Keycloak standalone cluster on Cloud Foundry

Submitted by a 夏天 on 2019-12-18 05:26:10

Question


How to configure Keycloak standalone cluster on Cloud Foundry?

I tried to use docker image jboss/keycloak:4.5.0.Final with internal routing:

  • env:
    • JGROUPS_DISCOVERY_PROTOCOL: dns.DNS_PING
    • JGROUPS_DISCOVERY_PROPERTIES: dns_query=keycloak-cluster-poc.apps.internal
  • all udp and tcp ports between app instances opened:
    cf add-network-policy keycloak-cluster-poc --destination-app keycloak-cluster-poc --protocol tcp/udp --port 1-65535
    

It's not working. Should I expose additional ports?

<socket-binding name="jgroups-mping" interface="private" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
<socket-binding name="jgroups-tcp" interface="private" port="7600"/>
<socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
<socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>

Answer 1:


I finally found the answer to my own question.

Go to this keycloak4cf repo if you are looking for a quick solution.


Main problems that I had to face:

Keycloak minimal version

Use the jboss/keycloak:5.0.0 or newer/latest

There was a hardcoded .svc.cluster.local DNS query suffix, removed with JGRP-2295.

This fix was released in JGroups 4.0.15.Final, which is used in Infinispan Core 9.4.0.Final, released with Keycloak 5.0.0 (which includes infinispan-core 9.4.3.Final).

Clustering

Clustering has to be done with TCP instead of multicast UDP (there is no multicast on Cloud Foundry - thank you @DanielMikusa for the tip).

To change this config use dns.DNS_PING.cli:

embed-server --server-config=standalone-ha.xml --std-out=echo
batch
/subsystem=jgroups:write-attribute(name=default-stack,value=tcp)
/subsystem=jgroups/channel=ee:write-attribute(name=stack,value=tcp)
/subsystem=jgroups/stack=udp/protocol=PING:remove()
/subsystem=jgroups/stack=udp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
/subsystem=jgroups/stack=tcp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
run-batch
stop-embedded-server

Add network policy to allow connections between cluster nodes:

cf add-network-policy keycloak-cluster-poc --destination-app keycloak-cluster-poc --protocol tcp --port 7600
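
As an added example (not code from the post above or from the keycloak4cf repo), the following POSIX sh script assembles the pieces of the answer into something that can be run at deploy time: it renders the dns.DNS_PING.cli batch for given JGROUPS_DISCOVERY_PROTOCOL / JGROUPS_DISCOVERY_PROPERTIES values, checks that the image tag is 5.0.0 or newer (the JGRP-2295 fix), and builds a container-to-container policy limited to the jgroups-tcp port instead of the 1-65535 range tried in the question. The `{key="value"}` object-literal form for the protocol `properties` attribute, the "major version 5 or newer" rule, and all function names are assumptions made here, not taken from the Keycloak image's own scripts.

```shell
#!/bin/sh
# Added example: deploy-time helpers for a Keycloak TCP cluster on Cloud Foundry.
# Nothing here talks to jboss-cli or cf; the functions produce the script and
# command text that you then feed to jboss-cli.sh --file=... and to cf.

# Convert "k1=v1,k2=v2" (the JGROUPS_DISCOVERY_PROPERTIES format) into the
# JBoss CLI object literal {k1="v1",k2="v2"}. Assumption: this literal syntax is
# what the protocol 'properties' attribute expects. Runs in a subshell so the
# IFS change does not leak.
jgroups_properties_map() (
    out=""
    IFS=','
    for kv in $1; do
        case "$kv" in
            *=*) ;;
            *) echo "jgroups_properties_map: '$kv' is not key=value" >&2; exit 1 ;;
        esac
        out="${out:+$out,}${kv%%=*}=\"${kv#*=}\""
    done
    printf '{%s}\n' "$out"
)

# Render the CLI batch from the answer with the discovery protocol and its
# properties substituted (PING/MPING removed, default stack switched to tcp).
render_cluster_cli() {
    proto="$1"
    map=$(jgroups_properties_map "$2") || return 1
    cat <<EOF
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
/subsystem=jgroups:write-attribute(name=default-stack,value=tcp)
/subsystem=jgroups/channel=ee:write-attribute(name=stack,value=tcp)
/subsystem=jgroups/stack=udp/protocol=PING:remove()
/subsystem=jgroups/stack=udp/protocol=$proto:add(add-index=0, properties=$map)
/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
/subsystem=jgroups/stack=tcp/protocol=$proto:add(add-index=0, properties=$map)
run-batch
stop-embedded-server
EOF
}

# True when the image tag is new enough for DNS_PING without the hardcoded
# .svc.cluster.local suffix. Assumption: major version >= 5 is the cut-off
# (the answer says 5.0.0 ships the fixed JGroups); an untagged or :latest
# image is treated as current.
keycloak_image_has_dns_ping_fix() {
    tag="${1##*:}"                      # "5.0.0", "4.5.0.Final", "latest"
    case "$tag" in
        latest|"$1") return 0 ;;        # ":latest" or no tag at all
    esac
    major="${tag%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "cannot parse a version from '$1'" >&2; return 1 ;;
    esac
    [ "$major" -ge 5 ]
}

# Least-privilege container-to-container policy: app to itself, TCP only, and
# only the jgroups-tcp port (7600 in standalone-ha.xml). A port range such as
# 1-65535 is refused because it exposes every listener on every instance to
# every other instance, far more than the cluster needs.
cf_cluster_policy() {
    app="$1"
    port="${2:-7600}"
    case "$port" in
        *-*) echo "refusing port range '$port': open only the jgroups-tcp port" >&2; return 1 ;;
    esac
    printf 'cf add-network-policy %s --destination-app %s --protocol tcp --port %s\n' \
        "$app" "$app" "$port"
}

# Example usage (constructed values matching the question):
#   keycloak_image_has_dns_ping_fix jboss/keycloak:5.0.0 || exit 1
#   render_cluster_cli dns.DNS_PING "dns_query=keycloak-cluster-poc.apps.internal" > dns.DNS_PING.cli
#   cf_cluster_policy keycloak-cluster-poc 7600
```

The rendered batch is the same one shown in the answer; the only moving parts are the protocol name and the properties map, which is why the helper validates the `key=value` shape before it reaches jboss-cli.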


Source: https://stackoverflow.com/questions/55851758/keycloak-standalone-cluster-on-cloud-foundry
