from Hacker News

Keycloak with PostgreSQL on Kubernetes

by brakmic on 4/10/23, 6:48 PM with 77 comments

  • by photonios on 4/10/23, 8:26 PM

    If there's anyone reading this that is planning on deploying Keycloak in a high availability environment, I would highly recommend that you persist all sessions in the database as offline sessions.

    At work, I ran 9 Keycloak clusters in production, handling tens of millions of sessions where the cost of losing sessions was high. The amount of time we wasted on getting it to work reliably with its default configuration of storing the sessions in its distributed, in-memory cache (Infinispan) is insane. It just isn't designed to handle such a work load reliably. Unless you're willing to spent months tuning it for every possible scenario, you WILL lose sessions.

    If you are in this situation, shoot me an email. I have been through this pain and it took a lot of painstaking work to get to a highly reliable set up at scale.

  • by vsviridov on 4/10/23, 8:31 PM

    As a possible alternative, I've recently started using Zitadel (https://zitadel.com/) which is a very full-fledged open source IDP, in active development.

  • by ahachete on 4/10/23, 9:19 PM

    This is good and interesting recipe to get Keycloak and Postgres on Kubernetes.

    There is an important improvement, though: the Postgres deployed here is not production ready (high availability, backups, monitoring, etc).

    We run Keycloak on StackGres [1] which gives us production-ready Postgres setup (disclaimer: it's dogfooding). Happy to share the YAML manifests used to deploy Keycloak with StackGres. Maybe we will write a blog post as a follow-up to this one, for completeness.

    [1]: https://stackgres.io

  • by vbezhenar on 4/11/23, 2:50 AM

    I miss the ability to use some kind of GitOps with Keycloak. There's Terraform plugin, but I hate it (because of state). I wish there was some kind of config file which Keycloak would read at startup and create/update/delete its resources according to it. I know that I can initialize realm with JSON (with unreadable structure), but I can't maintain realm with config file.

  • by hotpotamus on 4/10/23, 8:20 PM

    I've been down this road a bit, though actually in Docker Swarm. One aspect I spend a lot of time digging into was running multiple keycloak containers with shared cache. On metal or a VM with multicast, they'll find each other no problem, and it works beautifully, but I'm not aware of any container orchestration that brings multicast out of the box (and I don't think AWS does either). Keycloak has a built in Kubernetes DNS discovery mechanism to find its peer containers and share cache which also worked quite well on Swarm, though I lost a day or two tweaking it.

  • by rubentanlz on 4/11/23, 1:18 AM

    Hopefully this doesn't come across as off-topic but the "smooth scrolling" or whatever that is that hijacks the normal scroll behavior is throwing off my scrollwheel, making the website nigh impossible to navigate. Only way I can scroll properly is by clicking on the scroll bar and dragging it up and down manually.

  • by Too on 4/11/23, 4:51 AM

    I may be wrong but is it not preferable to use StatefulSet for databases, rather than PV, PVC and Deployments?

    You will not be able to scale anything up anyway since it’s a single instance mounting the same data.

  • by xupybd on 4/10/23, 8:20 PM

    I've just started using Keycloak to provide OpenID for F# Safe stack applications.

    Wow the learning curve was steep on that one. Not having ever touched OpenID or anything other than forms based authentication and not knowing ASP.Net very well.

    But it's neat to get it all up and running. Still a few issues with getting Keycloak to redirect to HTTPS but we will get there.

  • by boris-ning-usds on 4/11/23, 1:47 AM

    I've been reading up on Keycloak recently, and had questions for hosting keycloak in prod.

    How do people in the field handle configuration updates with code? For example, if I want to set it up as an identity broker to an idp, I would want that configuration backed by code, reviewed by my team. Is anybody using the keycloak terraform provider https://registry.terraform.io/providers/mrparkers/keycloak/l... in production?

    Do people diff the realm json configuration as code and use that instead?

  • by vxxzy on 4/10/23, 7:50 PM

    Ah nice! I use Keycloak in conjunction with NetMaker. It seems to work well! I’d like to figure out a way to somehow get ssh authentication with keycloak. I’ve read of oauth + ssh certs, but all of it seems so cumbersome. It would be cool to have an open source alternative to StrongDM.

  • by hsn915 on 4/10/23, 11:31 PM

    Am I the only one for whom this kind of thing is painful to read?

    I am kinda curious though about the kind of personality type that enjoys this kind of stuff.

    Of course, I have never heard of "Keycloak" before, so I checked their homepage:

    "No need to deal with storing users or authenticating users."

    Wait a second, is dealing with storing users and authenticaing them _so much pain_ that you rather inflict yourself with the pain of setting up and managing a k8s cluster?

    I seriously don't get it.

  • by vbezhenar on 4/11/23, 2:48 AM

    Why postgres is running as privileged?