feat: HA Keycloak

.github/styles/config/vocabularies/Base/accept.txt

@@ -4,6 +4,7 @@ CRD
 Ceph
 Glance
 JWT
+Keycloak
 Manila
 MySQL
 Nova

molecule/aio/group_vars/all/molecule.yml

@@ -37,6 +37,9 @@ percona_xtradb_cluster_spec:
   haproxy:
     size: 1
 
+keycloak_helm_values:
+  replicaCount: 2
+
 keystone_helm_values:
   conf:
     keystone:

releasenotes/notes/scale-keycloak-552cac827abf1f73.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - Added Keycloak configuration for persistent in-memory session cache.
+    This unlocked the possibility to have a highly available Keycloak setup.
+    The role now sets the default `replicaCount` to 3 to support high availability.

roles/defaults/vars/main.yml

@@ -1,16 +1,5 @@
-# Copyright (c) 2023 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 atmosphere_release: main
 
@@ -100,7 +89,7 @@ _atmosphere_images:
   ironic_retrive_cleaning_network: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
   ironic_retrive_swift_config: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
   keepalived: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keepalived:{{ atmosphere_release }}"
-  keycloak: "{{ atmosphere_image_prefix }}quay.io/keycloak/keycloak:24.0.5-0"
+  keycloak: "{{ atmosphere_image_prefix }}quay.io/keycloak/keycloak:24.0.5-1"
   keystone_api: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keystone:{{ atmosphere_release }}"
   keystone_credential_cleanup: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/heat:{{ atmosphere_release }}"
   keystone_credential_rotate: "{{ atmosphere_image_prefix }}registry.atmosphere.dev/library/keystone:{{ atmosphere_release }}"

roles/keycloak/defaults/main.yml

@@ -1,16 +1,5 @@
-# Copyright (c) 2023 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 keycloak_helm_release_name: keycloak
 keycloak_helm_chart_path: "../../charts/keycloak/"

roles/keycloak/meta/main.yml

@@ -1,16 +1,5 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 galaxy_info:
   author: VEXXHOST, Inc.

roles/keycloak/tasks/main.yml

@@ -1,16 +1,5 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 - name: Get the Kuberentes service for Percona XtraDB Cluster
   run_once: true
@@ -64,6 +53,31 @@
     login_password: "{{ openstack_helm_endpoints.oslo_db.auth.admin.password }}"
     query: "set global pxc_strict_mode='PERMISSIVE'"
 
+- name: Check if Keycloak StatefulSet already installed
+  run_once: true
+  kubernetes.core.k8s_info:
+    api_version: apps/v1
+    kind: StatefulSet
+    name: "{{ keycloak_helm_release_name }}"
+    namespace: "{{ keycloak_helm_release_namespace }}"
+  register: _keycloak_sts_current
+
+- name: Set fact about current podManagementPolicy
+  run_once: true
+  ansible.builtin.set_fact:
+    _keycloak_pod_policy: "{{ _keycloak_sts_current.resources[0].spec.podManagementPolicy | default('') }}"
+
+- name: Delete Keycloak StatefulSet if podManagementPolicy is set to Parallel
+  run_once: true
+  kubernetes.core.k8s:
+    api_version: apps/v1
+    kind: StatefulSet
+    name: "{{ keycloak_helm_release_name }}"
+    namespace: "{{ keycloak_helm_release_namespace }}"
+    state: absent
+  register: _keycloak_sts_delete
+  when: _keycloak_pod_policy == 'Parallel'
+
 - name: Deploy Helm chart
   run_once: true
   kubernetes.core.helm:
@@ -75,8 +89,10 @@
     wait: true
     timeout: 10m
     values: "{{ _keycloak_helm_values | combine(keycloak_helm_values, recursive=True) }}"
+    force: "{{ _keycloak_sts_delete.changed }}"
 
-- name: Wait until keycloak ready
+- name: Wait until Keycloak ready
+  run_once: true
   kubernetes.core.k8s_info:
     api_version: apps/v1
     kind: StatefulSet

roles/keycloak/vars/main.yml

@@ -1,21 +1,15 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 _keycloak_ingress_annotations:
   cert-manager.io/cluster-issuer: "{{ keycloak_ingress_cluster_issuer }}"
 
 _keycloak_helm_values:
+  replicaCount: 3
+  # NOTE(fitbeard): Overriding Bitnami default which is 'Parallel'
+  # https://github.com/keycloak/keycloak/issues/21108
+  # https://github.com/keycloak/keycloak/issues/28454
+  podManagementPolicy: OrderedReady
   # NOTE(mnaser): These workarounds below are needed to allow the Bitnami Helm chart to work with
   #               the upstream image.
   enableDefaultInitContainers: false
@@ -41,6 +35,12 @@ _keycloak_helm_values:
         secretKeyRef:
           key: db-password
           name: keycloak-externaldb
+    - name: JAVA_OPTS_APPEND
+      value: "-Djgroups.dns.query=keycloak-headless.{{ keycloak_helm_release_namespace }}.svc"
+    - name: KC_CACHE_STACK
+      value: kubernetes
+    - name: KC_CACHE
+      value: ispn
   command:
     - /opt/keycloak/bin/kc.sh
     - --verbose
@@ -70,6 +70,17 @@ _keycloak_helm_values:
     enabled: false
   production: true
   proxy: edge
+  cache:
+    enabled: true
+  service:
+    headless:
+      extraPorts:
+        - name: infinispan
+          port: 7800
+          protocol: TCP
+          # NOTE(fitbeard): Name 'discovery' and port 7800
+          # are hardcoded in the 'statefulset.yaml' template
+          targetPort: discovery
   startupProbe:
     enabled: true
     initialDelaySeconds: 5

roles/keystone/tasks/main.yml

@@ -1,16 +1,5 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright (c) 2025 VEXXHOST, Inc.
+# SPDX-License-Identifier: Apache-2.0
 
 - name: Create Keycloak realms
   no_log: true