Document using AWS JDBC Wrapper in HA guide

Closes #27211

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Michal Hajas 2024-02-26 13:15:04 +01:00 committed by GitHub
parent 03f6cda85a
commit eadd1c45c4
5 changed files with 59 additions and 22 deletions


@ -54,7 +54,7 @@ include::partials/aurora/aurora-verify-peering-connections.adoc[]
Now that an Aurora database has been established and linked with all of your ROSA clusters, the next step is to deploy {project_name} as described in the <@links.ha id="deploy-keycloak-kubernetes" /> {section} with the JDBC url configured to use the Aurora database writer endpoint.
To do this, create a `{project_name}` CR with the following adjustments:
. Update `spec.db.url` to be `jdbc:postgresql://$HOST:5432/keycloak` where `$HOST` is the
. Update `spec.db.url` to be `jdbc:aws-wrapper:postgresql://$HOST:5432/keycloak` where `$HOST` is the
<<aurora-writer-url, Aurora writer endpoint URL>>.
. Ensure that the Secrets referenced by `spec.db.usernameSecret` and `spec.db.passwordSecret` contain usernames and passwords defined when creating Aurora.
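Review bot: the new `jdbc:aws-wrapper:postgresql://` prefix on `spec.db.url` only works when the AWS JDBC wrapper jar is inside the image and the `db-driver` additional option is set to `software.amazon.jdbc.Driver` (both appear elsewhere in this commit), but this step mentions neither prerequisite; add a sentence pointing readers to the `preparing-keycloak-for-amazon-aurora-postgresql` section and to the `db-driver` option so that a reader following only this page does not end up with a JDBC URL that no loaded driver accepts.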


@ -22,6 +22,10 @@ Use it together with the other building blocks outlined in the <@links.ha id="bb
. Install the {project_name} Operator as described in the <@links.operator id="installation" /> {section}.
. Deploy Aurora AWS as described in the <@links.ha id="deploy-aurora-multi-az" /> {section}.
. Build a custom {project_name} image which is link:{links_server_db_url}#preparing-keycloak-for-amazon-aurora-postgresql[prepared for usage with the Amazon Aurora PostgreSQL database].
. Deploy the {project_name} CR with the following values with the resource requests and limits calculated in the first step:
+
[source,yaml]
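Review bot: step 3 tells readers to build the custom image but not where it is consumed; say that its reference goes into the `image` field of the CR in step 4 (the `<KEYCLOAK_IMAGE_HERE>` placeholder in the generated YAML), otherwise the link between the two steps is left for the reader to work out.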
@ -32,11 +36,13 @@ include::examples/generated/keycloak.yaml[tag=keycloak]
Adjust this number to meet the needs of your system.
As most requests will not touch the database due to the {project_name} embedded cache, this change can server several hundreds of requests per second.
See the <@links.ha id="concepts-database-connections" /> {section} for details.
<2> Enable additional features for multi-site support like the loadbalancer probe `/lb-check`.
<3> To be able to analyze the system under load, enable the metrics endpoint.
<2> Specify the URL to your custom {project_name} image. If your image is optimized, set the `startOptimized` flag to `true.
<3> Enable additional features for multi-site support like the loadbalancer probe `/lb-check`.
<4> XA transactions are not supported by the https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/[Amazon Web Services JDBC Driver].
<5> To be able to analyze the system under load, enable the metrics endpoint.
The disadvantage of the setting is that the metrics will be available at the external {project_name} endpoint, so you must add a filter so that the endpoint is not available from the outside.
Use a reverse proxy in front of {project_name} to filter out those URLs.
<4> The default setting for the internal JGroup thread pools is 200 threads maximum.
<6> The default setting for the internal JGroup thread pools is 200 threads maximum.
The number of all {project_name} threads in the StatefulSet should not exceed the number of JGroup threads to avoid a JGroup thread pool exhaustion which could stall {project_name} request processing.
You might consider limiting the number of {project_name} threads further because multiple concurrent threads will lead to throttling by Kubernetes once the requested CPU limit is reached.
See the <@links.ha id="concepts-threads" /> {section} for details.
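Review bot: callout `<2>` has an unclosed backtick, `` `true. `` should read `` `true`. ``, otherwise AsciiDoc renders the rest of the line as monospace. While touching these lines, the unchanged context line `can server several hundreds of requests per second` should read `can serve`, and callout `<4>` would be more useful if it said what `xaEnabled: false` changes for the deployment rather than only that the driver lacks XA support.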


@ -720,7 +720,7 @@ metadata:
spec:
# end::keycloak-ispn[]
hostname:
hostname: keycloak-keycloak.minikube.nip.io
hostname: <KEYCLOAK_URL_HERE>
resources:
requests:
memory: "1024M"
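Review bot: `hostname.hostname` takes a bare host name, yet the placeholder is named `<KEYCLOAK_URL_HERE>`, which invites pasting an `https://...` URL into the field; rename it to something like `<KEYCLOAK_HOSTNAME_HERE>` (the same applies to the second generated file below).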
@ -728,7 +728,7 @@ spec:
memory: "1024M"
db:
vendor: postgres
url: jdbc:postgresql://postgres:5432/keycloak
url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
poolMinSize: 15 # <1>
poolInitialSize: 15
poolMaxSize: 15
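Review bot: `<AWS_AURORA_URL_HERE>` sits in the host position of the JDBC URL, so a full URL pasted there yields an invalid `jdbc:aws-wrapper:postgresql://` string; name the placeholder after what the other page asks for, the Aurora writer endpoint, for example `<AWS_AURORA_WRITER_ENDPOINT_HERE>`.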
@ -738,28 +738,31 @@ spec:
passwordSecret:
name: keycloak-db-secret
key: password
image: <KEYCLOAK_IMAGE_HERE> # <2>
startOptimized: false # <2>
features:
enabled:
- multi-site # <2>
- multi-site # <3>
# tag::keycloak-ispn[]
cache:
configMapFile:
name: kcb-infinispan-cache-config # <1>
key: kcb-infinispan-cache-remote-store-config.xml # <1>
# end::keycloak-ispn[]
transaction:
xaEnabled: false # <4>
# tag::keycloak-ispn[]
additionalOptions:
# end::keycloak-ispn[]
# tag::keycloak-queue-size[]
- name: http-max-queued-requests
value: "1000"
# end::keycloak-queue-size[]
- name: log-console-output
value: json
- name: metrics-enabled # <3>
- name: metrics-enabled # <5>
value: 'true'
- name: http-pool-max-threads # <4>
- name: http-pool-max-threads # <6>
value: "200"
# tag::keycloak-ispn[]
- name: remote-store-host # <2>
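Review bot: the renumbered callouts collide with unchanged context lines: `remote-store-host # <2>` and `spi-connections-infinispan-quarkus-site-name # <4>` keep their old numbers inside the same `keycloak` tag region where `<2>` now means `image`/`startOptimized` and `<4>` means `xaEnabled`; please confirm those lines are only rendered through a different include (the `keycloak-ispn` tag) or renumber them as well.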
@ -776,7 +779,9 @@ spec:
key: password
- name: spi-connections-infinispan-quarkus-site-name # <4>
value: keycloak
# end::keycloak-ispn[]
# end::keycloak-ispn[]
- name: db-driver
value: software.amazon.jdbc.Driver
http:
tlsSecret: keycloak-tls-secret
instances: 1
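Review bot: the new `db-driver` entry is the one option that makes the `jdbc:aws-wrapper:` URL usable, yet it is the only changed setting in this file without a callout; add one (for example `# <7>`) stating that `software.amazon.jdbc.Driver` is the AWS wrapper and that the URL prefix and the driver must be changed together, since leaving either at the PostgreSQL default breaks the connection.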
@ -785,7 +790,7 @@ spec:
podTemplate:
metadata:
annotations:
checksum/config: 299939d6a4cb95660bea957f7baeade00c9a27c83d97497645393afe991b752c-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3--56f92cd9012613402e2a7a61aded0f218d077b8c6345b22922ca7bf1a5c64984-v1.27.0
checksum/config: 2cae63c85a3485c135aebe1472971dd056b1dda42fb54ef2f891bc521e31fc1a-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-56f92cd9012613402e2a7a61aded0f218d077b8c6345b22922ca7bf1a5c64984-v1.27.0
spec:
containers:
- env:
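Review bot: the regenerated `checksum/config` annotation now embeds the literal image reference (`<KEYCLOAK_IMAGE_HERE>`) between the digests where the old value had an empty slot (`--`), so readers must substitute the placeholder in two places and the annotation changes shape with the image name; consider hashing the image reference in the generator like the other components so the annotation stays a fixed sequence of digests.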
@ -805,9 +810,19 @@ spec:
- name: JAVA_OPTS_APPEND # <5>
value: ""
ports:
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
volumeMounts:
- name: keycloak-providers
mountPath: /opt/keycloak/providers
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
readOnly: true
volumes:
- name: keycloak-providers
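Review bot: the `mountPath` change from the `/opt/keycloak/providers` directory to a single-file `subPath` mount deserves a YAML comment: mounting the whole directory would hide the `aws-advanced-jdbc-wrapper.jar` that the Dockerfile in this commit adds under `/opt/keycloak/providers`, and without that note the next editor may revert it. The commented-out `readinessProbe`/`livenessProbe` blocks with `exec` `'true'` are unrelated to the AWS wrapper and, if ever uncommented, turn both probes into no-ops that always report healthy; either drop them from the generated example or explain why they are kept.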


@ -414,7 +414,7 @@ metadata:
spec:
# end::keycloak-ispn[]
hostname:
hostname: keycloak-keycloak.minikube.nip.io
hostname: <KEYCLOAK_URL_HERE>
resources:
requests:
cpu: "2"
@ -424,7 +424,7 @@ spec:
memory: "2250M"
db:
vendor: postgres
url: jdbc:postgresql://postgres:5432/keycloak
url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
poolMinSize: 30 # <1>
poolInitialSize: 30
poolMaxSize: 30
@ -434,23 +434,28 @@ spec:
passwordSecret:
name: keycloak-db-secret
key: password
image: <KEYCLOAK_IMAGE_HERE> # <2>
startOptimized: false # <2>
features:
enabled:
- multi-site # <2>
- multi-site # <3>
transaction:
xaEnabled: false # <4>
# tag::keycloak-ispn[]
additionalOptions:
# end::keycloak-ispn[]
# tag::keycloak-queue-size[]
- name: http-max-queued-requests
value: "1000"
# end::keycloak-queue-size[]
- name: log-console-output
value: json
- name: metrics-enabled # <3>
- name: metrics-enabled # <5>
value: 'true'
- name: http-pool-max-threads # <4>
- name: http-pool-max-threads # <6>
value: "66"
- name: db-driver
value: software.amazon.jdbc.Driver
http:
tlsSecret: keycloak-tls-secret
instances: 3
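Review bot: the same points as for the first generated file apply here: `<KEYCLOAK_URL_HERE>` and `<AWS_AURORA_URL_HERE>` are host placeholders with URL-sounding names, callout `<2>` text in the page still has the unclosed backtick, and `db-driver` is the only changed option without a callout; the two files should also keep their placeholder names identical so a search-and-replace on one page matches the other.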
@ -459,7 +464,7 @@ spec:
podTemplate:
metadata:
annotations:
checksum/config: 299939d6a4cb95660bea957f7baeade00c9a27c83d97497645393afe991b752c-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
checksum/config: 2cae63c85a3485c135aebe1472971dd056b1dda42fb54ef2f891bc521e31fc1a-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
spec:
containers:
- env:
@ -479,9 +484,19 @@ spec:
- name: JAVA_OPTS_APPEND # <5>
value: ""
ports:
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
volumeMounts:
- name: keycloak-providers
mountPath: /opt/keycloak/providers
mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
readOnly: true
volumes:
- name: keycloak-providers
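Review bot: as in the first generated file, the single-file `subPath` mount needs a comment that it avoids shadowing the wrapper jar baked into `/opt/keycloak/providers`, and the commented-out `exec` `'true'` probe blocks should be removed or justified rather than shipped as dead configuration in a published example.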


@ -228,6 +228,7 @@ show server_encoding;
create database keycloak with encoding 'UTF8';
----
[[preparing-keycloak-for-amazon-aurora-postgresql]]
== Preparing for Amazon Aurora PostgreSQL
When using Amazon Aurora PostgreSQL, the https://github.com/awslabs/aws-advanced-jdbc-wrapper[Amazon Web Services JDBC Driver] offers additional features like transfer of database connections when a writer instance changes in a Multi-AZ setup.
@ -244,7 +245,7 @@ A minimal Dockerfile to build an image which can be used with the {project_name}
[source,dockerfile,subs="attributes+"]
----
FROM quay.io/keycloak/keycloak:{containerlabel}
ADD --chown=keycloak:keycloak https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${properties["aws-jdbc-wrapper.version"]}/aws-advanced-jdbc-wrapper-${properties["aws-jdbc-wrapper.version"]}.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar
ADD --chmod=0666 https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${properties["aws-jdbc-wrapper.version"]}/aws-advanced-jdbc-wrapper-${properties["aws-jdbc-wrapper.version"]}.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar
----
+
See the <@links.server id="containers" /> {section} for details on how to build optimized images, and the <@links.operator id="customizing-keycloak" /> {section} on how to run optimized and non-optimized images with the {project_name} Operator.
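Review bot: `--chmod=0666` makes the wrapper jar world-writable inside the image, so any process running as an unprivileged user in the container could overwrite a jar that Keycloak loads onto its classpath; the runtime user only needs to read it, so `--chmod=0644` (or keeping the previous `--chown=keycloak:keycloak`) is the right setting. It is also worth stating next to the Dockerfile that `ADD --chmod` requires BuildKit, whereas the earlier `--chown` form also worked with the legacy builder.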