[Supported in Kublr 1.20.0 and later]



To run Keycloak in HA mode, use the following configuration in the cluster specification:

spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            replicas: 3
            extraEnv:  |
              - name: PROXY_ADDRESS_FORWARDING
                value: "true"
              - name: CACHE_OWNERS
                value: "3"


This configuration runs 3 replicas of Keycloak, with all caches shared among them. In this case you will be able to authenticate even if only one of the Keycloak replicas is alive.


Note that the Keycloak Helm chart automatically adds the following anti-affinity rules:

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 10 }}
            matchExpressions:
              - key: role
                operator: NotIn
                values:
                  - test
          topologyKey: kubernetes.io/hostname
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                {{- include "keycloak.selectorLabels" . | nindent 12 }}
              matchExpressions:
                - key: role
                  operator: NotIn
                  values:
                    - test
            topologyKey: failure-domain.beta.kubernetes.io/zone


These rules schedule Keycloak pods on different nodes and try to place them in different failure-domain zones. If you want to override them (e.g. you have a 1-2 node cluster), nullify the affinity rules (or replace them with your own) in the cluster specification:

spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            affinity: null


Note also that it is highly recommended to run at least 2-3 replicas of the PostgreSQL database that Keycloak uses as a backend.

This can also be configured via the cluster specification as follows:

spec:
  features:
    controlPlane:
      ...
      values:
        app-keycloak:
          keycloak:
            persistence:
              kubedb:
                replicas: 3
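
The settings above depend on each other and on the number of nodes in the cluster. The following check is an added example, not part of Kublr or the Keycloak chart: it takes the `app-keycloak.keycloak` values as an already-parsed dictionary plus a node count. The function names and finding texts are hypothetical, and the CACHE_OWNERS rule is derived from the statement above that all replicas share all caches.

```python
import re

def parse_extra_env(block):
    """Parse the extraEnv block string (simple '- name/value' form only) into a dict."""
    pairs = re.findall(r'-\s*name:\s*(\S+)\s*\n\s*value:\s*"?([^"\n]*)"?', block or "")
    return {name: value.strip() for name, value in pairs}

def check_keycloak_ha(keycloak, node_count):
    """Return findings for the app-keycloak.keycloak values; an empty list means consistent."""
    findings = []
    replicas = int(keycloak.get("replicas") or 0)
    if replicas < 2:
        findings.append("replicas is not set to at least 2")
    owners = int(parse_extra_env(keycloak.get("extraEnv")).get("CACHE_OWNERS") or 0)
    if owners < replicas:
        findings.append("CACHE_OWNERS < replicas: not every replica holds every cache entry")
    # Without an 'affinity' key the chart's required per-hostname anti-affinity applies.
    if "affinity" not in keycloak and replicas > node_count:
        findings.append(f"{replicas - node_count} pod(s) cannot be scheduled: one pod per node")
    elif keycloak.get("affinity", "") is None and node_count >= replicas > 1:
        findings.append("affinity nullified: replicas may share a node although nodes suffice")
    db = keycloak.get("persistence", {}).get("kubedb", {}).get("replicas")
    if int(db or 0) < 2:
        findings.append("persistence.kubedb.replicas is not set to at least 2")
    return findings

# Constructed sample: the values from this page merged, as parsed from the cluster spec.
PAGE_VALUES = {
    "replicas": 3,
    "extraEnv": '- name: PROXY_ADDRESS_FORWARDING\n  value: "true"\n'
                '- name: CACHE_OWNERS\n  value: "3"\n',
    "persistence": {"kubedb": {"replicas": 3}},
}

if __name__ == "__main__":
    print(check_keycloak_ha(PAGE_VALUES, node_count=3))             # consistent
    print(check_keycloak_ha(PAGE_VALUES, node_count=2))             # third pod has no node
    print(check_keycloak_ha({**PAGE_VALUES, "affinity": None}, 2))  # override from this page
```

On a 2-node cluster the unmodified values leave one replica without a node, which is the case the `affinity: null` override addresses.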