Document using AWS JDBC Wrapper in HA guide

Closes #27211

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Michal Hajas 2024-02-26 13:15:04 +01:00 committed by GitHub
parent 03f6cda85a
commit eadd1c45c4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 59 additions and 22 deletions


@ -54,7 +54,7 @@ include::partials/aurora/aurora-verify-peering-connections.adoc[]
Now that an Aurora database has been established and linked with all of your ROSA clusters, the next step is to deploy {project_name} as described in the <@links.ha id="deploy-keycloak-kubernetes" /> {section} with the JDBC url configured to use the Aurora database writer endpoint. Now that an Aurora database has been established and linked with all of your ROSA clusters, the next step is to deploy {project_name} as described in the <@links.ha id="deploy-keycloak-kubernetes" /> {section} with the JDBC url configured to use the Aurora database writer endpoint.
To do this, create a `{project_name}` CR with the following adjustments: To do this, create a `{project_name}` CR with the following adjustments:
. Update `spec.db.url` to be `jdbc:postgresql://$HOST:5432/keycloak` where `$HOST` is the . Update `spec.db.url` to be `jdbc:aws-wrapper:postgresql://$HOST:5432/keycloak` where `$HOST` is the
<<aurora-writer-url, Aurora writer endpoint URL>>. <<aurora-writer-url, Aurora writer endpoint URL>>.
. Ensure that the Secrets referenced by `spec.db.usernameSecret` and `spec.db.passwordSecret` contain usernames and passwords defined when creating Aurora. . Ensure that the Secrets referenced by `spec.db.usernameSecret` and `spec.db.passwordSecret` contain usernames and passwords defined when creating Aurora.
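Review bot: The step that changes `spec.db.url` to `jdbc:aws-wrapper:postgresql://$HOST:5432/keycloak` is missing the other settings this URL scheme depends on. The CR example in this same commit also sets `image`, `transaction.xaEnabled: false` and the `db-driver` option (`software.amazon.jdbc.Driver`), and the server guide builds a custom image that contains the wrapper JAR. Add a step here, or a cross-reference to the "Preparing for Amazon Aurora PostgreSQL" section, so a reader who follows only this list also configures the image and the driver.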


@ -22,6 +22,10 @@ Use it together with the other building blocks outlined in the <@links.ha id="bb
. Install the {project_name} Operator as described in the <@links.operator id="installation" /> {section}. . Install the {project_name} Operator as described in the <@links.operator id="installation" /> {section}.
. Deploy Aurora AWS as described in the <@links.ha id="deploy-aurora-multi-az" /> {section}.
. Build a custom {project_name} image which is link:{links_server_db_url}#preparing-keycloak-for-amazon-aurora-postgresql[prepared for usage with the Amazon Aurora PostgreSQL database].
. Deploy the {project_name} CR with the following values with the resource requests and limits calculated in the first step: . Deploy the {project_name} CR with the following values with the resource requests and limits calculated in the first step:
+ +
[source,yaml] [source,yaml]
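Review bot: Style point on the added step `Deploy Aurora AWS as described in ...`: the product is named "Aurora AWS" here and "Amazon Aurora PostgreSQL database" in the step added right after it. Use the same name in both steps, for example "Deploy Amazon Aurora as described in ...".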
@ -32,11 +36,13 @@ include::examples/generated/keycloak.yaml[tag=keycloak]
Adjust this number to meet the needs of your system. Adjust this number to meet the needs of your system.
As most requests will not touch the database due to the {project_name} embedded cache, this change can server several hundreds of requests per second. As most requests will not touch the database due to the {project_name} embedded cache, this change can server several hundreds of requests per second.
See the <@links.ha id="concepts-database-connections" /> {section} for details. See the <@links.ha id="concepts-database-connections" /> {section} for details.
<2> Enable additional features for multi-site support like the loadbalancer probe `/lb-check`. <2> Specify the URL to your custom {project_name} image. If your image is optimized, set the `startOptimized` flag to `true.
<3> To be able to analyze the system under load, enable the metrics endpoint. <3> Enable additional features for multi-site support like the loadbalancer probe `/lb-check`.
<4> XA transactions are not supported by the https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/[Amazon Web Services JDBC Driver].
<5> To be able to analyze the system under load, enable the metrics endpoint.
The disadvantage of the setting is that the metrics will be available at the external {project_name} endpoint, so you must add a filter so that the endpoint is not available from the outside. The disadvantage of the setting is that the metrics will be available at the external {project_name} endpoint, so you must add a filter so that the endpoint is not available from the outside.
Use a reverse proxy in front of {project_name} to filter out those URLs. Use a reverse proxy in front of {project_name} to filter out those URLs.
<4> The default setting for the internal JGroup thread pools is 200 threads maximum. <6> The default setting for the internal JGroup thread pools is 200 threads maximum.
The number of all {project_name} threads in the StatefulSet should not exceed the number of JGroup threads to avoid a JGroup thread pool exhaustion which could stall {project_name} request processing. The number of all {project_name} threads in the StatefulSet should not exceed the number of JGroup threads to avoid a JGroup thread pool exhaustion which could stall {project_name} request processing.
You might consider limiting the number of {project_name} threads further because multiple concurrent threads will lead to throttling by Kubernetes once the requested CPU limit is reached. You might consider limiting the number of {project_name} threads further because multiple concurrent threads will lead to throttling by Kubernetes once the requested CPU limit is reached.
See the <@links.ha id="concepts-threads" /> {section} for details. See the <@links.ha id="concepts-threads" /> {section} for details.
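Review bot: The new `<2>` callout ends with an opening backtick before `true.` that is never closed, so the inline code span will not render as intended; close it after `true`. The new `<4>` callout states only that XA transactions are not supported by the driver. Say what the reader has to do about it (the example sets `xaEnabled: false`), and consider linking to the repository page, as the server guide does, instead of `/releases/`.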


@ -720,7 +720,7 @@ metadata:
spec: spec:
# end::keycloak-ispn[] # end::keycloak-ispn[]
hostname: hostname:
hostname: keycloak-keycloak.minikube.nip.io hostname: <KEYCLOAK_URL_HERE>
resources: resources:
requests: requests:
memory: "1024M" memory: "1024M"
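Review bot: The placeholder `<KEYCLOAK_URL_HERE>` under `hostname.hostname` is named as a URL, but the value it replaces (`keycloak-keycloak.minikube.nip.io`) is a bare host name. A reader who pastes a full `https://...` URL here will not match what the field held before. Rename the placeholder to something like `<KEYCLOAK_HOSTNAME_HERE>`.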
@ -728,7 +728,7 @@ spec:
memory: "1024M" memory: "1024M"
db: db:
vendor: postgres vendor: postgres
url: jdbc:postgresql://postgres:5432/keycloak url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
poolMinSize: 15 # <1> poolMinSize: 15 # <1>
poolInitialSize: 15 poolInitialSize: 15
poolMaxSize: 15 poolMaxSize: 15
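Review bot: In the `url:` line, the placeholder `<AWS_AURORA_URL_HERE>` sits in the host position of the JDBC URL, while the Aurora guide changed in this commit writes the same URL with `$HOST` and defines it as the Aurora writer endpoint. Use one placeholder convention in both places, and name it after the endpoint host so it is clear that no scheme or port belongs in it.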
@ -738,28 +738,31 @@ spec:
passwordSecret: passwordSecret:
name: keycloak-db-secret name: keycloak-db-secret
key: password key: password
image: <KEYCLOAK_IMAGE_HERE> # <2>
startOptimized: false # <2>
features: features:
enabled: enabled:
- multi-site # <2> - multi-site # <3>
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
cache: cache:
configMapFile: configMapFile:
name: kcb-infinispan-cache-config # <1> name: kcb-infinispan-cache-config # <1>
key: kcb-infinispan-cache-remote-store-config.xml # <1> key: kcb-infinispan-cache-remote-store-config.xml # <1>
# end::keycloak-ispn[] # end::keycloak-ispn[]
transaction:
xaEnabled: false # <4>
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
additionalOptions: additionalOptions:
# end::keycloak-ispn[] # end::keycloak-ispn[]
# tag::keycloak-queue-size[] # tag::keycloak-queue-size[]
- name: http-max-queued-requests - name: http-max-queued-requests
value: "1000" value: "1000"
# end::keycloak-queue-size[] # end::keycloak-queue-size[]
- name: log-console-output - name: log-console-output
value: json value: json
- name: metrics-enabled # <3> - name: metrics-enabled # <5>
value: 'true' value: 'true'
- name: http-pool-max-threads # <4> - name: http-pool-max-threads # <6>
value: "200" value: "200"
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
- name: remote-store-host # <2> - name: remote-store-host # <2>
@ -777,6 +780,8 @@ spec:
- name: spi-connections-infinispan-quarkus-site-name # <4> - name: spi-connections-infinispan-quarkus-site-name # <4>
value: keycloak value: keycloak
# end::keycloak-ispn[] # end::keycloak-ispn[]
- name: db-driver
value: software.amazon.jdbc.Driver
http: http:
tlsSecret: keycloak-tls-secret tlsSecret: keycloak-tls-secret
instances: 1 instances: 1
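Review bot: The added `db-driver` option with value `software.amazon.jdbc.Driver` has no callout, while the other Aurora-related additions in this file (`image`, `xaEnabled`) do. Add a callout marker on this line and a matching entry in the guide that says why the driver has to be set when the `jdbc:aws-wrapper:` URL is used.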
@ -785,7 +790,7 @@ spec:
podTemplate: podTemplate:
metadata: metadata:
annotations: annotations:
checksum/config: 299939d6a4cb95660bea957f7baeade00c9a27c83d97497645393afe991b752c-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3--56f92cd9012613402e2a7a61aded0f218d077b8c6345b22922ca7bf1a5c64984-v1.27.0 checksum/config: 2cae63c85a3485c135aebe1472971dd056b1dda42fb54ef2f891bc521e31fc1a-4832924b47210161956e3b1718daf07ff52d801545186a76c391485eaf1897d3-<KEYCLOAK_IMAGE_HERE>-56f92cd9012613402e2a7a61aded0f218d077b8c6345b22922ca7bf1a5c64984-v1.27.0
spec: spec:
containers: containers:
- env: - env:
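Review bot: The new `checksum/config` value contains the literal text `<KEYCLOAK_IMAGE_HERE>` between two of the hashes, so the placeholder substitution applied to the `image:` field has also rewritten part of this annotation. The annotation is generated output and no longer reflects a real value. Restrict the replacement to the `image:` field, or leave this annotation out of the published example.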
@ -805,9 +810,19 @@ spec:
- name: JAVA_OPTS_APPEND # <5> - name: JAVA_OPTS_APPEND # <5>
value: "" value: ""
ports: ports:
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
volumeMounts: volumeMounts:
- name: keycloak-providers - name: keycloak-providers
mountPath: /opt/keycloak/providers mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
readOnly: true readOnly: true
volumes: volumes:
- name: keycloak-providers - name: keycloak-providers
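Review bot: The added block after `ports:` is a pair of commented-out `readinessProbe` and `livenessProbe` definitions whose command is `'true'`. Commented-out configuration in a generated example gives no hint of when it should be enabled, and a probe that always succeeds would hide an unhealthy pod if someone uncomments it. Remove the block, or add a comment that states what it is for.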


@ -414,7 +414,7 @@ metadata:
spec: spec:
# end::keycloak-ispn[] # end::keycloak-ispn[]
hostname: hostname:
hostname: keycloak-keycloak.minikube.nip.io hostname: <KEYCLOAK_URL_HERE>
resources: resources:
requests: requests:
cpu: "2" cpu: "2"
@ -424,7 +424,7 @@ spec:
memory: "2250M" memory: "2250M"
db: db:
vendor: postgres vendor: postgres
url: jdbc:postgresql://postgres:5432/keycloak url: jdbc:aws-wrapper:postgresql://<AWS_AURORA_URL_HERE>:5432/keycloak
poolMinSize: 30 # <1> poolMinSize: 30 # <1>
poolInitialSize: 30 poolInitialSize: 30
poolMaxSize: 30 poolMaxSize: 30
@ -434,23 +434,28 @@ spec:
passwordSecret: passwordSecret:
name: keycloak-db-secret name: keycloak-db-secret
key: password key: password
image: <KEYCLOAK_IMAGE_HERE> # <2>
startOptimized: false # <2>
features: features:
enabled: enabled:
- multi-site # <2> - multi-site # <3>
transaction:
xaEnabled: false # <4>
# tag::keycloak-ispn[] # tag::keycloak-ispn[]
additionalOptions: additionalOptions:
# end::keycloak-ispn[] # end::keycloak-ispn[]
# tag::keycloak-queue-size[] # tag::keycloak-queue-size[]
- name: http-max-queued-requests - name: http-max-queued-requests
value: "1000" value: "1000"
# end::keycloak-queue-size[] # end::keycloak-queue-size[]
- name: log-console-output - name: log-console-output
value: json value: json
- name: metrics-enabled # <3> - name: metrics-enabled # <5>
value: 'true' value: 'true'
- name: http-pool-max-threads # <4> - name: http-pool-max-threads # <6>
value: "66" value: "66"
- name: db-driver
value: software.amazon.jdbc.Driver
http: http:
tlsSecret: keycloak-tls-secret tlsSecret: keycloak-tls-secret
instances: 3 instances: 3
@ -459,7 +464,7 @@ spec:
podTemplate: podTemplate:
metadata: metadata:
annotations: annotations:
checksum/config: 299939d6a4cb95660bea957f7baeade00c9a27c83d97497645393afe991b752c-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1--01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0 checksum/config: 2cae63c85a3485c135aebe1472971dd056b1dda42fb54ef2f891bc521e31fc1a-34c125a6d541ad11d915b6d4f128a9281329070f67d06de917c9c3201e9326c1-<KEYCLOAK_IMAGE_HERE>-01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b-v1.27.0
spec: spec:
containers: containers:
- env: - env:
@ -479,9 +484,19 @@ spec:
- name: JAVA_OPTS_APPEND # <5> - name: JAVA_OPTS_APPEND # <5>
value: "" value: ""
ports: ports:
# end::keycloak[]
# readinessProbe:
# exec:
# command:
# - 'true'
# livenessProbe:
# exec:
# command:
# - 'true'
volumeMounts: volumeMounts:
- name: keycloak-providers - name: keycloak-providers
mountPath: /opt/keycloak/providers mountPath: /opt/keycloak/providers/keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
subPath: keycloak-benchmark-dataset-0.12-SNAPSHOT.jar
readOnly: true readOnly: true
volumes: volumes:
- name: keycloak-providers - name: keycloak-providers
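Review bot: The `mountPath` and `subPath` lines now hard-code `keycloak-benchmark-dataset-0.12-SNAPSHOT.jar`, and the reason for switching from a directory mount to a single-file mount is not recorded. The Dockerfile in this commit places the wrapper JAR in `/opt/keycloak/providers`, which a mount over the whole directory would hide. Add a short YAML comment that says so, and derive the file name from the build version so the example does not go stale on the next version bump.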


@ -228,6 +228,7 @@ show server_encoding;
create database keycloak with encoding 'UTF8'; create database keycloak with encoding 'UTF8';
---- ----
[[preparing-keycloak-for-amazon-aurora-postgresql]]
== Preparing for Amazon Aurora PostgreSQL == Preparing for Amazon Aurora PostgreSQL
When using Amazon Aurora PostgreSQL, the https://github.com/awslabs/aws-advanced-jdbc-wrapper[Amazon Web Services JDBC Driver] offers additional features like transfer of database connections when a writer instance changes in a Multi-AZ setup. When using Amazon Aurora PostgreSQL, the https://github.com/awslabs/aws-advanced-jdbc-wrapper[Amazon Web Services JDBC Driver] offers additional features like transfer of database connections when a writer instance changes in a Multi-AZ setup.
@ -244,7 +245,7 @@ A minimal Dockerfile to build an image which can be used with the {project_name}
[source,dockerfile,subs="attributes+"] [source,dockerfile,subs="attributes+"]
---- ----
FROM quay.io/keycloak/keycloak:{containerlabel} FROM quay.io/keycloak/keycloak:{containerlabel}
ADD --chown=keycloak:keycloak https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${properties["aws-jdbc-wrapper.version"]}/aws-advanced-jdbc-wrapper-${properties["aws-jdbc-wrapper.version"]}.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar ADD --chmod=0666 https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${properties["aws-jdbc-wrapper.version"]}/aws-advanced-jdbc-wrapper-${properties["aws-jdbc-wrapper.version"]}.jar /opt/keycloak/providers/aws-advanced-jdbc-wrapper.jar
---- ----
+ +
See the <@links.server id="containers" /> {section} for details on how to build optimized images, and the <@links.operator id="customizing-keycloak" /> {section} on how to run optimized and non-optimized images with the {project_name} Operator. See the <@links.server id="containers" /> {section} for details on how to build optimized images, and the <@links.operator id="customizing-keycloak" /> {section} on how to run optimized and non-optimized images with the {project_name} Operator.
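Review bot: In the `ADD` line, `--chmod=0666` makes the wrapper JAR in `/opt/keycloak/providers` writable by every user in the container, and this is code the server loads at startup. Read access is all that is needed: a file fetched from a URL by `ADD` is created with mode 600, so `--chmod=0644` is enough for the `keycloak` user to read it after `--chown=keycloak:keycloak` was dropped. Since the JAR is downloaded at build time, also consider pinning its digest with `ADD --checksum=sha256:...` so a changed release asset fails the build.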