
----
include::examples/generated/ispn-site-b.yaml[tag=infinispan-cache-authenticationSessions]
include::examples/generated/ispn-site-b.yaml[tag=infinispan-cache-actionTokens]
----
== Verifying the deployment

44
docs/guides/high-availability/examples/generated/ispn-single.yaml
View File

@@ -57,7 +57,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -85,10 +85,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RootAuthenticationSessionEntity
# end::infinispan-cache-authenticationSessions[]
---
@@ -113,10 +117,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteAuthenticatedClientSessionEntity
# end::infinispan-cache-clientSessions[]
---
@@ -141,10 +149,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.LoginFailureEntity
# end::infinispan-cache-loginFailures[]
---
@@ -169,10 +181,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteAuthenticatedClientSessionEntity
# end::infinispan-cache-offlineClientSessions[]
---
@@ -197,10 +213,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteUserSessionEntity
# end::infinispan-cache-offlineSessions[]
---
@@ -225,10 +245,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteUserSessionEntity
# end::infinispan-cache-sessions[]
---
@@ -253,7 +277,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -281,12 +305,14 @@ spec:
expose:
type: Route
configMapName: "cluster-config"
image: quay.io/infinispan-test/server:15.0.x
image: quay.io/infinispan/server:15.0.11.Final
version: 15.0.4
configListener:
enabled: false
container:
extraJvmOpts: '-Dorg.infinispan.openssl=false -Dinfinispan.cluster.name=ISPN -Djgroups.xsite.fd.interval=2000 -Djgroups.xsite.fd.timeout=15000'
cpu: 4:2
memory: 2Gi:1Gi
logging:
categories:
org.infinispan: info

33
docs/guides/high-availability/examples/generated/ispn-site-a.yaml
View File

@@ -100,7 +100,11 @@ metadata:
name: crossdc-push-state-status
namespace: keycloak
data:
batch: site push-site-status --all-caches --site=site-b
batch: |-
site push-site-status --cache=actionTokens
site push-site-status --cache=authenticationSessions
site push-site-status --cache=loginFailures
site push-site-status --cache=work
# end::infinispan-crossdc-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
@@ -111,7 +115,11 @@ metadata:
name: crossdc-reset-push-state-status
namespace: keycloak
data:
batch: site clear-push-state-status --all-caches --site=site-b
batch: |-
site clear-push-site-status --cache=actionTokens
site clear-push-site-status --cache=authenticationSessions
site clear-push-site-status --cache=loginFailures
site clear-push-site-status --cache=work
# end::infinispan-crossdc-reset-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
@@ -122,12 +130,11 @@ metadata:
name: crossdc-clear-caches
namespace: keycloak
data:
batch: |+
batch: |-
clearcache actionTokens
clearcache authenticationSessions
clearcache loginFailures
clearcache work
# end::infinispan-crossdc-clear-caches[]
---
# Source: ispn-helm/templates/infinispan-alerts.yaml
@@ -184,7 +191,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -219,10 +226,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RootAuthenticationSessionEntity
backups:
site-b: # <3>
backup:
@@ -254,10 +265,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.LoginFailureEntity
backups:
site-b: # <3>
backup:
@@ -289,7 +304,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -324,7 +339,7 @@ spec:
expose:
type: Route
configMapName: "cluster-config"
image: quay.io/infinispan-test/server:15.0.x
image: quay.io/infinispan/server:15.0.11.Final
version: 15.0.4
configListener:
enabled: false

35
docs/guides/high-availability/examples/generated/ispn-site-b.yaml
View File

@@ -100,7 +100,11 @@ metadata:
name: crossdc-push-state-status
namespace: keycloak
data:
batch: site push-site-status --all-caches --site=site-a
batch: |-
site push-site-status --cache=actionTokens
site push-site-status --cache=authenticationSessions
site push-site-status --cache=loginFailures
site push-site-status --cache=work
# end::infinispan-crossdc-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
@@ -111,7 +115,11 @@ metadata:
name: crossdc-reset-push-state-status
namespace: keycloak
data:
batch: site clear-push-state-status --all-caches --site=site-a
batch: |-
site clear-push-site-status --cache=actionTokens
site clear-push-site-status --cache=authenticationSessions
site clear-push-site-status --cache=loginFailures
site clear-push-site-status --cache=work
# end::infinispan-crossdc-reset-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
@@ -122,12 +130,11 @@ metadata:
name: crossdc-clear-caches
namespace: keycloak
data:
batch: |+
batch: |-
clearcache actionTokens
clearcache authenticationSessions
clearcache loginFailures
clearcache work
# end::infinispan-crossdc-clear-caches[]
---
# Source: ispn-helm/templates/infinispan-alerts.yaml
@@ -184,7 +191,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -219,10 +226,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RootAuthenticationSessionEntity
backups:
site-a: # <3>
backup:
@@ -254,10 +265,14 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.LoginFailureEntity
backups:
site-a: # <3>
backup:
@@ -289,7 +304,7 @@ spec:
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_XA" # <1>
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
@@ -324,12 +339,14 @@ spec:
expose:
type: Route
configMapName: "cluster-config"
image: quay.io/infinispan-test/server:15.0.x
image: quay.io/infinispan/server:15.0.11.Final
version: 15.0.4
configListener:
enabled: false
container:
extraJvmOpts: '-Dorg.infinispan.openssl=false -Dinfinispan.cluster.name=ISPN -Djgroups.xsite.fd.interval=2000 -Djgroups.xsite.fd.timeout=10000'
cpu: 4:2
memory: 2Gi:1Gi
logging:
categories:
org.infinispan: info

579
docs/guides/high-availability/examples/generated/ispn-volatile.yaml Normal file
View File

@@ -0,0 +1,579 @@
---
# Source: ispn-helm/templates/infinispan-alerts.yaml
# tag::fencing-secret[]
apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
name: webhook-credentials
stringData:
username: 'keycloak' # <1>
password: 'changme' # <2>
# end::fencing-secret[]
---
# Source: ispn-helm/templates/infinispan.yaml
# There are several callouts in this YAML marked with `# <1>' etc. See 'running/infinispan-deployment.adoc` for the details.# tag::infinispan-credentials[]
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: connect-secret
namespace: keycloak
data:
identities.yaml: Y3JlZGVudGlhbHM6CiAgLSB1c2VybmFtZTogZGV2ZWxvcGVyCiAgICBwYXNzd29yZDogc3Ryb25nLXBhc3N3b3JkCiAgICByb2xlczoKICAgICAgLSBhZG1pbgo= # <1>
# end::infinispan-credentials[]
---
# Source: ispn-helm/templates/infinispan.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-config
namespace: keycloak
data:
infinispan-config.yaml: >
infinispan:
cacheContainer:
metrics:
namesAsTags: true
histograms: false
server:
endpoints:
- securityRealm: default
socketBinding: default
connectors:
rest:
restConnector:
authentication:
mechanisms: BASIC
hotrod:
hotrodConnector: null
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-status[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-status
namespace: keycloak
data:
batch: site status --all-caches --site=site-b
# end::infinispan-crossdc-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-disconnect[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-disconnect
namespace: keycloak
data:
batch: site take-offline --all-caches --site=site-b
# end::infinispan-crossdc-disconnect[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-connect[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-connect
namespace: keycloak
data:
batch: site bring-online --all-caches --site=site-b
# end::infinispan-crossdc-connect[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-push-state[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-push-state
namespace: keycloak
data:
batch: site push-site-state --all-caches --site=site-b
# end::infinispan-crossdc-push-state[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-push-state-status[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-push-state-status
namespace: keycloak
data:
batch: |-
site push-site-status --cache=actionTokens
site push-site-status --cache=authenticationSessions
site push-site-status --cache=clientSessions
site push-site-status --cache=loginFailures
site push-site-status --cache=offlineClientSessions
site push-site-status --cache=offlineSessions
site push-site-status --cache=sessions
site push-site-status --cache=work
# end::infinispan-crossdc-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-reset-push-state-status[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-reset-push-state-status
namespace: keycloak
data:
batch: |-
site clear-push-site-status --cache=actionTokens
site clear-push-site-status --cache=authenticationSessions
site clear-push-site-status --cache=clientSessions
site clear-push-site-status --cache=loginFailures
site clear-push-site-status --cache=offlineClientSessions
site clear-push-site-status --cache=offlineSessions
site clear-push-site-status --cache=sessions
site clear-push-site-status --cache=work
# end::infinispan-crossdc-reset-push-state-status[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc-clear-caches[]
apiVersion: v1
kind: ConfigMap
metadata:
name: crossdc-clear-caches
namespace: keycloak
data:
batch: |-
clearcache actionTokens
clearcache authenticationSessions
clearcache clientSessions
clearcache loginFailures
clearcache offlineClientSessions
clearcache offlineSessions
clearcache sessions
clearcache work
# end::infinispan-crossdc-clear-caches[]
---
# Source: ispn-helm/templates/infinispan-alerts.yaml
# tag::fencing-alert-manager-config[]
apiVersion: monitoring.coreos.com/v1beta1
kind: AlertmanagerConfig
metadata:
name: example-routing
spec:
route:
receiver: default
groupBy:
- accelerator
groupInterval: 90s
groupWait: 60s
matchers:
- matchType: =
name: alertname
value: SiteOffline
receivers:
- name: default
webhookConfigs:
- url: 'https://tjqr2vgc664b6noj6vugprakoq0oausj.lambda-url.eu-west-1.on.aws/' # <3>
httpConfig:
basicAuth:
username:
key: username
name: webhook-credentials
password:
key: password
name: webhook-credentials
tlsConfig:
insecureSkipVerify: true
# end::fencing-alert-manager-config[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-actionTokens[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: actiontokens
namespace: keycloak
spec:
clusterName: infinispan
name: actionTokens
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-actionTokens[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-authenticationSessions[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: authenticationsessions
namespace: keycloak
spec:
clusterName: infinispan
name: authenticationSessions
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RootAuthenticationSessionEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-authenticationSessions[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-clientSessions[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: clientsessions
namespace: keycloak
spec:
clusterName: infinispan
name: clientSessions
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteAuthenticatedClientSessionEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-clientSessions[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-loginFailures[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: loginfailures
namespace: keycloak
spec:
clusterName: infinispan
name: loginFailures
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.LoginFailureEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-loginFailures[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-offlineClientSessions[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: offlineclientsessions
namespace: keycloak
spec:
clusterName: infinispan
name: offlineClientSessions
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteAuthenticatedClientSessionEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-offlineClientSessions[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-offlineSessions[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: offlinesessions
namespace: keycloak
spec:
clusterName: infinispan
name: offlineSessions
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteUserSessionEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-offlineSessions[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-sessions[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: sessions
namespace: keycloak
spec:
clusterName: infinispan
name: sessions
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
indexing:
enabled: true
indexed-entities:
- keycloak.RemoteUserSessionEntity
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-sessions[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-cache-work[]
apiVersion: infinispan.org/v2alpha1
kind: Cache
metadata:
name: work
namespace: keycloak
spec:
clusterName: infinispan
name: work
template: |-
distributedCache:
mode: "SYNC"
owners: "2"
statistics: "true"
remoteTimeout: "5000"
encoding:
media-type: "application/x-protostream"
locking:
acquireTimeout: "4000"
transaction:
mode: "NON_DURABLE_XA" # <1>
locking: "PESSIMISTIC" # <2>
stateTransfer:
chunkSize: "16"
backups:
site-b: # <3>
backup:
strategy: "SYNC" # <4>
timeout: "4500" # <5>
failurePolicy: "FAIL" # <6>
stateTransfer:
chunkSize: "16"
# end::infinispan-cache-work[]
---
# Source: ispn-helm/templates/infinispan.yaml
# tag::infinispan-crossdc[]
# tag::infinispan-single[]
apiVersion: infinispan.org/v1
kind: Infinispan
metadata:
name: infinispan # <1>
namespace: keycloak
annotations:
infinispan.org/monitoring: 'true' # <2>
spec:
replicas: 3
jmx:
enabled: true
# end::infinispan-single[]
# end::infinispan-crossdc[]
# This exposes the http endpoint to interact with its caches - more info - https://infinispan.org/docs/stable/titles/rest/rest.html
# We can optionally set the host in the below expose yaml block, otherwise it will be set to a default naming pattern.
expose:
type: Route
configMapName: "cluster-config"
image: quay.io/infinispan/server:15.0.11.Final
version: 15.0.4
configListener:
enabled: false
container:
extraJvmOpts: '-Dorg.infinispan.openssl=false -Dinfinispan.cluster.name=ISPN -Djgroups.xsite.fd.interval=2000 -Djgroups.xsite.fd.timeout=10000'
cpu: 4:2
memory: 2Gi:1Gi
logging:
categories:
org.infinispan: info
org.jgroups: info
# tag::infinispan-crossdc[]
# tag::infinispan-single[]
security:
endpointSecretName: connect-secret # <3>
service:
type: DataGrid
# end::infinispan-single[]
sites:
local:
name: site-1 # <4>
# end::infinispan-crossdc[]
discovery:
launchGossipRouter: true
heartbeats:
interval: 2000
timeout: 8000
# tag::infinispan-crossdc[]
expose:
type: Route # <5>
maxRelayNodes: 128
encryption:
transportKeyStore:
secretName: xsite-keystore-secret # <6>
alias: xsite # <7>
filename: keystore.p12 # <8>
routerKeyStore:
secretName: xsite-keystore-secret # <6>
alias: xsite # <7>
filename: keystore.p12 # <8>
trustStore:
secretName: xsite-truststore-secret # <9>
filename: truststore.p12 # <10>
locations:
- name: site-b # <11>
clusterName: infinispan
namespace: keycloak # <12>
url: openshift://api.site-b # <13>
secretName: xsite-token-secret # <14>
# end::infinispan-crossdc[]
---
# Source: ispn-helm/templates/infinispan-alerts.yaml
# tag::fencing-prometheus-rule[]
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: xsite-status
spec:
groups:
- name: xsite-status
rules:
- alert: SiteOffline
expr: 'min by (namespace, site) (vendor_jgroups_site_view_status{namespace="default",site="site-b"}) == 0' # <4>
labels:
severity: critical
reporter: site-1 # <5>
accelerator: a3da6a6cbd4e27b02.awsglobalaccelerator.com # <6>
# end::fencing-prometheus-rule[]

11
docs/guides/high-availability/examples/generated/keycloak-ispn.yaml
View File

@@ -54,7 +54,7 @@ metadata:
name: keycloak-providers
namespace: keycloak
binaryData:
keycloak-benchmark-dataset-0.14-SNAPSHOT.jar: ...
keycloak-benchmark-dataset-0.15-SNAPSHOT.jar: ...
---
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
apiVersion: v1
@@ -451,6 +451,7 @@ spec:
startOptimized: false # <2>
features:
enabled:
- user-event-metrics
- multi-site # <3>
transaction:
xaEnabled: false # <4>
@@ -474,6 +475,8 @@ spec:
value: json
- name: metrics-enabled # <5>
value: 'true'
- name: event-metrics-user-enabled
value: 'true'
# tag::keycloak-ispn[]
- name: cache-remote-host # <1>
value: "infinispan.keycloak.svc"
@@ -500,7 +503,7 @@ spec:
podTemplate:
metadata:
annotations:
checksum/config: 90d2c8ddd9b32fd443c5823cee0ef790ce58657d13e9d668e48e1ad696b2403a-9bfd430c6539df907f0421bb34c92fb32194d461565bd342f7f96ff5a5408273-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/config: a6e4c8f98e1b1035942cd1121684f817d533021a392be90b5df784f474146350-9bfd430c6539df907f0421bb34c92fb32194d461565bd342f7f96ff5a5408273-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
spec:
containers:
- env:
@@ -531,8 +534,8 @@ spec:
# - 'true'
volumeMounts:
- name: keycloak-providers
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.14-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.14-SNAPSHOT.jar
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.15-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.15-SNAPSHOT.jar
readOnly: true
volumes:
- name: keycloak-providers

11
docs/guides/high-availability/examples/generated/keycloak.yaml
View File

@@ -41,7 +41,7 @@ metadata:
name: keycloak-providers
namespace: keycloak
binaryData:
keycloak-benchmark-dataset-0.14-SNAPSHOT.jar: ...
keycloak-benchmark-dataset-0.15-SNAPSHOT.jar: ...
---
# Source: keycloak/templates/postgres/postgres-exporter-configmap.yaml
apiVersion: v1
@@ -440,6 +440,7 @@ spec:
startOptimized: false # <2>
features:
enabled:
- user-event-metrics
- multi-site # <3>
transaction:
xaEnabled: false # <4>
@@ -463,6 +464,8 @@ spec:
value: json
- name: metrics-enabled # <5>
value: 'true'
- name: event-metrics-user-enabled
value: 'true'
# end::keycloak[]
# This block is just for documentation purposes as we need both versions of Infinispan config, with and without numbers to corresponding options
# tag::keycloak[]
@@ -490,7 +493,7 @@ spec:
podTemplate:
metadata:
annotations:
checksum/config: 90d2c8ddd9b32fd443c5823cee0ef790ce58657d13e9d668e48e1ad696b2403a-9af6f9e8393229798cfb789798e36f84e39803616fe3e51b2a38e3ce05830565-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/config: a6e4c8f98e1b1035942cd1121684f817d533021a392be90b5df784f474146350-9af6f9e8393229798cfb789798e36f84e39803616fe3e51b2a38e3ce05830565-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
spec:
containers:
- env:
@@ -521,8 +524,8 @@ spec:
# - 'true'
volumeMounts:
- name: keycloak-providers
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.14-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.14-SNAPSHOT.jar
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.15-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.15-SNAPSHOT.jar
readOnly: true
volumes:
- name: keycloak-providers