Re: RFC: Keycloak project presentation


sthorger@...
 

Actually, domain-mode is not relevant. Domain-mode is a feature of WildFly that allows creating and managing a group of servers, but this is not relevant in Kubernetes since it already has this capability. The relevant section of the documentation is https://www.keycloak.org/docs/latest/server_installation/index.html#_standalone-ha-mode as well as the documentation for the container image https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md.

For HA and scalability Keycloak relies on the embedded Infinispan server, which in turn relies on JGroups. Infinispan (https://infinispan.org/) is a distributed in-memory key/value data store, and JGroups (http://www.jgroups.org/) is a toolkit for reliable messaging. JGroups supports both UDP and TCP for transport and has a range of discovery protocols it supports for different environments.

Keycloak uses Infinispan for two purposes. Firstly, it is used as an invalidation cache which allows us to heavily cache data from the database. Secondly, it is used as a distributed cache for sessions. By default sessions are distributed to the nodes in the cluster and each session is stored in one node, but it is easy to enable replication of sessions where more than one node holds a replica.

We have plenty of large companies using Keycloak, as well as customers of Red Hat using RH-SSO (Red Hat's supported build of Keycloak, I will send a separate mail further explaining the difference here), that are deploying it in HA within a single site, and we have quite a few that are deploying it to multiple sites as well. Red Hat itself relies on RH-SSO as both our internal IdP and our external IdP (https://developers.redhat.com/blog/2019/02/14/red-hat-sso-high-availability-hybrid-cloud/). We also have several community users and customers that are deploying Keycloak with millions of users.

During one of the keynotes (https://www.redhat.com/fr/about/videos/summit-2018-keynote-emerging-technology-and-innovation-chris-wright) at last year's Red Hat Summit we demonstrated RH-SSO running not just multi-site, but multi-cloud. We had RH-SSO available in AWS, Azure and a private cloud, with load balancing between the 3 clouds, and also showed fail-over during the keynote.

I hope this answers the concerns around HA and scalability, but I'm happy to follow up if there are still some questions around this.
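As an added illustration of the session-replication point above (not part of the original mail, and not taken from the Keycloak project files): the number of nodes holding a copy of each session entry is the `owners` attribute of the `distributed-cache` elements in the `keycloak` cache container of WildFly's `standalone-ha.xml`. The element names, the `infinispan` subsystem layout and the default value of `1` are assumed here from the WildFly/Keycloak configuration format; check them against the version actually deployed. The first fragment shows the distributed-only default, the second the same caches with two owners so that the loss of any single node does not lose sessions.

```xml
<!-- Assumed layout of the "keycloak" cache-container in standalone-ha.xml.
     Default: every session entry lives on exactly one node (owners="1").
     If that node leaves the cluster, the sessions it owned are gone and
     users are asked to log in again. -->
<cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" owners="1"/>
    <distributed-cache name="authenticationSessions" owners="1"/>
    <distributed-cache name="offlineSessions" owners="1"/>
    <distributed-cache name="clientSessions" owners="1"/>
    <distributed-cache name="offlineClientSessions" owners="1"/>
    <distributed-cache name="loginFailures" owners="1"/>
</cache-container>

<!-- Replicated variant: each entry is kept on two nodes, so a single node
     failure is transparent to users. The cost is roughly double the session
     memory across the cluster and extra JGroups traffic per write, so size
     the JVM heap accordingly. -->
<cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" owners="2"/>
    <distributed-cache name="authenticationSessions" owners="2"/>
    <distributed-cache name="offlineSessions" owners="2"/>
    <distributed-cache name="clientSessions" owners="2"/>
    <distributed-cache name="offlineClientSessions" owners="2"/>
    <distributed-cache name="loginFailures" owners="2"/>
</cache-container>
```

A value of `owners` larger than the number of running nodes simply means every node holds every entry; the practical upper bound is the number of simultaneous node losses the deployment is expected to survive plus one. Whether the nodes find each other at all is a separate concern handled by the JGroups discovery protocol mentioned above, which has to match the environment (multicast is usually unavailable on Kubernetes, so a DNS- or database-based discovery protocol is used there).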

On Tue, 9 Apr 2019 at 19:39, Quinton Hoole <quinton.hoole@...> wrote:
Thanks for the presentation.  Very informative.

The questions I (and Joe) had around HA and scalability are at least partially answered in the installation documentation:

https://www.keycloak.org/docs/latest/server_installation/index.html#_domain-mode

If there is any more detailed information available on the HA and scalability design, and what's happening under the hood in that area, that would be useful.

Q

________________________________________
From: cncf-toc@... [cncf-toc@...] on behalf of boleslaw.dawidowicz@... [boleslaw.dawidowicz@...]
Sent: Tuesday, April 09, 2019 8:55 AM
To: Chris Aniszczyk
Cc: CNCF TOC
Subject: Re: [cncf-toc] RFC: Keycloak project presentation

There is nothing RHT enterprise specific and it is backed fully by
proven upstream technologies with active communities.

Regarding clustering and concerns expressed in the chat there is a way
to configure clustering on Kubernetes. We have people in the community
running deployments like that. Same for cross site replication.

If there is need to address more specific questions or perform a
deeper dive we would be happy to do so.

Would like to thank you for the opportunity to present the project to the
TOC today.

On Tue, Apr 9, 2019 at 5:47 PM Chris Aniszczyk
<caniszczyk@...> wrote:
>
> The Keycloak project presented today:
> https://github.com/cncf/toc/pull/176
>
> The TOC, especially Joe had some questions on how Keycloak was
> deployed on Wildfly (vs the RHT enterprise version of that). This
> project is also fairly high up the stack compared to what we normally
> accept in CNCF imho. We also didn't have a full roster of TOC members
> so I'd like to ensure we have a wide set of eyes on this topic.
>
> Jeff was also interested in being one of the sponsors for the sandbox
> potentially.
>
> Anyways, wanted to move the discussion to the mailing list.
>
> --
> Chris Aniszczyk (@cra) | +1-512-961-6719
>
>
>