From 3de96a6666131d5ba808e3fb8043fed9c1ad39ad Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Thu, 29 May 2025 21:37:11 +0200
Subject: [PATCH] single site remote cache

---
 molecule/quarkus_ha_remote/converge.yml | 5 ++++
 roles/keycloak_quarkus/defaults/main.yml | 38 ++++++++++++++++++++----
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/molecule/quarkus_ha_remote/converge.yml b/molecule/quarkus_ha_remote/converge.yml
index e31ad72..8df6679 100644
--- a/molecule/quarkus_ha_remote/converge.yml
+++ b/molecule/quarkus_ha_remote/converge.yml
@@ -45,5 +45,10 @@
     keycloak_quarkus_cache_remote_password: remembertochangeme
     keycloak_quarkus_cache_remote_host: "infinispan1:11222"
     keycloak_quarkus_cache_remote_tls_enabled: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES
+        value: clusterless
+      - key: KC_FEATURES_DISABLED
+        value: persistent-user-sessions
   roles:
     - role: keycloak_quarkus
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index ee12214..0858def 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -38,14 +38,21 @@ keycloak_quarkus_http_enabled: true
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
 keycloak_quarkus_http_management_port: 9000
-keycloak_quarkus_jgroups_ip: "{{ ansible_default_ipv4.address }}"
 keycloak_quarkus_jgroups_port: 7800
+keycloak_quarkus_jgroups_bind_address: "{{ ansible_default_ipv4.address }}"
+keycloak_quarkus_jgroups_external_addr: "{{ keycloak_quarkus_jgroups_bind_address }}"
+keycloak_quarkus_jgroups_external_port: "{{ keycloak_quarkus_jgroups_port }}"
 keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx2048m"
-keycloak_quarkus_java_jvm_opts: "-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
+keycloak_quarkus_java_jvm_opts: >
+  -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
   -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError
   -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4
-  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512"
-keycloak_quarkus_java_opts: "{{ keycloak_quarkus_java_heap_opts + ' ' + keycloak_quarkus_java_jvm_opts }}"
+  -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512
+keycloak_quarkus_jgroups_opts: >
+  -Djgroups.bind.address={{ keycloak_quarkus_jgroups_bind_address }}
+  -Djgroups.external_port={{ keycloak_quarkus_jgroups_external_port }}
+  -Djgroups.external_addr={{ keycloak_quarkus_jgroups_external_addr }}
+keycloak_quarkus_java_opts: "{{ ' '.join(keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts }}"
 keycloak_quarkus_additional_env_vars: []
 
 ### TLS/HTTPS configuration
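Review bot: The new `keycloak_quarkus_java_opts` value does not template: `' '.join(...)` is missing its closing parenthesis, and `str.join` takes a single iterable rather than three arguments, so Ansible raises a Jinja error the first time the role dereferences the variable. Replace it with `keycloak_quarkus_java_opts: "{{ [keycloak_quarkus_jgroups_opts, keycloak_quarkus_java_heap_opts, keycloak_quarkus_java_jvm_opts] | join(' ') }}"`. The two folded scalars `keycloak_quarkus_java_jvm_opts: >` and `keycloak_quarkus_jgroups_opts: >` keep a trailing newline that then lands inside the joined option string; `>-` strips it. The removed `keycloak_quarkus_jgroups_ip` is in effect renamed to `keycloak_quarkus_jgroups_bind_address`, so any template or inventory still referencing the old name (not visible in this diff) will hit an undefined variable; a deprecation alias or a changelog line would soften that.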
@@ -86,7 +93,7 @@ keycloak_quarkus_hostname_admin:
 ### Set the path relative to / for serving resources. The path must start with a /
 ### (set to `/auth` for retrocompatibility with pre-quarkus releases)
 keycloak_quarkus_http_relative_path: /
-
+f
 # Disables dynamically resolving the hostname from request headers.
 # Should always be set to true in production, unless proxy verifies the Host header.
 keycloak_quarkus_hostname_strict: true
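Review bot: The added line `f` after `keycloak_quarkus_http_relative_path: /` is a stray keystroke that replaces the blank line and leaves defaults/main.yml invalid YAML (a top-level plain scalar with no `:`), so every play that includes the role fails while loading its defaults. Restore the blank line by dropping the `f`.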
@@ -110,7 +117,28 @@ keycloak_quarkus_spi_sticky_session_encoder_infinispan_should_attach_route: true
 keycloak_quarkus_metrics_enabled: false
 keycloak_quarkus_health_enabled: true
 
+### caches; must read: https://www.keycloak.org/2024/12/storing-sessions-in-kc26
+### embedded caches
+# https://www.keycloak.org/server/caching
+keycloak_quarkus_cache_metrics_enabled: false
+keycloak_quarkus_cache_embedded_authorization_max_count:
+keycloak_quarkus_cache_embedded_client_sessions_max_count:
+keycloak_quarkus_cache_embedded_crl_max_count:
+keycloak_quarkus_cache_embedded_keys_max_count:
+keycloak_quarkus_cache_embedded_offline_client_sessions_max_count:
+keycloak_quarkus_cache_embedded_offline_sessions_max_count:
+keycloak_quarkus_cache_embedded_realms_max_count:
+keycloak_quarkus_cache_embedded_sessions_max_count:
+keycloak_quarkus_cache_embedded_users_max_count:
+keycloak_quarkus_cache_embedded_mtls_enabled: true
+keycloak_quarkus_cache_embedded_mtls_key_store_file: "{{ keycloak.home }}/conf/cache_key_store.p12"
+keycloak_quarkus_cache_embedded_mtls_key_store_password: ''
+keycloak_quarkus_cache_embedded_mtls_rotation_interval_days: 30
+keycloak_quarkus_cache_embedded_mtls_trust_store_file: "{{ keycloak.home }}/conf/cache_trust_store.p12"
+keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''
+
 ### infinispan remote caches access (hotrod)
+# https://www.keycloak.org/server/caching#_remote_cache
 keycloak_quarkus_cache_remote_username: supervisor
 keycloak_quarkus_cache_remote_password: supervisor
 keycloak_quarkus_cache_remote_host: "localhost:11222"
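Review bot: The nine `keycloak_quarkus_cache_embedded_*_max_count` keys are left with bare empty values, which YAML parses as null, so a template that renders them unguarded writes the literal `None` into the server configuration; write `null` explicitly with a comment such as `# null: keep Keycloak's built-in limit for this cache`, or leave the keys commented out until a value is chosen. The same hunk turns on embedded-cache mTLS by default while `keycloak_quarkus_cache_embedded_mtls_key_store_password` and `keycloak_quarkus_cache_embedded_mtls_trust_store_password` default to `''`; whether the role generates those stores or expects pre-provisioned ones is not visible here, but either way they are credentials and need a comment telling deployers to override them, e.g. `# placeholder only: set both store passwords from a vault before enabling mTLS in production`.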