libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Use http-pool-max-threads in HA guides

Browse source 
Closes #26849

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This commit is contained in:
Michal Hajas 2024-02-13 11:01:59 +01:00 committed by GitHub
parent ee126f73e5
commit 83f3e91e4f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 13 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docs/guides/high-availability/concepts-threads.adoc
View file

@ -22,6 +22,8 @@ The Quarkus executor thread pool is configured in https://quarkus.io/guides/all-
Depending on the available CPU cores, it can grow even larger. Depending on the available CPU cores, it can grow even larger.
Threads are created as needed, and will end when no longer needed, so the system will scale up and down automatically. Threads are created as needed, and will end when no longer needed, so the system will scale up and down automatically.
{project_name} allows configuring the maximum thread pool size by the `http-pool-max-threads` configuration option. See <@links.ha id="deploy-keycloak-kubernetes" /> for an example.
When running on Kubernetes, adjust the number of worker threads to avoid creating more load than what the CPU limit allows for the Pod to avoid throttling, which would lead to congestion. When running on Kubernetes, adjust the number of worker threads to avoid creating more load than what the CPU limit allows for the Pod to avoid throttling, which would lead to congestion.
When running on physical machines, adjust the number of worker threads to avoid creating more load than the node can handle to avoid congestion. When running on physical machines, adjust the number of worker threads to avoid creating more load than the node can handle to avoid congestion.
Congestion would result in longer response times and an increased memory usage, and eventually an unstable system. Congestion would result in longer response times and an increased memory usage, and eventually an unstable system.

4
docs/guides/high-availability/deploy-keycloak-kubernetes.adoc
View file

@ -3,7 +3,7 @@
<@tmpl.guide <@tmpl.guide
title="Deploy {project_name} for HA with the {project_name} Operator" title="Deploy {project_name} for HA with the {project_name} Operator"
summary="Building block for a Keycloak deployment" summary="Building block for a {project_name} deployment"
preview="true" preview="true"
previewDiscussionLink="https://github.com/keycloak/keycloak/discussions/25269" previewDiscussionLink="https://github.com/keycloak/keycloak/discussions/25269"
tileVisible="false" > tileVisible="false" >
@ -76,7 +76,7 @@ When running load tests, or when having a reverse proxy in front of HAProxy, you
Add the following supplementary configuration under the `spec` in the {project_name} Custom Resource to disable sticky sessions. Add the following supplementary configuration under the `spec` in the {project_name} Custom Resource to disable sticky sessions.
[source,yaml] [source,yaml,subs="attributes+"]
---- ----
spec: spec:
ingress: ingress:

5
docs/guides/high-availability/examples/generated/keycloak-ispn.yaml
View file

@ -745,7 +745,6 @@ spec:
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
additionalOptions: additionalOptions:
# end::keycloak-ispn[] # end::keycloak-ispn[]
# tag::keycloak-queue-size[] # tag::keycloak-queue-size[]
- name: http-max-queued-requests - name: http-max-queued-requests
value: "1000" value: "1000"
@ -754,6 +753,8 @@ spec:
value: json value: json
- name: metrics-enabled # <3> - name: metrics-enabled # <3>
value: 'true' value: 'true'
- name: http-pool-max-threads # <4>
value: "200"
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
- name: remote-store-host # <2> - name: remote-store-host # <2>
value: "infinispan.keycloak.svc" value: "infinispan.keycloak.svc"
@ -783,8 +784,6 @@ spec:
spec: spec:
containers: containers:
- env: - env:
- name: 'QUARKUS_THREAD_POOL_MAX_THREADS' # <4>
value: "200"
# end::keycloak[] # end::keycloak[]
# We want to have an externally provided username and password, therefore, we override those two environment variables # We want to have an externally provided username and password, therefore, we override those two environment variables
- name: KEYCLOAK_ADMIN - name: KEYCLOAK_ADMIN

17
docs/guides/high-availability/examples/generated/keycloak.yaml
View file

@ -432,6 +432,7 @@ spec:
- multi-site # <2> - multi-site # <2>
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
additionalOptions: additionalOptions:
# end::keycloak-ispn[]
# tag::keycloak-queue-size[] # tag::keycloak-queue-size[]
- name: http-max-queued-requests - name: http-max-queued-requests
value: "1000" value: "1000"
@ -440,28 +441,21 @@ spec:
value: json value: json
- name: metrics-enabled # <3> - name: metrics-enabled # <3>
value: 'true' value: 'true'
- name: http-pool-max-threads # <4>
value: "66"
http: http:
tlsSecret: keycloak-tls-secret tlsSecret: keycloak-tls-secret
instances: 3 instances: 3
# tag::keycloak-ispn[]
unsupported: unsupported:
podTemplate: podTemplate:
# end::keycloak[] # end::keycloak[]
# end::keycloak-ispn[]
metadata: metadata:
annotations: annotations:
checksum/config: c73adcb155290b2da36c94852649862ca6c5ceab4be2f51bde509cd07276ca3d-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0 checksum/config: c73adcb155290b2da36c94852649862ca6c5ceab4be2f51bde509cd07276ca3d-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
# tag::keycloak[] # tag::keycloak[]
# tag::keycloak-ispn[]
spec: spec:
# end::keycloak-ispn[]
# tag::keycloak-ispn[]
containers: containers:
- env: - env:
# end::keycloak-ispn[]
- name: 'QUARKUS_THREAD_POOL_MAX_THREADS' # <4>
value: "66"
# end::keycloak[] # end::keycloak[]
# We want to have an externally provided username and password, therefore, we override those two environment variables # We want to have an externally provided username and password, therefore, we override those two environment variables
- name: KEYCLOAK_ADMIN - name: KEYCLOAK_ADMIN
@ -477,13 +471,10 @@ spec:
key: password key: password
optional: false optional: false
# tag::keycloak[] # tag::keycloak[]
# tag::keycloak-ispn[]
- name: JAVA_OPTS_APPEND # <5> - name: JAVA_OPTS_APPEND # <5>
value: > value: >
-Xms512m -Xmx1524m -Xms512m -Xmx1524m
# end::keycloak[] # end::keycloak[]
# end::keycloak-ispn[]
ports: ports:
# tag::keycloak[] # tag::keycloak[]
resources: resources:
@ -502,12 +493,10 @@ spec:
# exec: # exec:
# command: # command:
# - 'true' # - 'true'
# tag::keycloak-ispn[]
volumeMounts: volumeMounts:
- name: keycloak-providers - name: keycloak-providers
mountPath: /opt/keycloak/providers mountPath: /opt/keycloak/providers
readOnly: true readOnly: true
# tag::keycloak-ispn[]
volumes: volumes:
- name: keycloak-providers - name: keycloak-providers
configMap: configMap:

2
docs/guides/high-availability/partials/aurora/aurora-multiaz-create-procedure.adoc
View file

@ -241,7 +241,7 @@ aws rds create-db-cluster \
---- ----
+ +
NOTE: You should replace the `--master-username` and `--master-user-password` values. NOTE: You should replace the `--master-username` and `--master-user-password` values.
The values specified here must be used when configuring the Keycloak DB credentials. The values specified here must be used when configuring the {project_name} database credentials.
+ +
.Output: .Output:
[source,json] [source,json]

2
docs/guides/high-availability/partials/infinispan/infinispan-credentials.adoc
View file

@ -1,7 +1,7 @@
[[infinispan-credentials]] [[infinispan-credentials]]
. Configure the credential to access the Infinispan cluster. . Configure the credential to access the Infinispan cluster.
+ +
Keycloak needs this credential to be able to authenticate with the Infinispan cluster. {project_name} needs this credential to be able to authenticate with the Infinispan cluster.
The following `identities.yaml` file sets the username and password with admin permissions The following `identities.yaml` file sets the username and password with admin permissions
+ +
[source,yam,subs="+attributes"] [source,yam,subs="+attributes"]

4
docs/guides/high-availability/partials/threads/executor-jgroups-thread-calculation.adoc
View file

@ -1,5 +1,5 @@
The number of JGroup threads is `200` by default. The number of JGroup threads is `200` by default.
While it can be configured using the property Java system property `jgroups.thread_pool.max_threads`, we advise keeping it at this value. While it can be configured using the property Java system property `jgroups.thread_pool.max_threads`, we advise keeping it at this value.
As shown in experiments, the total number of Quarkus worker threads in the cluster must not exceed the number of threads in the JGroup thread pool of 200 in each node to avoid deadlocks in the JGroups communication. As shown in experiments, the total number of Quarkus worker threads in the cluster must not exceed the number of threads in the JGroup thread pool of 200 in each node to avoid deadlocks in the JGroups communication.
Given a Keycloak cluster with four Pods, each Pod should then have 50 Quarkus worker threads. Given a {project_name} cluster with four Pods, each Pod should then have 50 Quarkus worker threads.
Use the Quarkus configuration options `quarkus.thread-pool.max-threads` to configure the maximum number of Quarkus worker threads. Use the {project_name} configuration option `http-pool-max-threads` to configure the maximum number of Quarkus worker threads.