Use new remote-store options in HA guides
Fixes #27508 Signed-off-by: Pedro Ruivo <pruivo@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This commit is contained in:
Pedro Ruivo
GitHub
parent
be29be6741
commit
a5634b201c
3 changed files with 22 additions and 625 deletions
|
|
@ -4,10 +4,18 @@
|
|||
<@tmpl.guide
|
||||
title="Connect {project_name} with an external {jdgserver_name}"
|
||||
summary="Building block for an Infinispan deployment on Kubernetes"
|
||||
tileVisible="false" >
|
||||
tileVisible="false"
|
||||
includedOptions="cache-remote-*" >
|
||||
|
||||
This topic describes advanced {jdgserver_name} configurations for {project_name} on Kubernetes.
|
||||
|
||||
== Architecture
|
||||
|
||||
This connects {project_name} to {jdgserver_name} using TCP connections secured by TLS 1.3.
|
||||
It uses the {project_name}'s truststore to verify {jdgserver_name}'s server certificate.
|
||||
As {project_name} is deployed using its Operator on OpenShift in the prerequisites listed below, the Operator already added the `service-ca.crt` to the truststore which is used to sign {jdgserver_name}'s server certificates.
|
||||
In other environments, add the necessary certificates to {project_name}'s truststore.
|
||||
|
||||
== Prerequisites
|
||||
|
||||
* <@links.ha id="deploy-keycloak-kubernetes" /> as it will be extended.
|
||||
|
|
@ -15,35 +23,6 @@ This topic describes advanced {jdgserver_name} configurations for {project_name}
|
|||
|
||||
== Procedure
|
||||
|
||||
. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml` which is part of the {project_name} distribution:
|
||||
.. For each `distributed-cache` entry, add the tags `<persistence />` as shown following.
|
||||
+
|
||||
[source,xml,indent=0]
|
||||
----
|
||||
include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore]
|
||||
----
|
||||
<1> New tag `<persistence />` to connect it to the remote store.
|
||||
<2> For the address to the remote store, reference two environment variables for host name and port number.
|
||||
<3> For authentication, reference two environment variables for username and password.
|
||||
<4> To secure the remote store connection, use the Kubernetes mechanisms of the pre-configured truststore.
|
||||
|
||||
.. Prepare an {jdgserver_name} Cache configuration XML from the file `cache-ispn.xml`, which is part of the {project_name} distribution.
|
||||
For each `replicated-cache` entry, add the tag `<persistence />` as shown below.
|
||||
For additional information on the infinispan configuration options, see the https://docs.jboss.org/infinispan/14.0/configdocs/infinispan-config-14.0.html[infinispan configuration schema reference].
|
||||
+
|
||||
[source,xml,indent=0]
|
||||
----
|
||||
include::examples/src/kcb-infinispan-cache-remote-store-config.xml[tag=keycloak-ispn-remotestore-work]
|
||||
----
|
||||
|
||||
. Place the {jdgserver_name} Cache configuration XML in a ConfigMap.
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-configmap]
|
||||
...
|
||||
----
|
||||
|
||||
. Create a Secret with the username and password to connect to the external {jdgserver_name} deployment:
|
||||
+
|
||||
[source,yaml]
|
||||
|
|
@ -55,9 +34,7 @@ include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn-secret]
|
|||
+
|
||||
[NOTE]
|
||||
====
|
||||
* The new `additionalOptions` entries starting with `remote-store` used here are not official {project_name} configurations.
|
||||
Instead, they provide their values to environment variables that are then referenced in the {jdgserver_name} XML configuration.
|
||||
* All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
|
||||
All the memory, resource and database configurations are skipped from the CR below as they have been described in <@links.ha id="deploy-keycloak-kubernetes" /> {section} already.
|
||||
Administrators should leave those configurations untouched.
|
||||
====
|
||||
+
|
||||
|
|
@ -65,10 +42,12 @@ Administrators should leave those configurations untouched.
|
|||
----
|
||||
include::examples/generated/keycloak-ispn.yaml[tag=keycloak-ispn]
|
||||
----
|
||||
<1> The `name` and `key` of the ConfigMap with the {jdgserver_name} Cache configuration XML created in the previous step.
|
||||
<2> The hostname and port of the remote cache {jdgserver_name} cluster.
|
||||
<3> The credentials required, username and password, to access the remote cache {jdgserver_name} cluster.
|
||||
<4> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used.
|
||||
<1> The hostname of the remote {jdgserver_name} cluster.
|
||||
<2> The port of the remote {jdgserver_name} cluster.
|
||||
This is optional and it default to `11222`.
|
||||
<3> The Secret `name` and `key` with the {jdgserver_name} username credential.
|
||||
<4> The Secret `name` and `key` with the {jdgserver_name} password credential.
|
||||
<5> The `spi-connections-infinispan-quarkus-site-name` is an arbitrary {jdgserver_name} site name which {project_name} needs for its embedded {jdgserver_name} deployment when a remote store is used.
|
||||
This site-name is related only to the embedded {jdgserver_name} and does not need to match any value from the external {jdgserver_name} deployment.
|
||||
If you are using multiple sites for {project_name} in a cross-DC setup such as <@links.ha id="deploy-infinispan-kubernetes-crossdc" />, the site name must be different in each site.
|
||||
|
||||
|
|
|
|||
|
|
@ -47,299 +47,6 @@ metadata:
|
|||
namespace: keycloak
|
||||
type: kubernetes.io/tls
|
||||
---
|
||||
# Source: keycloak/templates/keycloak-infinispan-configmap.yaml
|
||||
# tag::keycloak-ispn-configmap[]
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: kcb-infinispan-cache-config
|
||||
namespace: keycloak
|
||||
data:
|
||||
kcb-infinispan-cache-remote-store-config.xml: |
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- end::keycloak-ispn-configmap[] -->
|
||||
|
||||
<!--
|
||||
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
|
||||
~ and other contributors as indicated by the @author tags.
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<!--tag::keycloak-ispn-configmap[] -->
|
||||
<infinispan
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="urn:infinispan:config:14.0 https://www.infinispan.org/schemas/infinispan-config-14.0.xsd
|
||||
urn:infinispan:config:store:remote:14.0 https://www.infinispan.org/schemas/infinispan-cachestore-remote-config-14.0.xsd"
|
||||
xmlns="urn:infinispan:config:14.0">
|
||||
<!--end::keycloak-ispn-configmap[] -->
|
||||
|
||||
<!-- the statistics="true" attribute is not part of the original KC config and was added by Keycloak Benchmark -->
|
||||
<cache-container name="keycloak" statistics="true">
|
||||
<transport lock-timeout="60000"/>
|
||||
<metrics names-as-tags="true" />
|
||||
<local-cache name="realms" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<local-cache name="users" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<!--tag::keycloak-ispn-remotestore[] -->
|
||||
<distributed-cache name="sessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false"> <!--1-->
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="sessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/> <!--2-->
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/> <!--3-->
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/> <!--4-->
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<!--end::keycloak-ispn-remotestore[] -->
|
||||
<distributed-cache name="authenticationSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="authenticationSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="offlineSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="offlineSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="clientSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="clientSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="offlineClientSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="offlineClientSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="loginFailures" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="loginFailures"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<local-cache name="authorization" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<!--tag::keycloak-ispn-remotestore-work[] -->
|
||||
<replicated-cache name="work" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="work"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</replicated-cache>
|
||||
<!--end::keycloak-ispn-remotestore-work[] -->
|
||||
<local-cache name="keys" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<expiration max-idle="3600000"/>
|
||||
<memory max-count="1000"/>
|
||||
</local-cache>
|
||||
<distributed-cache name="actionTokens" owners="2" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
|
||||
<memory max-count="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="actionTokens"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
</cache-container>
|
||||
</infinispan>
|
||||
---
|
||||
# Source: keycloak/templates/keycloak-providers-configmap.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
|
@ -743,12 +450,6 @@ spec:
|
|||
features:
|
||||
enabled:
|
||||
- multi-site # <3>
|
||||
# tag::keycloak-ispn[]
|
||||
cache:
|
||||
configMapFile:
|
||||
name: kcb-infinispan-cache-config # <1>
|
||||
key: kcb-infinispan-cache-remote-store-config.xml # <1>
|
||||
# end::keycloak-ispn[]
|
||||
transaction:
|
||||
xaEnabled: false # <4>
|
||||
# tag::keycloak-ispn[]
|
||||
|
|
@ -765,19 +466,19 @@ spec:
|
|||
- name: http-pool-max-threads # <6>
|
||||
value: "200"
|
||||
# tag::keycloak-ispn[]
|
||||
- name: remote-store-host # <2>
|
||||
- name: cache-remote-host # <1>
|
||||
value: "infinispan.keycloak.svc"
|
||||
- name: remote-store-port # <2>
|
||||
- name: cache-remote-port # <2>
|
||||
value: "11222"
|
||||
- name: remote-store-username # <3>
|
||||
- name: cache-remote-username # <3>
|
||||
secret:
|
||||
name: remote-store-secret
|
||||
key: username
|
||||
- name: remote-store-password # <3>
|
||||
- name: cache-remote-password # <4>
|
||||
secret:
|
||||
name: remote-store-secret
|
||||
key: password
|
||||
- name: spi-connections-infinispan-quarkus-site-name # <4>
|
||||
- name: spi-connections-infinispan-quarkus-site-name # <5>
|
||||
value: keycloak
|
||||
# end::keycloak-ispn[]
|
||||
- name: db-driver
|
||||
|
|
@ -790,7 +491,7 @@ spec:
|
|||
podTemplate:
|
||||
metadata:
|
||||
annotations:
|
||||
checksum/config: ebe9b8c121995f449a1a4e339af244b2bb67769af84b3cbdff61159948447e20-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-dbc855dd9b7f7c0b828760ea8cd7427e8a2f5a5be303fba7dee0c6bbb68258d4-v1.27.0
|
||||
checksum/config: 385f54cb8e4bf326f6970aa2a0c8e573d35d9071e69ab2baee252728748bca76-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
|
||||
spec:
|
||||
containers:
|
||||
- env:
|
||||
|
|
|
|||
|
|
@ -1,283 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- end::keycloak-ispn-configmap[] -->
|
||||
|
||||
<!--
|
||||
~ Copyright 2019 Red Hat, Inc. and/or its affiliates
|
||||
~ and other contributors as indicated by the @author tags.
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<!--tag::keycloak-ispn-configmap[] -->
|
||||
<infinispan
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="urn:infinispan:config:14.0 https://www.infinispan.org/schemas/infinispan-config-14.0.xsd
|
||||
urn:infinispan:config:store:remote:14.0 https://www.infinispan.org/schemas/infinispan-cachestore-remote-config-14.0.xsd"
|
||||
xmlns="urn:infinispan:config:14.0">
|
||||
<!--end::keycloak-ispn-configmap[] -->
|
||||
|
||||
<!-- the statistics="true" attribute is not part of the original KC config and was added by Keycloak Benchmark -->
|
||||
<cache-container name="keycloak" statistics="true">
|
||||
<transport lock-timeout="60000"/>
|
||||
<metrics names-as-tags="true" />
|
||||
<local-cache name="realms" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<local-cache name="users" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<!--tag::keycloak-ispn-remotestore[] -->
|
||||
<distributed-cache name="sessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false"> <!--1-->
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="sessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/> <!--2-->
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/> <!--3-->
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/> <!--4-->
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<!--end::keycloak-ispn-remotestore[] -->
|
||||
<distributed-cache name="authenticationSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="authenticationSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="offlineSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="offlineSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3"
|
||||
sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="clientSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="clientSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="offlineClientSessions" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="offlineClientSessions"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<distributed-cache name="loginFailures" owners="2" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="loginFailures"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
<local-cache name="authorization" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<memory max-count="10000"/>
|
||||
</local-cache>
|
||||
<!--tag::keycloak-ispn-remotestore-work[] -->
|
||||
<replicated-cache name="work" statistics="true">
|
||||
<expiration lifespan="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="work"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</replicated-cache>
|
||||
<!--end::keycloak-ispn-remotestore-work[] -->
|
||||
<local-cache name="keys" simple-cache="true" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<expiration max-idle="3600000"/>
|
||||
<memory max-count="1000"/>
|
||||
</local-cache>
|
||||
<distributed-cache name="actionTokens" owners="2" statistics="true">
|
||||
<encoding>
|
||||
<key media-type="application/x-java-object"/>
|
||||
<value media-type="application/x-java-object"/>
|
||||
</encoding>
|
||||
<expiration max-idle="-1" lifespan="-1" interval="300000"/>
|
||||
<memory max-count="-1"/>
|
||||
<persistence passivation="false">
|
||||
<remote-store xmlns="urn:infinispan:config:store:remote:14.0"
|
||||
cache="actionTokens"
|
||||
raw-values="true"
|
||||
shared="true"
|
||||
segmented="false">
|
||||
<remote-server host="${env.KC_REMOTE_STORE_HOST}"
|
||||
port="${env.KC_REMOTE_STORE_PORT}"/>
|
||||
<connection-pool max-active="16"
|
||||
exhausted-action="CREATE_NEW"/>
|
||||
<security>
|
||||
<authentication server-name="infinispan">
|
||||
<digest username="${env.KC_REMOTE_STORE_USERNAME}"
|
||||
password="${env.KC_REMOTE_STORE_PASSWORD}"
|
||||
realm="default"/>
|
||||
</authentication>
|
||||
<encryption protocol="TLSv1.3" sni-hostname="${env.KC_REMOTE_STORE_HOST}">
|
||||
<truststore filename="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
|
||||
type="pem"/>
|
||||
</encryption>
|
||||
</security>
|
||||
</remote-store>
|
||||
</persistence>
|
||||
</distributed-cache>
|
||||
</cache-container>
|
||||
</infinispan>
|
||||
Loading…
Reference in a new issue