Use new remote-store options in HA guides
Fixes #27508

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This commit is contained in:
parent
be29be6741
commit
a5634b201c
3 changed files with 22 additions and 625 deletions
|
@ -4,10 +4,18 @@
|
||||||
<@tmpl.guide
|
<@tmpl.guide
|
||||||
title="Connect {project_name} with an external {jdgserver_name}"
|
title="Connect {project_name} with an external {jdgserver_name}"
|
||||||
summary="Building block for an Infinispan deployment on Kubernetes"
|
summary="Building block for an Infinispan deployment on Kubernetes"
|
||||||
tileVisible="false" >
|
tileVisible="false"
|
||||||
|
includedOptions="cache-remote-*" >
|
||||||
|
|
||||||
This topic describes advanced {jdgserver_name} configurations for {project_name} on Kubernetes.
|
This topic describes advanced {jdgserver_name} configurations for {project_name} on Kubernetes.
|
||||||
|
|
||||||
|
== Architecture
|
||||||
|
|
||||||
|
This connects {project_name} to {jdgserver_name} using TCP connections secured by TLS 1.3.
|
||||||
|
It uses the {project_name}'s truststore to verify {jdgserver_name}'s server certificate.
|
||||||
|
As {project_name} is deployed using its Operator on OpenShift in the prerequisites listed below, the Operator already added the `service-ca.crt` to the truststore which is used to sign {jdgserver_name}'s server certificates.
|
||||||
|
In other environments, add the necessary certificates to {project_name}'s truststore.
|
||||||
|
|
||||||
== Prerequisites
|
== Prerequisites
|
||||||
|
|
||||||
* <@links.ha id="deploy-keycloak-kubernetes" /> as it will be extended.
|
* <@links.ha id="deploy-keycloak-kubernetes" /> as it will be extended.
|
||||||
|
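Review bot: the new Architecture sentence "the Operator already added the `service-ca.crt` to the truststore which is used to sign {jdgserver_name}'s server certificates" reads as if the truststore does the signing; reword to "the `service-ca.crt` of the OpenShift service CA that signs {jdgserver_name}'s server certificates". The follow-up "In other environments, add the necessary certificates to {project_name}'s truststore" gives no pointer to how that is done; since this header now renders `includedOptions="cache-remote-*"`, name the truststore option or link the truststore guide so the TLS 1.3 verification claim is actionable outside OpenShift.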
@ -15,35 +23,6 @@ This topic describes advanced {jdgserver_name} configurations for {project_name}
|
||||||
|
|
||||||
== Procedure
|
== Procedure
|
||||||
|
|
||||||
. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml` which is part of the {project_name} distribution:
|
|
||||||
.. For each `distributed-cache` entry, add the tags `<persistence />` as shown following.
|
|
||||||
+
|
|
||||||
[source,xml,indent=0]
|
|
||||||
----
|
|
||||||
include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore]
|
|
||||||
----
|
|
||||||
<1> New tag `<persistence />` to connect it to the remote store.
|
|
||||||
<2> For the address to the remote store, reference two environment variables for host name and port number.
|
|
||||||
<3> For authentication, reference two environment variables for username and password.
|
|
||||||
<4> To secure the remote store connection, use the Kubernetes mechanisms of the pre-configured truststore.
|
|
||||||
|
|
||||||
.. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml`, which is part of the {project_name} distribution.
|
|
||||||
For each `replicated-cache` entry, add the tag `<persistence />` as shown below.
|
|
||||||
For additional information on the infinispan configuration options, see the https://docs.jboss.org/infinispan/14.0/configdocs/infinispan-config-14.0.html[infinispan configuration schema reference].
|
|
||||||
+
|
|
||||||
[source,xml,indent=0]
|
|
||||||
----
|
|
||||||
include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore-work]
|
|
||||||
----
|
|
||||||
|
|
||||||
. Place the {jdgserver_name} Cache configuration XML in a ConfigMap.
|
|
||||||
+
|
|
||||||
[source,yaml]
|
|
||||||
----
|
|
||||||
include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-configmap]
|
|
||||||
...
|
|
||||||
----
|
|
||||||
|
|
||||||
. Create a Secret with the username and password to connect to the external {jdgserver_name} deployment:
|
. Create a Secret with the username and password to connect to the external {jdgserver_name} deployment:
|
||||||
+
|
+
|
||||||
[source,yaml]
|
[source,yaml]
|
||||||
|
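Review bot: removing the XML preparation steps also removes the only statement of which caches receive a remote store (every `distributed-cache` plus the `work` `replicated-cache`) and the link to the Infinispan configuration schema reference. Add one sentence to the procedure stating that the built-in cache configuration wires the remote store for those caches once the `cache-remote-*` options are set, so readers migrating from the ConfigMap approach can see that coverage is unchanged.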
@ -55,9 +34,7 @@ include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-secret]
|
||||||
+
|
+
|
||||||
[NOTE]
|
[NOTE]
|
||||||
====
|
====
|
||||||
* The new `additionalOptions` entries starting with `remote-store` used here are not official {project_name} configurations.
|
All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
|
||||||
Instead, they provide their values to environment variables that are then referenced in the {jdgserver_name} XML configuration.
|
|
||||||
* All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
|
|
||||||
Administrators should leave those configurations untouched.
|
Administrators should leave those configurations untouched.
|
||||||
====
|
====
|
||||||
+
|
+
|
||||||
|
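Review bot: with the first bullet about `additionalOptions` removed, the `[NOTE]` block is now a list with a single `*` item; drop the bullet marker and keep the two remaining sentences as a plain paragraph. Removing the remark that the `remote-store` entries "are not official {project_name} configurations" is correct now that the guide header renders `cache-remote-*` as documented options.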
@ -65,10 +42,12 @@ Administrators should leave those configurations untouched.
|
||||||
----
|
----
|
||||||
include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn]
|
include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn]
|
||||||
----
|
----
|
||||||
<1> The `name` and `key` of the ConfigMap with the {jdgserver_name} Cache configuration XML created in the previous step.
|
<1> The hostname of the remote {jdgserver_name} cluster.
|
||||||
<2> The hostname and port of the remote cache {jdgserver_name} cluster.
|
<2> The port of the remote {jdgserver_name} cluster.
|
||||||
<3> The credentials required, username and password, to access the remote cache {jdgserver_name} cluster.
|
This is optional and it default to `11222`.
|
||||||
<4> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used.
|
<3> The Secret `name` and `key` with the {jdgserver_name} username credential.
|
||||||
|
<4> The Secret `name` and `key` with the {jdgserver_name} password credential.
|
||||||
|
<5> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used.
|
||||||
This site-name is related only to the embedded {jdgserver_name} and does not need to match any value from the external {jdgserver_name} deployment.
|
This site-name is related only to the embedded {jdgserver_name} and does not need to match any value from the external {jdgserver_name} deployment.
|
||||||
If you are using multiple sites for {project_name} in a cross-DC setup such as <@links.ha id="deploy-infinispan-kubernetes-crossdc" />, the site name must be different in each site.
|
If you are using multiple sites for {project_name} in a cross-DC setup such as <@links.ha id="deploy-infinispan-kubernetes-crossdc" />, the site name must be different in each site.
|
||||||
|
|
||||||
|
|
|
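Review bot: typo in callout <2>: "This is optional and it default to `11222`" should read "This is optional and defaults to `11222`". The renumbered callouts (<1> host through <5> `spi-connections-infinispan-quarkus-site-name`) match the YAML hunk; note that the old callout <1> described the ConfigMap `name` and `key`, which this change drops together with the `configMapFile` block, so no callout is left without a target.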
@ -47,299 +47,6 @@ metadata:
|
||||||
namespace: keycloak
|
namespace: keycloak
|
||||||
type: kubernetes.io/tls
|
type: kubernetes.io/tls
|
||||||
---
|
---
|
||||||
# Source: keycloak/templates/keycloak-infinispan-configmap.yaml
|
|
||||||
# tag::keycloak-ispn-configmap[]
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: kcb-infinispan-cache-config
|
|
||||||
namespace: keycloak
|
|
||||||
data:
|
|
||||||
kcb-infinispan-cache-remote-store-config.xml: |
|
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!-- end::keycloak-ispn-configmap[] -->
|
|
||||||
|
|
||||||
<!--
|
|
||||||
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!--tag::keycloak-ispn-configmap[] -->
|
|
||||||
<infinispan
|
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="urn:infinispan:config:14.0 https://www.infinispan.org/schemas/infinispan-config-14.0.xsd
|
|
||||||
urn:infinispan:config:store:remote:14.0 https://www.infinispan.org/schemas/infinispan-cachestore-remote-config-14.0.xsd"
|
|
||||||
xmlns="urn:infinispan:config:14.0">
|
|
||||||
<!--end::keycloak-ispn-configmap[] -->
|
|
||||||
|
|
||||||
<!-- the statistics="true" attribute is not part of the original KC config and was added by Keycloak Benchmark -->
|
|
||||||
<cache-container name="keycloak" statistics="true">
|
|
||||||
<transport lock-timeout="60000"/>
|
|
||||||
<metrics names-as-tags="true" />
|
|
||||||
<local-cache name="realms" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<local-cache name="users" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<!--tag::keycloak-ispn-remotestore[] -->
|
|
||||||
<distributed-cache name="sessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false"> <!--1-->
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="sessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/> <!--2-->
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/> <!--3-->
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/> <!--4-->
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<!--end::keycloak-ispn-remotestore[] -->
|
|
||||||
<distributed-cache name="authenticationSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="authenticationSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="offlineSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="offlineSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="clientSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="clientSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="offlineClientSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="offlineClientSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="loginFailures" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="loginFailures"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<local-cache name="authorization" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<!--tag::keycloak-ispn-remotestore-work[] -->
|
|
||||||
<replicated-cache name="work" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="work"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</replicated-cache>
|
|
||||||
<!--end::keycloak-ispn-remotestore-work[] -->
|
|
||||||
<local-cache name="keys" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<expiration max-idle="3600000"/>
|
|
||||||
<memory max-count="1000"/>
|
|
||||||
</local-cache>
|
|
||||||
<distributed-cache name="actionTokens" owners="2" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
|
|
||||||
<memory max-count="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="actionTokens"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
</cache-container>
|
|
||||||
</infinispan>
|
|
||||||
---
|
|
||||||
# Source: keycloak/templates/keycloak-providers-configmap.yaml
|
# Source: keycloak/templates/keycloak-providers-configmap.yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
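Review bot: the deleted ConfigMap pinned several remote-store settings that the remaining callouts no longer mention: `connection-pool max-active="16"`, `digest` authentication with `realm="default"` against `server-name="infinispan"`, `protocol="TLSv1.3"` with `sni-hostname` set to the host, and the `service-ca.crt` PEM truststore. Since only host, port and credentials are documented now, the guide should state what the `cache-remote-*` options use for authentication mechanism, TLS protocol and pool size, or say these are no longer configurable, so operators can compare the new defaults against the explicit XML they may be running today.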
@ -743,12 +450,6 @@ spec:
|
||||||
features:
|
features:
|
||||||
enabled:
|
enabled:
|
||||||
- multi-site # <3>
|
- multi-site # <3>
|
||||||
# tag::keycloak-ispn[]
|
|
||||||
cache:
|
|
||||||
configMapFile:
|
|
||||||
name: kcb-infinispan-cache-config # <1>
|
|
||||||
key: kcb-infinispan-cache-remote-store-config.xml # <1>
|
|
||||||
# end::keycloak-ispn[]
|
|
||||||
transaction:
|
transaction:
|
||||||
xaEnabled: false # <4>
|
xaEnabled: false # <4>
|
||||||
# tag::keycloak-ispn[]
|
# tag::keycloak-ispn[]
|
||||||
|
@ -765,19 +466,19 @@ spec:
|
||||||
- name: http-pool-max-threads # <6>
|
- name: http-pool-max-threads # <6>
|
||||||
value: "200"
|
value: "200"
|
||||||
# tag::keycloak-ispn[]
|
# tag::keycloak-ispn[]
|
||||||
- name: remote-store-host # <2>
|
- name: cache-remote-host # <1>
|
||||||
value: "infinispan.keycloak.svc"
|
value: "infinispan.keycloak.svc"
|
||||||
- name: remote-store-port # <2>
|
- name: cache-remote-port # <2>
|
||||||
value: "11222"
|
value: "11222"
|
||||||
- name: remote-store-username # <3>
|
- name: cache-remote-username # <3>
|
||||||
secret:
|
secret:
|
||||||
name: remote-store-secret
|
name: remote-store-secret
|
||||||
key: username
|
key: username
|
||||||
- name: remote-store-password # <3>
|
- name: cache-remote-password # <4>
|
||||||
secret:
|
secret:
|
||||||
name: remote-store-secret
|
name: remote-store-secret
|
||||||
key: password
|
key: password
|
||||||
- name: spi-connections-infinispan-quarkus-site-name # <4>
|
- name: spi-connections-infinispan-quarkus-site-name # <5>
|
||||||
value: keycloak
|
value: keycloak
|
||||||
# end::keycloak-ispn[]
|
# end::keycloak-ispn[]
|
||||||
- name: db-driver
|
- name: db-driver
|
||||||
|
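Review bot: `cache-remote-port` is set explicitly to "11222" while callout <2> in the guide calls it optional with that same default; either drop the entry from the example or keep it and say it is shown for clarity. The referenced Secret is still named `remote-store-secret` after the options were renamed to `cache-remote-*`; consider renaming it (and the Secret created in the earlier step) for consistency, or leave it if that would churn existing deployments.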
@ -790,7 +491,7 @@ spec:
|
||||||
podTemplate:
|
podTemplate:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
checksum/config: ebe9b8c121995f449a1a4e339af244b2bb67769af84b3cbdff61159948447e20-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-dbc855dd9b7f7c0b828760ea8cd7427e8a2f5a5be303fba7dee0c6bbb68258d4-v1.27.0
|
checksum/config: 385f54cb8e4bf326f6970aa2a0c8e573d35d9071e69ab2baee252728748bca76-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- env:
|
- env:
|
||||||
|
|
|
@ -1,283 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!-- end::keycloak-ispn-configmap[] -->
|
|
||||||
|
|
||||||
<!--
|
|
||||||
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
|
|
||||||
~ and other contributors as indicated by the @author tags.
|
|
||||||
~
|
|
||||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
~ you may not use this file except in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing, software
|
|
||||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
~ See the License for the specific language governing permissions and
|
|
||||||
~ limitations under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!--tag::keycloak-ispn-configmap[] -->
|
|
||||||
<infinispan
|
|
||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
||||||
xsi:schemaLocation="urn:infinispan:config:14.0 https://www.infinispan.org/schemas/infinispan-config-14.0.xsd
|
|
||||||
urn:infinispan:config:store:remote:14.0 https://www.infinispan.org/schemas/infinispan-cachestore-remote-config-14.0.xsd"
|
|
||||||
xmlns="urn:infinispan:config:14.0">
|
|
||||||
<!--end::keycloak-ispn-configmap[] -->
|
|
||||||
|
|
||||||
<!-- the statistics="true" attribute is not part of the original KC config and was added by Keycloak Benchmark -->
|
|
||||||
<cache-container name="keycloak" statistics="true">
|
|
||||||
<transport lock-timeout="60000"/>
|
|
||||||
<metrics names-as-tags="true" />
|
|
||||||
<local-cache name="realms" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<local-cache name="users" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<!--tag::keycloak-ispn-remotestore[] -->
|
|
||||||
<distributed-cache name="sessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false"> <!--1-->
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="sessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/> <!--2-->
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/> <!--3-->
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/> <!--4-->
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<!--end::keycloak-ispn-remotestore[] -->
|
|
||||||
<distributed-cache name="authenticationSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="authenticationSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="offlineSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="offlineSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3"
|
|
||||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="clientSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="clientSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="offlineClientSessions" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="offlineClientSessions"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<distributed-cache name="loginFailures" owners="2" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="loginFailures"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
<local-cache name="authorization" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<memory max-count="10000"/>
|
|
||||||
</local-cache>
|
|
||||||
<!--tag::keycloak-ispn-remotestore-work[] -->
|
|
||||||
<replicated-cache name="work" statistics="true">
|
|
||||||
<expiration lifespan="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="work"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</replicated-cache>
|
|
||||||
<!--end::keycloak-ispn-remotestore-work[] -->
|
|
||||||
<local-cache name="keys" simple-cache="true" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<expiration max-idle="3600000"/>
|
|
||||||
<memory max-count="1000"/>
|
|
||||||
</local-cache>
|
|
||||||
<distributed-cache name="actionTokens" owners="2" statistics="true">
|
|
||||||
<encoding>
|
|
||||||
<key media-type="application/x-java-object"/>
|
|
||||||
<value media-type="application/x-java-object"/>
|
|
||||||
</encoding>
|
|
||||||
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
|
|
||||||
<memory max-count="-1"/>
|
|
||||||
<persistence passivation="false">
|
|
||||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
|
||||||
cache="actionTokens"
|
|
||||||
raw-values="true"
|
|
||||||
shared="true"
|
|
||||||
segmented="false">
|
|
||||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
|
||||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
|
||||||
<connection-pool max-active="16"
|
|
||||||
exhausted-action="CREATE_NEW"/>
|
|
||||||
<security>
|
|
||||||
<authentication server-name="infinispan">
|
|
||||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
|
||||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
|
||||||
realm="default"/>
|
|
||||||
</authentication>
|
|
||||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
|
||||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
|
||||||
type="pem"/>
|
|
||||||
</encryption>
|
|
||||||
</security>
|
|
||||||
</remote-store>
|
|
||||||
</persistence>
|
|
||||||
</distributed-cache>
|
|
||||||
</cache-container>
|
|
||||||
</infinispan>
|
|
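Review bot: deleting `examples/src/kcb-infinispan-cache-remote-store-config.xml` removes the `keycloak-ispn-remotestore`, `keycloak-ispn-remotestore-work` and `keycloak-ispn-configmap` tag regions; the two `include::` directives in this guide go away in the same commit, but please confirm no other guide, in particular the cross-DC guide linked as `deploy-infinispan-kubernetes-crossdc`, still includes this file by those tags, since a dangling include only surfaces at docs build time. The deleted file also carried the `statistics="true"` / `metrics names-as-tags` note from Keycloak Benchmark; if remote-store metrics are still relevant to the HA guide, that note has no replacement.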