implement Single site - Sessions stored in external Infinispan

2025-07-29 16:11:34 -07:00 · 2025-06-05 12:02:43 +02:00 · 2025-06-05 12:02:43 +02:00 · bcc961999c
commit bcc961999c
parent 3d4bd734f1
5 changed files with 26 additions and 7 deletions
--- a/molecule/quarkus_ha_remote/converge.yml
+++ b/molecule/quarkus_ha_remote/converge.yml
@ -12,6 +12,7 @@
      infinispan_jdbc_driver_version: 9.4.1212
      infinispan_jdbc_user: keycloak
      infinispan_jdbc_pass: mysecretpass
+      infinispan_bind_address: "{{ ansible_default_ipv4.address }}"
      infinispan_users:
        - { name: 'testuser', password: 'test', roles: 'observer' }

@ -41,9 +42,11 @@
    keycloak_quarkus_db_user: keycloak
    keycloak_quarkus_db_pass: mysecretpass
    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_cache_remote: true
    keycloak_quarkus_cache_remote_username: supervisor
    keycloak_quarkus_cache_remote_password: remembertochangeme
-    keycloak_quarkus_cache_remote_host: "infinispan1:11222"
+    keycloak_quarkus_cache_remote_host: "infinispan1"
+    keycloak_quarkus_cache_remote_port: 11222
    keycloak_quarkus_cache_remote_tls_enabled: false
    keycloak_quarkus_additional_env_vars:
      - key: KC_FEATURES
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@ -147,9 +147,11 @@ Role Defaults

 | Variable | Description | Default |
 |:---------|:------------|:--------|
+|`keycloak_quarkus_cache_remote` | Whether to connect to remote cache infinispan server | `false` |
 |`keycloak_quarkus_cache_remote_username` | Username for connecting to infinispan | `supervisor` |
 |`keycloak_quarkus_cache_remote_password` | Password for connecting to infinispan | `supervisor` |
-|`keycloak_quarkus_cache_remote_host` | host name/port for connecting to infinispan, eg. host1:11222;host2:11222 | `localhost:11222` |
+|`keycloak_quarkus_cache_remote_host` | Hostname for connecting to infinispan | `localhost` |
+|`keycloak_quarkus_cache_remote_port`| Port for connecting to infinispan | `11222` |
 |`keycloak_quarkus_cache_remote_sasl_mechanism` | Infinispan auth mechanism | `SCRAM-SHA-512` |
 |`keycloak_quarkus_cache_remote_tls_enabled` | Whether infinispan uses TLS connection | `false` |

--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@ -139,9 +139,11 @@ keycloak_quarkus_cache_embedded_mtls_trust_store_password: ''

 ### infinispan remote caches access (hotrod)
 # https://www.keycloak.org/server/caching#_remote_cache
+keycloak_quarkus_cache_remote: false
 keycloak_quarkus_cache_remote_username: supervisor
 keycloak_quarkus_cache_remote_password: supervisor
-keycloak_quarkus_cache_remote_host: "localhost:11222"
+keycloak_quarkus_cache_remote_host: localhost
+keycloak_quarkus_cache_remote_port: 11222
 keycloak_quarkus_cache_remote_tls_enabled: false
 keycloak_quarkus_cache_remote_sasl_mechanism: SCRAM-SHA-512

--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@ -255,6 +255,10 @@ argument_specs:
                default: true
                description: "If the server should expose health check endpoints on the management interface"
                type: "bool"
+            keycloak_quarkus_cache_remote:
+                description: "Whether to connect to remote cache infinispan server"
+                default: false
+                type: 'bool'
            keycloak_quarkus_cache_remote_username:
                default: "supervisor"
                description: "Username for connecting to infinispan"
@ -264,8 +268,12 @@ argument_specs:
                description: "Password for connecting to infinispan"
                type: "str"
            keycloak_quarkus_cache_remote_host:
-                default: "localhost:11222"
-                description: "host name/port for connecting to infinispan, eg. host1:11222;host2:11222"
+                default: "localhost"
+                description: "Hostname for connecting to infinispan"
+                type: "str"
+            keycloak_quarkus_cache_remote_port:
+                default: "11222"
+                description: "Port for connecting to infinispan"
                type: "str"
            keycloak_quarkus_cache_remote_sasl_mechanism:
                default: "SCRAM-SHA-512"
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@ -59,8 +59,12 @@ hostname-backchannel-dynamic={{ keycloak_quarkus_hostname_backchannel_dynamic |
 {% if keycloak_quarkus_ha_enabled %}
 cache=ispn
 cache-config-file=cache-ispn.xml
-{% if keycloak_quarkus_ha_enabled and keycloak_quarkus_ha_discovery == 'TCPPING' %}
-# cache-stack=tcp # configured directly in `cache-ispn.xml`
+{% if keycloak_quarkus_cache_remote %}
+cache-remote-username={{ keycloak_quarkus_cache_remote_username }}
+cache-remote-password={{ keycloak_quarkus_cache_remote_password }}
+cache-remote-host={{ keycloak_quarkus_cache_remote_host }}
+cache-remote-port={{ keycloak_quarkus_cache_remote_port }}
+cache-remote-tls-enabled={{ keycloak_quarkus_cache_remote_tls_enabled | lower }}
 {% endif %}
 {% endif %}