[Supported in Kublr 1.20.0 and later]
To run Keycloak in HA mode, use the following configuration in the cluster specification:

spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            replicas: 3
            extraEnv: |
              - name: PROXY_ADDRESS_FORWARDING
                value: "true"
              - name: CACHE_OWNERS
                value: "3"

This configuration runs 3 Keycloak replicas, and CACHE_OWNERS=3 makes every replica hold a copy of each cache entry, so the caches are replicated across all of them. As a result you can still authenticate as long as at least one Keycloak instance is alive.
Note that the Keycloak Helm chart automatically adds the following anti-affinity rules:

affinity: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            {{- include "keycloak.selectorLabels" . | nindent 10 }}
          matchExpressions:
            - key: role
              operator: NotIn
              values:
                - test
        topologyKey: kubernetes.io/hostname
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 12 }}
            matchExpressions:
              - key: role
                operator: NotIn
                values:
                  - test
          topologyKey: failure-domain.beta.kubernetes.io/zone

This schedules Keycloak pods on different nodes (required) and tries to spread them across different failure-domain zones (preferred). If you need to override this (for example, on a 1-2 node cluster), set the affinity rules to null (or replace them with your own) in the cluster specification:
spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            affinity: null

Note also that it is highly recommended to run at least 2-3 replicas of the PostgreSQL database that Keycloak uses as its backend.
This can also be configured via the cluster specification as follows:
spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            persistence:
              kubedb:
                replicas: 3
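To confirm that a deployed cluster actually ends up with the replica count, CACHE_OWNERS setting and node/zone spread described above, the following Python snippet (an added example, not part of the Kublr documentation or the Keycloak chart) inspects the pod list as returned by `kubectl get pods -o json` together with a node-to-zone map; the pod and zone data embedded here are constructed samples.

```python
import json

# Constructed sample of what `kubectl get pods -o json` returns for the
# Keycloak pods; only the fields the check needs are included.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "keycloak-0"},
     "spec": {"nodeName": "node-a",
              "containers": [{"name": "keycloak", "env": [
                  {"name": "PROXY_ADDRESS_FORWARDING", "value": "true"},
                  {"name": "CACHE_OWNERS", "value": "3"}]}]}},
    {"metadata": {"name": "keycloak-1"},
     "spec": {"nodeName": "node-b",
              "containers": [{"name": "keycloak", "env": [
                  {"name": "CACHE_OWNERS", "value": "3"}]}]}},
    {"metadata": {"name": "keycloak-2"},
     "spec": {"nodeName": "node-c",
              "containers": [{"name": "keycloak", "env": [
                  {"name": "CACHE_OWNERS", "value": "3"}]}]}},
]})

# Constructed node -> zone map, as read from each node's zone label.
SAMPLE_ZONES = {"node-a": "zone-1", "node-b": "zone-2", "node-c": "zone-1"}


def check_keycloak_ha(pods_json, node_zones):
    """Check the HA properties the cluster specification is meant to give.

    replicas        - number of Keycloak pods found
    nodes_distinct  - True if the required hostname anti-affinity held
    zones_used      - distinct zones the pods landed in (preferred spread,
                      so fewer zones than replicas is a warning, not an error)
    cache_owners_ok - True if every pod's CACHE_OWNERS equals the replica
                      count, i.e. every cache entry lives on every replica
    """
    items = json.loads(pods_json)["items"]
    nodes = [p["spec"]["nodeName"] for p in items]
    zones = {node_zones.get(n, "unknown") for n in nodes}
    owners = []
    for p in items:
        env = {e["name"]: e.get("value")
               for c in p["spec"]["containers"] for e in c.get("env", [])}
        owners.append(env.get("CACHE_OWNERS"))
    return {
        "replicas": len(items),
        "nodes_distinct": len(set(nodes)) == len(nodes),
        "zones_used": len(zones),
        "cache_owners_ok": all(o == str(len(items)) for o in owners),
    }


if __name__ == "__main__":
    print(check_keycloak_ha(SAMPLE_PODS, SAMPLE_ZONES))
```

Run it against real output by replacing SAMPLE_PODS with the JSON from `kubectl get pods -o json` filtered to the Keycloak pods and SAMPLE_ZONES with your nodes' zone labels.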