From a5634b201c4e32921af0aa77808077f5205fc072 Mon Sep 17 00:00:00 2001 From: Pedro Ruivo Date: Thu, 14 Mar 2024 11:47:35 +0000 Subject: [PATCH] Use new remote-store options in HA guides Fixes #27508 Signed-off-by: Pedro Ruivo Signed-off-by: Alexander Schwartz Co-authored-by: Alexander Schwartz --- ...nnect-keycloak-to-external-infinispan.adoc | 53 +-- .../examples/generated/keycloak-ispn.yaml | 311 +----------------- ...b-infinispan-cache-remote-store-config.xml | 283 ---------------- 3 files changed, 22 insertions(+), 625 deletions(-) delete mode 100644 docs/guides/high-availability/examples/src/kcb-infinispan-cache-remote-store-config.xml diff --git a/docs/guides/high-availability/connect-keycloak-to-external-infinispan.adoc b/docs/guides/high-availability/connect-keycloak-to-external-infinispan.adoc index 831c2fd797..b3e661521d 100644 --- a/docs/guides/high-availability/connect-keycloak-to-external-infinispan.adoc +++ b/docs/guides/high-availability/connect-keycloak-to-external-infinispan.adoc @@ -4,10 +4,18 @@ <@tmpl.guide title="Connect {project_name} with an external {jdgserver_name}" summary="Building block for an Infinispan deployment on Kubernetes" -tileVisible="false" > +tileVisible="false" +includedOptions="cache-remote-*" > This topic describes advanced {jdgserver_name} configurations for {project_name} on Kubernetes. +== Architecture + +This connects {project_name} to {jdgserver_name} using TCP connections secured by TLS 1.3. +It uses the {project_name}'s truststore to verify {jdgserver_name}'s server certificate. +As {project_name} is deployed using its Operator on OpenShift in the prerequisites listed below, the Operator already added the `service-ca.crt` to the truststore which is used to sign {jdgserver_name}'s server certificates. +In other environments, add the necessary certificates to {project_name}'s truststore. + == Prerequisites * <@links.ha id="deploy-keycloak-kubernetes" /> as it will be extended. 
@@ -15,35 +23,6 @@ This topic describes advanced {jdgserver_name} configurations for {project_name} == Procedure -. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml` which is part of the {project_name} distribution: -.. For each `distributed-cache` entry, add the tags `` as shown following. -+ -[source,xml,indent=0] ----- -include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore] ----- -<1> New tag `` to connect it to the remote store. -<2> For the address to the remote store, reference two environment variables for host name and port number. -<3> For authentication, reference two environment variables for username and password. -<4> To secure the remote store connection, use the Kubernetes mechanisms of the pre-configured truststore. - -.. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml`, which is part of the {project_name} distribution. -For each `replicated-cache` entry, add the tag `` as shown below. -For additional information on the infinispan configuration options, see the https://docs.jboss.org/infinispan/14.0/configdocs/infinispan-config-14.0.html[infinispan configuration schema reference]. -+ -[source,xml,indent=0] ----- -include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore-work] ----- - -. Place the {jdgserver_name} Cache configuration XML in a ConfigMap. -+ -[source,yaml] ----- -include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-configmap] -... ----- - . Create a Secret with the username and password to connect to the external {jdgserver_name} deployment: + [source,yaml] 
@@ -55,9 +34,7 @@ include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-secret]
 +
 [NOTE]
 ====
-* The new `additionalOptions` entries starting with `remote-store` used here are not official {project_name} configurations.
-Instead, they provide their values to environment variables that are then referenced in the {jdgserver_name} XML configuration.
-* All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
+All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
 Administrators should leave those configurations untouched.
 ====
 +
@@ -65,10 +42,12 @@ Administrators should leave those configurations untouched. ---- include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn] ---- -<1> The `name` and `key` of the ConfigMap with the {jdgserver_name} Cache configuration XML created in the previous step. -<2> The hostname and port of the remote cache {jdgserver_name} cluster. -<3> The credentials required, username and password, to access the remote cache {jdgserver_name} cluster. -<4> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used. +<1> The hostname of the remote {jdgserver_name} cluster. +<2> The port of the remote {jdgserver_name} cluster. +This is optional and it default to `11222`. +<3> The Secret `name` and `key` with the {jdgserver_name} username credential. +<4> The Secret `name` and `key` with the {jdgserver_name} password credential. +<5> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used. This site-name is related only to the embedded {jdgserver_name} and does not need to match any value from the external {jdgserver_name} deployment. If you are using multiple sites for {project_name} in a cross-DC setup such as <@links.ha id="deploy-infinispan-kubernetes-crossdc" />, the site name must be different in each site. diff --git a/docs/guides/high-availability/examples/generated/keycloak-ispn.yaml b/docs/guides/high-availability/examples/generated/keycloak-ispn.yaml index c090921372..b52e8571f2 100644 --- a/docs/guides/high-availability/examples/generated/keycloak-ispn.yaml +++ b/docs/guides/high-availability/examples/generated/keycloak-ispn.yaml 
@@ -47,299 +47,6 @@ metadata: namespace: keycloak type: kubernetes.io/tls --- -# Source: keycloak/templates/keycloak-infinispan-configmap.yaml -# tag::keycloak-ispn-configmap[] -apiVersion: v1 -kind: ConfigMap -metadata: - name: kcb-infinispan-cache-config - namespace: keycloak -data: - kcb-infinispan-cache-remote-store-config.xml: | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---- # Source: keycloak/templates/keycloak-providers-configmap.yaml apiVersion: v1 kind: ConfigMap @@ -743,12 +450,6 @@ spec: features: enabled: - multi-site # <3> - # tag::keycloak-ispn[] - cache: - configMapFile: - name: kcb-infinispan-cache-config # <1> - key: kcb-infinispan-cache-remote-store-config.xml # <1> - # end::keycloak-ispn[] transaction: xaEnabled: false # <4> # tag::keycloak-ispn[] @@ -765,19 +466,19 @@ spec: - name: http-pool-max-threads # <6> value: "200" # tag::keycloak-ispn[] - - name: remote-store-host # <2> + - name: cache-remote-host # <1> value: "infinispan.keycloak.svc" - - name: remote-store-port # <2> + - name: cache-remote-port # <2> value: "11222" - - name: remote-store-username # <3> + - name: cache-remote-username # <3> secret: name: remote-store-secret key: username - - name: remote-store-password # <3> + - name: cache-remote-password # <4> secret: name: remote-store-secret key: password - - name: spi-connections-infinispan-quarkus-site-name # <4> + - name: spi-connections-infinispan-quarkus-site-name # <5> value: keycloak # end::keycloak-ispn[] - name: db-driver 
@@ -790,7 +491,7 @@ spec: podTemplate: metadata: annotations: - checksum/config: ebe9b8c121995f449a1a4e339af244b2bb67769af84b3cbdff61159948447e20-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3--dbc855dd9b7f7c0b828760ea8cd7427e8a2f5a5be303fba7dee0c6bbb68258d4-v1.27.0 + checksum/config: 385f54cb8e4bf326f6970aa2a0c8e573d35d9071e69ab2baee252728748bca76-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0 spec: containers: - env: diff --git a/docs/guides/high-availability/examples/src/kcb-infinispan-cache-remote-store-config.xml b/docs/guides/high-availability/examples/src/kcb-infinispan-cache-remote-store-config.xml deleted file mode 100644 index bdf643136f..0000000000 --- a/docs/guides/high-availability/examples/src/kcb-infinispan-cache-remote-store-config.xml +++ /dev/null @@ -1,283 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -