[HN Gopher] Keycloak with PostgreSQL on Kubernetes
___________________________________________________________________
Keycloak with PostgreSQL on Kubernetes
Author : brakmic
Score : 83 points
Date : 2023-04-10 18:48 UTC (4 hours ago)
(HTM) web link (blog.brakmic.com)
(TXT) w3m dump (blog.brakmic.com)
| photonios wrote:
| If there's anyone reading this that is planning on deploying
| Keycloak in a high availability environment, I would highly
| recommend that you persist all sessions in the database as
| offline sessions.
|
| At work, I ran 9 Keycloak clusters in production, handling tens
| of millions of sessions where the cost of losing sessions was
| high. The amount of time we wasted on getting it to work reliably
| with its default configuration of storing the sessions in its
| distributed, in-memory cache (Infinispan) is insane. It just
| isn't designed to handle such a work load reliably. Unless you're
| willing to spend months tuning it for every possible scenario,
| you WILL lose sessions.
|
| If you are in this situation, shoot me an email. I have been
| through this pain and it took a lot of painstaking work to get to
| a highly reliable set up at scale.
| ArchOversight wrote:
| Do you have a blog post or something detailing what you did and
| how you did it?
| rad_gruchalski wrote:
| I found this: https://www.janua.fr/offline-sessions-and-offline-tokens-wit....
| janua.fr is a very solid Keycloak resource. The write up is for a
| pretty aged Keycloak version but there are probably some decent
| pointers in there.
| ahachete wrote:
| This is a good and interesting recipe to get Keycloak and Postgres
| on Kubernetes.
|
| There is an important improvement, though: the Postgres deployed
| here is not production ready (high availability, backups,
| monitoring, etc).
|
| We run Keycloak on StackGres [1] which gives us production-ready
| Postgres setup (disclaimer: it's dogfooding). Happy to share the
| YAML manifests used to deploy Keycloak with StackGres. Maybe we
| will write a blog post as a follow-up to this one, for
| completeness.
|
| [1]: https://stackgres.io
| vsviridov wrote:
| As a possible alternative, I've recently started using Zitadel
| (https://zitadel.com/) which is a very full-fledged open source
| IDP, in active development.
| dariusj18 wrote:
| This looks very interesting, I have recently tried using auth0
| and was so horribly disappointed with how you go from 0 to
| enterprise as soon as you need any modern security feature.
| Plus I had assumed that they had a mature product, but it is
| chaotic and difficult to know what you are doing for even the
| simplest use cases.
| mderazon wrote:
| Ory Hydra / Kratos is another good one
|
| https://www.ory.sh
| vsviridov wrote:
| I guess with Zitadel they don't paywall any features, and
| with self-hosted option you get essentially the same thing as
| with hosted. I think you can probably even do multi-instance,
| however maybe without a management interface for that part of
| it... When I read Ory language, it says to me "you can try it
| out locally and integrate, but we want you in our hosted
| solution right after" (I could be wrong, I was just glancing
| casually...)
| jonas-w wrote:
| How does zitadel compare to authentik (https://goauthentik.io/)
| or authelia (https://www.authelia.com/)?
| vsviridov wrote:
| I don't think authelia has a UI, and it also has a mode where
| it integrates a bit more deeply with the routing mesh, to
| protect apps that do not do auth themselves. Authentik I've
| not looked into. It also seems that they differentiate self-
| hosted options into free and paid with different features...
| vxxzy wrote:
| Ah nice! I use Keycloak in conjunction with NetMaker. It seems to
| work well! I'd like to figure out a way to somehow get ssh
| authentication with keycloak. I've read of oauth + ssh certs, but
| all of it seems so cumbersome. It would be cool to have an open
| source alternative to StrongDM.
| bebop wrote:
| Super roughly, but you might be able to implement an
| Authentication SPI[0] and wire that into an Authorization Code
| flow.
|
| [0] -
| https://www.keycloak.org/docs/latest/server_development/#_au...
| hotpotamus wrote:
| I've been down this road a bit, though actually in Docker Swarm.
| One aspect I spent a lot of time digging into was running
| multiple keycloak containers with shared cache. On metal or a VM
| with multicast, they'll find each other no problem, and it works
| beautifully, but I'm not aware of any container orchestration
| that brings multicast out of the box (and I don't think AWS does
| either). Keycloak has a built in Kubernetes DNS discovery
| mechanism to find its peer containers and share cache which also
| worked quite well on Swarm, though I lost a day or two tweaking
| it.
| rad_gruchalski wrote:
| AWS supports multicast in VPCs.
| hotpotamus wrote:
| Curious - I've seen several references that it doesn't
| support it, and that keycloak has a dedicated ec2 cache
| discovery option. But I don't use AWS anyway, so I'm far from
| knowledgeable about it.
| rad_gruchalski wrote:
| https://aws.amazon.com/blogs/networking-and-content-delivery...
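Worked example, added here and not taken from the thread or the Keycloak project: the Kubernetes DNS peer discovery hotpotamus describes, written as manifests for the Quarkus-based Keycloak distribution. The namespace `iam`, the service and pod names, the image tag and the replica count are assumptions; database, hostname and TLS options are left out.

```yaml
# Headless Service: one DNS A record per pod; JGroups DNS_PING resolves it
# to discover cluster peers without multicast.
apiVersion: v1
kind: Service
metadata: {name: keycloak-headless, namespace: iam}   # assumed names
spec:
  clusterIP: None
  publishNotReadyAddresses: true   # peers are discoverable before they are Ready
  selector: {app: keycloak}
---
apiVersion: apps/v1
kind: StatefulSet
metadata: {name: keycloak, namespace: iam}
spec:
  serviceName: keycloak-headless
  replicas: 3
  selector: {matchLabels: {app: keycloak}}
  template:
    metadata: {labels: {app: keycloak}}
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:21.0   # assumed version
          args: ["start"]                         # DB, hostname, TLS options omitted
          env:
            - {name: KC_CACHE_STACK, value: kubernetes}   # JGroups DNS_PING stack
            - name: JAVA_OPTS_APPEND
              value: -Djgroups.dns.query=keycloak-headless.iam.svc.cluster.local
          ports:
            - {name: http, containerPort: 8080}
            - {name: jgroups, containerPort: 7800}   # Infinispan/JGroups TCP transport
---
# Cache replication carries live session data: allow port 7800 only from
# the Keycloak pods themselves, not from every pod in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: keycloak-jgroups, namespace: iam}
spec:
  podSelector: {matchLabels: {app: keycloak}}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {matchLabels: {app: keycloak}}
      ports:
        - {port: 7800, protocol: TCP}
    - ports:
        - {port: 8080, protocol: TCP}   # HTTP stays reachable; scope to your ingress controller
```

Once the pods are up, the Keycloak log reports the cluster view with all three members; a single-member view means DNS_PING could not resolve the headless service name.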
| xupybd wrote:
| I've just started using Keycloak to provide OpenID for F# Safe
| stack applications.
|
| Wow, the learning curve was steep on that one, not having ever
| touched OpenID or anything other than forms-based authentication
| and not knowing ASP.Net very well.
|
| But it's neat to get it all up and running. Still a few issues
| with getting Keycloak to redirect to HTTPS but we will get there.
| rad_gruchalski wrote:
| Maybe this will be helpful? https://gruchalski.com/posts/2022-02-20-keycloak-1700-with-t....
| I'm the author.
| xupybd wrote:
| Thank you!
|
| That looks like the exact problem I'm facing. I'll try it out
| today!
|
| Thanks again!
| andix wrote:
| That's exactly what needs to be done. It is also in the
| keycloak documentation, but not as easy to find as in your
| post.
| rad_gruchalski wrote:
| Thanks. I have recently rolled out Keycloak on k8s with
| Istio and ACME cert-manager. I'm going to write an article
| about it and post here when I find some time.
| andix wrote:
| The most disappointing problem with asp.net for me was that
| there is no backchannel logout. So you can't easily force-
| logout users from oidc/keycloak.
|
| Everything else was going pretty smoothly, although the
| authentication documentation for asp.net really sucks.
___________________________________________________________________
(page generated 2023-04-10 23:00 UTC)