implement Single site - Sessions stored in external Infinispan

molecule/quarkus_ha_remote/converge.yml

@@ -12,6 +12,7 @@
       infinispan_jdbc_driver_version: 9.4.1212
       infinispan_jdbc_user: keycloak
       infinispan_jdbc_pass: mysecretpass
+      infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
       infinispan_users:
         - { name: 'testuser', password: 'test', roles: 'observer' }
 
@@ -41,9 +42,11 @@
     keycloak_quarkus_db_user: keycloak
     keycloak_quarkus_db_pass: mysecretpass
     keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_cache_remote: true
     keycloak_quarkus_cache_remote_username: supervisor
     keycloak_quarkus_cache_remote_password: remembertochangeme
-    keycloak_quarkus_cache_remote_host: "infinispan1:11222"
+    keycloak_quarkus_cache_remote_host: "infinispan1"
+    keycloak_quarkus_cache_remote_port: 11222
     keycloak_quarkus_cache_remote_tls_enabled: false
     keycloak_quarkus_additional_env_vars:
       - key: KC_FEATURES

roles/keycloak_quarkus/README.md

@@ -147,9 +147,11 @@ Role Defaults
 
 | Variable | Description | Default |
 |:---------|:------------|:--------|
+|`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` |
 |`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` |
 |`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_cache_remote_host` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
+|`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
 |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |
 

roles/keycloak_quarkus/defaults/main.yml

@@ -139,9 +139,11 @@ keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''
 
 ### infinispan remote caches access (hotrod)
 # https://www.keycloak.org/server/caching#_remote_cache
+keycloak_quarkus_cache_remote: false
 keycloak_quarkus_cache_remote_username: supervisor
 keycloak_quarkus_cache_remote_password: supervisor
-keycloak_quarkus_cache_remote_host: "localhost:11222"
+keycloak_quarkus_cache_remote_host: localhost
+keycloak_quarkus_cache_remote_port: 11222
 keycloak_quarkus_cache_remote_tls_enabled: false
 keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512
 

roles/keycloak_quarkus/meta/argument_specs.yml

@@ -255,6 +255,10 @@ argument_specs:
                 default: true
                 description: "If the server should expose health check endpoints on the management interface"
                 type: "bool"
+            keycloak_quarkus_cache_remote:
+                description: "Whether to connect to remote cache infinispan server"
+                default: false
+                type: 'bool'
             keycloak_quarkus_cache_remote_username:
                 default: "supervisor"
                 description: "Username for connecting to infinispan"
@@ -264,8 +268,12 @@ argument_specs:
                 description: "Password for connecting to infinispan"
                 type: "str"
             keycloak_quarkus_cache_remote_host:
-                default: "localhost:11222"
+                default: "localhost"
-                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
+                description: "Hostname for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_cache_remote_port:
+                default: "11222"
+                description: "Port for connecting to infinispan"
                 type: "str"
             keycloak_quarkus_cache_remote_sasl_mechanism:
                 default: "SCRAM-SHA-512"

roles/keycloak_quarkus/templates/keycloak.conf.j2

@@ -59,8 +59,12 @@ hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic |
 {% if keycloak_quarkus_ha_enabled %}
 cache=ispn
 cache-config-file=cache-ispn.xml
-{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
+{% if keycloak_quarkus_cache_remote %}
-# cache-stack=tcp # configured directly in `cache-ispn.xml`
+cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
+cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
+cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
+cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
+cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
 {% endif %}
 {% endif %}