diff --git a/.github/styles/config/vocabularies/Base/accept.txt b/.github/styles/config/vocabularies/Base/accept.txt
index da45452b9f..6f5a8bd1c6 100644
--- a/.github/styles/config/vocabularies/Base/accept.txt
+++ b/.github/styles/config/vocabularies/Base/accept.txt
@@ -4,6 +4,7 @@ CRD
 Ceph
 Glance
 JWT
+Keycloak
 Manila
 MySQL
 Nova
diff --git a/molecule/aio/group_vars/all/molecule.yml b/molecule/aio/group_vars/all/molecule.yml
index a9be84db52..f3155e235e 100644
--- a/molecule/aio/group_vars/all/molecule.yml
+++ b/molecule/aio/group_vars/all/molecule.yml
@@ -37,6 +37,9 @@ percona_xtradb_cluster_spec:
 haproxy:
 size: 1
 
+keycloak_helm_values:
+ replicaCount: 2
+
 keystone_helm_values:
 conf:
 keystone:
diff --git a/releasenotes/notes/scale-keycloak-552cac827abf1f73.yaml b/releasenotes/notes/scale-keycloak-552cac827abf1f73.yaml
new file mode 100644
index 0000000000..b2ce170a50
--- /dev/null
+++ b/releasenotes/notes/scale-keycloak-552cac827abf1f73.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Added Keycloak configuration for persistent in-memory session cache.
+ This unlocked the possibility to have a highly available Keycloak setup.
+ The role now sets the default `replicaCount` to 3 to support high availability.
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 3e17ab2b47..4179d6b8e1 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -1,16 +1,5 @@
-# Copyright (c) 2023 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 atmosphere_release: main
 
@@ -100,7 +89,7 @@ _atmosphere_images:
 ironic_retrive_cleaning_network: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
 ironic_retrive_swift_config: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
 keepalived: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keepalived:{{ atmosphere_release }}"
- keycloak: "{{ atmosphere_image_prefix }}quay.io/keycloak/keycloak:24.0.5-0"
+ keycloak: "{{ atmosphere_image_prefix }}quay.io/keycloak/keycloak:24.0.5-1"
 keystone_api: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keystone:{{ atmosphere_release }}"
 keystone_credential_cleanup: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
 keystone_credential_rotate: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keystone:{{ atmosphere_release }}"
diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml
index ae1f82ba64..7f2301ca37 100644
--- a/roles/keycloak/defaults/main.yml
+++ b/roles/keycloak/defaults/main.yml
@@ -1,16 +1,5 @@
-# Copyright (c) 2023 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 keycloak_helm_release_name: keycloak
 keycloak_helm_chart_path: "../../charts/keycloak/"
diff --git a/roles/keycloak/meta/main.yml b/roles/keycloak/meta/main.yml
index c6cbb09062..a6d4201083 100644
--- a/roles/keycloak/meta/main.yml
+++ b/roles/keycloak/meta/main.yml
@@ -1,16 +1,5 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 galaxy_info:
 author: VEXXHOST, Inc.
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index f1b8bba6b6..3ff46dedaa 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,16 +1,5 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 - name: Get the Kuberentes service for Percona XtraDB Cluster
 run_once: true
@@ -64,6 +53,31 @@
 login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}"
 query: "set global pxc_strict_mode='PERMISSIVE'"
 
+- name: Check if Keycloak StatefulSet already installed
+ run_once: true
+ kubernetes.core.k8s_info:
+ api_version: apps/v1
+ kind: StatefulSet
+ name: "{{ keycloak_helm_release_name }}"
+ namespace: "{{ keycloak_helm_release_namespace }}"
+ register: _keycloak_sts_current
+
+- name: Set fact about current podManagementPolicy
+ run_once: true
+ ansible.builtin.set_fact:
+ _keycloak_pod_policy: "{{ _keycloak_sts_current.resources[0].spec.podManagementPolicy | default('') }}"
+
+- name: Delete Keycloak StatefulSet if podManagementPolicy is set to Parallel
+ run_once: true
+ kubernetes.core.k8s:
+ api_version: apps/v1
+ kind: StatefulSet
+ name: "{{ keycloak_helm_release_name }}"
+ namespace: "{{ keycloak_helm_release_namespace }}"
+ state: absent
+ register: _keycloak_sts_delete
+ when: _keycloak_pod_policy == 'Parallel'
+
 - name: Deploy Helm chart
 run_once: true
 kubernetes.core.helm:
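Review bot: The `Delete Keycloak StatefulSet if podManagementPolicy is set to Parallel` task returns as soon as the API accepts the deletion, so the `Deploy Helm chart` task that follows can recreate a StatefulSet of the same name while the old pods are still terminating; add `wait: true` (with a `wait_timeout`) to the delete task so the object is actually gone before the upgrade runs. Because the delete uses the default propagation, every Keycloak pod is torn down for the whole migration window, and anything that authenticates through this Keycloak (the keystone role creates realms in it, so presumably Keystone federation) is unavailable until the new StatefulSet is ready; `delete_options: {propagationPolicy: Orphan}` would keep the pods serving, but only if the recreated StatefulSet adopts them, which should be confirmed before relying on it. The `resources[0]` lookup in the set_fact task only survives a fresh install because `default('')` absorbs the undefined result; a comment such as `# resources is empty on first install; default('') keeps the when: below false` would make that intent explicit.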
@@ -75,8 +89,10 @@
 wait: true
 timeout: 10m
 values: "{{ _keycloak_helm_values | combine(keycloak_helm_values, recursive=True) }}"
+ force: "{{ _keycloak_sts_delete.changed }}"
 
-- name: Wait until keycloak ready
+- name: Wait until Keycloak ready
+ run_once: true
 kubernetes.core.k8s_info:
 api_version: apps/v1
 kind: StatefulSet
diff --git a/roles/keycloak/vars/main.yml b/roles/keycloak/vars/main.yml
index ead80fbb75..c851361423 100644
--- a/roles/keycloak/vars/main.yml
+++ b/roles/keycloak/vars/main.yml
@@ -1,21 +1,15 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 _keycloak_ingress_annotations:
 cert-manager.io/cluster-issuer: "{{ keycloak_ingress_cluster_issuer }}"
 
 _keycloak_helm_values:
+ replicaCount: 3
+ # NOTE(fitbeard): Overriding Bitnami default which is 'Parallel'
+ # https://github.com/keycloak/keycloak/issues/21108
+ # https://github.com/keycloak/keycloak/issues/28454
+ podManagementPolicy: OrderedReady
 # NOTE(mnaser): These workarounds below are needed to allow the Bitnami Helm chart to work with
 # the upstream image.
 enableDefaultInitContainers: false
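Review bot: The NOTE above `podManagementPolicy: OrderedReady` in roles/keycloak/vars/main.yml cites the upstream issues but not the operational consequence that drives the rest of this change: `podManagementPolicy` is immutable on an existing StatefulSet, which is why tasks/main.yml now deletes a `Parallel` StatefulSet before the Helm upgrade and passes `force` based on that deletion. Extending the comment with `# podManagementPolicy is immutable on a live StatefulSet; tasks/main.yml deletes a 'Parallel' one before upgrading` keeps the two files linked for the next reader. The new default `replicaCount: 3` also triples the footprint of every deployment that did not set `keycloak_helm_values.replicaCount`; the release note says so, and a one-line comment beside the value would too.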
@@ -41,6 +35,12 @@ _keycloak_helm_values:
 secretKeyRef:
 key: db-password
 name: keycloak-externaldb
+ - name: JAVA_OPTS_APPEND
+ value: "-Djgroups.dns.query=keycloak-headless.{{ keycloak_helm_release_namespace }}.svc"
+ - name: KC_CACHE_STACK
+ value: kubernetes
+ - name: KC_CACHE
+ value: ispn
 command:
 - /opt/keycloak/bin/kc.sh
 - --verbose
@@ -70,6 +70,17 @@ _keycloak_helm_values:
 enabled: false
 production: true
 proxy: edge
+ cache:
+ enabled: true
+ service:
+ headless:
+ extraPorts:
+ - name: infinispan
+ port: 7800
+ protocol: TCP
+ # NOTE(fitbeard): Name 'discovery' and port 7800
+ # are hardcoded in the 'statefulset.yaml' template
+ targetPort: discovery
 startupProbe:
 enabled: true
 initialDelaySeconds: 5
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
index e5abcb07cc..c8b15ebe95 100644
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -1,16 +1,5 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 - name: Create Keycloak realms
 no_log: true
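Review bot: The Infinispan/JGroups transport enabled by `KC_CACHE_STACK: kubernetes` and `-Djgroups.dns.query=keycloak-headless...` is exposed on port 7800 through the headless service in the second hunk (`extraPorts`), and nothing in either hunk restricts who may reach it; session data replicated over that transport is not shown here to be encrypted or authenticated, so any workload with network access to the pods could attempt to join the cluster. Unless the chart or another part of the role already applies one, a NetworkPolicy allowing ingress on 7800 only from pods carrying the Keycloak release labels is the minimum guard, and a comment beside `port: 7800` such as `# cluster transport; keep reachable from Keycloak pods only` would record that decision. The `KC_CACHE_STACK` and `KC_CACHE` values are plain scalars while the neighbouring `value:` line is quoted; quoting them as `"kubernetes"` and `"ispn"` keeps the env block consistent.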