From f4b3d0a50e5d2db4d27ba0dbd2a9d59db559288d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beatrice=20Dellac=C3=A0?=
Date: Sun, 30 Mar 2025 17:55:43 +0200
Subject: [PATCH] update HA for keycloak

---
 deploy/keycloak/keycloak-ingress.yaml | 1 +
 deploy/keycloak/keycloak.yaml | 73 ++++++++++++++++++++++++---
 2 files changed, 67 insertions(+), 7 deletions(-)

diff --git a/deploy/keycloak/keycloak-ingress.yaml b/deploy/keycloak/keycloak-ingress.yaml
index 2beb292..c045783 100644
--- a/deploy/keycloak/keycloak-ingress.yaml
+++ b/deploy/keycloak/keycloak-ingress.yaml
@@ -4,6 +4,7 @@ metadata:
   name: keycloak
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
   ingressClassName: nginx
diff --git a/deploy/keycloak/keycloak.yaml b/deploy/keycloak/keycloak.yaml
index 53e4253..71cb723 100644
--- a/deploy/keycloak/keycloak.yaml
+++ b/deploy/keycloak/keycloak.yaml
@@ -1,18 +1,33 @@
 apiVersion: v1
 kind: Service
+metadata:
+  name: keycloak-headless
+  labels:
+    app: keycloak
+spec:
+  clusterIP: None  # Headless service for DNS discovery (returns pod IPs)
+  selector:
+    app: keycloak
+  ports:
+    - name: jgroups
+      port: 7600
+      targetPort: 7600
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
 metadata:
   name: keycloak
-  namespace: keycloak
   labels:
     app: keycloak
 spec:
+  type: ClusterIP  # Internal service for Keycloak (ingress will use this)
+  selector:
+    app: keycloak
   ports:
     - name: http
       port: 8080
       targetPort: 8080
-  selector:
-    app: keycloak
-  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -22,7 +37,7 @@ metadata:
   labels:
     app: keycloak
 spec:
-  replicas: 1
+  replicas: 3
   selector:
     matchLabels:
       app: keycloak
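Review bot: The new `keycloak-headless` Service in the first keycloak.yaml hunk does not set `publishNotReadyAddresses: true`, and since the Deployment's readinessProbe (later hunk) gates on /health/ready, a freshly rolled-out pod is not in the headless DNS answer until it is already up; JGroups DNS_PING on a cold start may then see no peers, so pods can form singleton clusters that only merge later — worth adding `publishNotReadyAddresses: true` under `spec:` of the headless Service so discovery sees all pods of the Deployment. The same hunk drops `namespace: keycloak` from the `keycloak` Service while the headless Service also carries no namespace, so both resources now land wherever the kubectl context points; the Deployment's own namespace line is outside this hunk, so please confirm all three objects end up in the same namespace (the short name `keycloak-headless` used for discovery only resolves within the pod's namespace).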
@@ -34,7 +49,9 @@ spec:
       containers:
         - name: keycloak
           image: quay.io/keycloak/keycloak:26.1.4
-          args: ["start"]
+          args:
+            - "start"
+            - "--cache=ispn"  # Enable distributed Infinispan cache (HA mode) [oai_citation_attribution:0‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=When%20you%20start%20Keycloak%20in,in%20your%20network%20are%20discovered)
           env:
             - name: KEYCLOAK_ADMIN
               value: "admin"
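Review bot: The trailing `[oai_citation_attribution:…](https://…)` fragments on the `--cache=ispn` comment, and on several comments in the following env/ports hunk, are copy-paste citation artifacts from a chat tool rather than documentation and should be stripped so the comments stay readable, e.g. `- "--cache=ispn"  # distributed Infinispan cache (HA mode), see keycloak.org/server/caching`. Note that `ispn` is already the default cache for `start`, so the argument is a no-op and could simply be dropped; keeping it only as an explicit statement of intent is fine, but the comment should say so. The container spec continues past both ends of this hunk.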
@@ -62,10 +79,52 @@ spec:
                   secretKeyRef:
                     name: keycloak-db-secret
                     key: password
+            # --- Clustering and caching settings ---
+            - name: KC_CACHE_STACK
+              value: "kubernetes"
+            - name: jgroups.dns.query
+              value: "keycloak-headless"  # DNS name for JGroups discovery (headless service) [oai_citation_attribution:2‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=DNS%20resolution%20using%20the%20JGroups,to%20the%20headless%20service%20FQDN)
+            - name: CACHE_OWNERS_COUNT
+              value: "2"
+            - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
+              value: "2"
+            # Enable proxy address forwarding since Keycloak is behind an NGINX proxy
+            - name: PROXY_ADDRESS_FORWARDING
+              value: "true"  # Trust X-Forwarded-* headers [oai_citation_attribution:3‡github.com](https://github.com/codecentric/helm-charts/issues/325#:~:text=extraEnv%3A%20%7C%20,name%3A%20CACHE_OWNERS_AUTH_SESSIONS_COUNT)
+            - name: KC_PROXY
+              value: "edge"  # Keycloak is behind an edge (TLS termination) proxy
+            - name: KC_HOSTNAME_STRICT
+              value: "false"  # Disable strict host check (allow internal/external host differences)
+            # (Optional) Enable health and metrics endpoints for monitoring:
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+            - name: KC_METRICS_ENABLED
+              value: "true"
           ports:
             - name: http
               containerPort: 8080
+            - name: jgroups
+              containerPort: 7600  # JGroups cluster communication port [oai_citation_attribution:4‡github.com](https://github.com/codecentric/helm-charts/issues/325#:~:text=authSessionTabId%3Dl06agEOwVB4)
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: 8080
+            initialDelaySeconds: 60
+            periodSeconds: 30
           readinessProbe:
             httpGet:
               path: /health/ready
-              port: 9000
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 15
+      affinity:
+        # Spread pods across different nodes for higher availability
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                topologyKey: "kubernetes.io/hostname"
+                labelSelector:
+                  matchLabels:
+                    app: keycloak
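Review bot: Moving the readiness probe from `port: 9000` to `port: 8080` (and starting the new liveness probe on 8080) is very likely a regression for the `keycloak:26.1.4` image used here: since Keycloak 25 the health endpoints enabled by `KC_HEALTH_ENABLED` are served on the management interface (9000 by default), so `/health/ready` on 8080 answers 404 and all three replicas would sit NotReady — both probes should keep `port: 9000`. `PROXY_ADDRESS_FORWARDING`, `CACHE_OWNERS_COUNT` and `CACHE_OWNERS_AUTH_SESSIONS_COUNT` are variables from the old WildFly image and the codecentric chart linked in the comments and are ignored by the Quarkus distribution, `KC_PROXY=edge` is deprecated in favour of `KC_PROXY_HEADERS=xforwarded` (and, as far as I recall, removed in 26 — please confirm against the 26.1 docs), and the documented way to point the `kubernetes` stack at the headless service is `-Djgroups.dns.query=<fqdn>` via `JAVA_OPTS_APPEND`, so an env var literally named `jgroups.dns.query` probably has no effect. With X-Forwarded headers trusted from any in-cluster client that can reach 8080, and `KC_HOSTNAME_STRICT=false` letting the Host header drive issuer and redirect URLs, set `KC_HOSTNAME` to the public URL (unless it is already set above this hunk) and consider `KC_PROXY_TRUSTED_ADDRESSES` if the 26.1 build supports it, so that only the ingress controller's addresses are trusted. Finally, cache owner counts for Infinispan in this distribution are configured through a cache configuration file rather than env vars, so the two `CACHE_OWNERS_*` entries should be replaced or dropped rather than left as silent no-ops. The container and pod spec continue above the hunk.
```yaml
            # … unchanged: DB credential env entries …
            - name: KC_CACHE_STACK
              value: "kubernetes"
            - name: JAVA_OPTS_APPEND
              value: "-Djgroups.dns.query=keycloak-headless.<NAMESPACE>.svc.cluster.local"  # <NAMESPACE>: placeholder, the namespace these manifests are applied to
            - name: KC_PROXY_HEADERS
              value: "xforwarded"
            - name: KC_HOSTNAME
              value: "https://<PUBLIC_HOSTNAME>"  # <PUBLIC_HOSTNAME>: placeholder, the ingress host; omit if already set above
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
          # … unchanged: ports …
          livenessProbe:
            httpGet:
              path: /health/live
              port: 9000
            # … unchanged: probe timings …
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 9000
            # … unchanged: probe timings, affinity …
```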