Add jdbc persistence for keycloak remote caches

The new flag jdg_keycloak_persistence (default: false) allows to setup the keycloak datasource for persistence of keycloak caches. Also, switch from replicated-cache to distributed-cache for keycloak when crossDC replication (RELAY2 protocol) is enabled.
ansible-middleware · Dec 29, 2021 · fbaa165 · fbaa165
1 parent 1943840
commit fbaa165
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 11 deletions.
diff --git a/roles/infinispan/README.md b/roles/infinispan/README.md
@@ -18,7 +18,9 @@ Role Defaults
 |`jdg_jgroups_relay_sites`| List of site names for cross-DC relaying | `[]` |
 |`jdg_jgroups_relay_site`| Site the inventory host is in when cross-DC is enabled | `''` |
 |`jdg_jgroups_jdbcping`| Enable clustering using JDBC PING discovery | `False` |
-
+|`jdg_keycloak_persistence`| Enable persitence datasource for keycloak caches | `False` |
+|`jdg_service_user`| posix account for the service installation | `jdg` |
+|`jdg_service_group`| posix group for the service installation | `jdg` |
 
 
 Role Variables

diff --git a/roles/infinispan/defaults/main.yml b/roles/infinispan/defaults/main.yml
@@ -19,6 +19,8 @@ jdg_bind_address: localhost
 jdg_port: 11222
 jdg_jgroups_port: 7800
 jdg_jgroups_relay_port: 7801
+jdg_service_user: jdg
+jdg_service_group: jdg
 
 # flag to enable protocol encryption
 jdg_default_realm_tls: False
@@ -34,3 +36,6 @@ jdg_jgroups_relay_site: ''
 
 # flag to enable keycloak integration
 infinispan_keycloak_caches: False
+
+# flag to enable datasource for keycloak integration
+jdg_keycloak_persistence: False
diff --git a/roles/infinispan/handlers/main.yml b/roles/infinispan/handlers/main.yml
@@ -1,5 +1,6 @@
 ---
 - name: restart infinispan
+  throttle: 1
   systemd:
     name: "{{ jdg.service.name }}" 
     state: restarted  
diff --git a/roles/infinispan/templates/infinispan.xml.j2 b/roles/infinispan/templates/infinispan.xml.j2
@@ -83,25 +83,53 @@
     <cache-container name="keycloak" statistics="true">
 {% if jdg_jgroups_relay %}
       <transport cluster="{{ jdg_jgroups_relay_site }}" stack="xsite" node-name="{{ inventory_hostname }}"  machine="{{ inventory_hostname }}" site="{{ jdg_jgroups_relay_site }}"/>
-{% else %}
-      <transport cluster="datagrid" stack="datagrid" node-name="{{ inventory_hostname }}" machine="{{ inventory_hostname }}"/>
-{% endif %}
+      <replicated-cache name="work"/>
 {% for keycloak_cache in jdg_keycloak_cache.caches %}
-      <replicated-cache name="{{ keycloak_cache }}" mode="SYNC">
+      <distributed-cache name="{{ keycloak_cache }}" mode="SYNC" owners="2" xmlns:jdbc="urn:infinispan:config:store:jdbc:12.0">
+{% if jdg_keycloak_persistence %}
+        <persistence passivation="false">
+           <jdbc:string-keyed-jdbc-store fetch-state="false" shared="true" preload="false">
+               <jdbc:data-source jndi-url="jdbc/datasource"/>
+               <jdbc:string-keyed-table drop-on-exit="false" create-on-start="true" prefix="DATAGRID">
+                   <jdbc:id-column name="id" type="VARCHAR(255)"/>
+                   <jdbc:data-column name="datum" type="VARBINARY(4000)"/>
+                   <jdbc:timestamp-column name="version" type="BIGINT"/>
+                   <jdbc:segment-column name="S" type="INT"/>
+               </jdbc:string-keyed-table>
+            </jdbc:string-keyed-jdbc-store>
+        </persistence>
+{% else %}
         <transaction mode="NONE" locking="PESSIMISTIC"/>
         <locking acquire-timeout="0" />
+{% endif %}
         <backups>
 {% for site in jdg_jgroups_relay_sites %}
-            {% if site != jdg_jgroups_relay_site %}<backup site="{{ site }}" strategy="ASYNC"/>{% endif %}
+{% if site != jdg_jgroups_relay_site %}            <backup site="{{ site }}" strategy="ASYNC"/>
+{% endif %}
 {% endfor %}
         </backups>
-      </replicated-cache>
+      </distributed-cache>
+{% endfor %}
       <security>
         <authorization>
           <role name="{{ jdg_supervisor.name }}" permissions="READ WRITE EXEC CREATE"/>
         </authorization>
       </security>
+{% else %}
+      <transport cluster="datagrid" stack="datagrid" node-name="{{ inventory_hostname }}" machine="{{ inventory_hostname }}"/>
+      <replicated-cache name="work"/>
+{% for keycloak_cache in jdg_keycloak_cache.caches %}
+      <replicated-cache name="{{ keycloak_cache }}" mode="SYNC">
+        <transaction mode="NONE" locking="PESSIMISTIC"/>
+        <locking acquire-timeout="0" />
+      </replicated-cache>
 {% endfor %}
+      <security>
+        <authorization>
+          <role name="{{ jdg_supervisor.name }}" permissions="READ WRITE EXEC CREATE"/>
+        </authorization>
+      </security>
+{% endif %}
     </cache-container>
 {% endif %}
    <server xmlns="urn:infinispan:server:12.1">
@@ -140,7 +168,19 @@
             </security-realm>
          </security-realms>
       </security>
-
+{% if jdg_keycloak_persistence %}
+      <data-sources>
+        <data-source name="KeycloakDS" jndi-name="jdbc/datasource" statistics="true">
+          <connection-factory driver="{{ jdg_jgroups_jdbc.mariadb.driver_class }}"
+                              username="{{ jdg_jgroups_jdbc.mariadb.db_user }}"
+                              password="{{ jdg_jgroups_jdbc.mariadb.db_password }}"
+                              url="{{ jdg_jgroups_jdbc.mariadb.connection_url }}?useUnicode=true&amp;characterEncoding=UTF-8"
+                              new-connection-sql="SELECT 1" transaction-isolation="READ_COMMITTED">
+          </connection-factory>
+          <connection-pool initial-size="1" max-size="10"  min-size="3" background-validation="1000" idle-removal="1" blocking-timeout="1000" leak-detection="10000"/>
+        </data-source>
+      </data-sources>
+{% endif %}
       <endpoints socket-binding="default" security-realm="default">
         <hotrod-connector name="hotrod"/>
         <rest-connector name="rest">

diff --git a/roles/infinispan/vars/main.yml b/roles/infinispan/vars/main.yml
@@ -22,9 +22,9 @@ jdg:
     users: "{{ override_jdg_config_users_properties | default('users.properties') }}"
     groups: "{{ override_jdg_config_group_properties | default('groups.properties') }}"
   user:
-    name: "{{ override_jdg_user | default('jdg') }}"
+    name: "{{ jdg_service_user }}"
   group:
-    name: "{{ override_jdg_group | default('jdg') }}"
+    name: "{{ jdg_service_group }}"
   service:
     name: "{{ override_jdg_service_name | default('jdg' if jdg_rhn_id is defined else 'infinispan') }}"
   users: "{{ [ jdg_supervisor ] + infinispan_users }}"
@@ -48,4 +48,3 @@ jdg_keycloak_cache:
     - offlineClientSessions
     - loginFailures
     - actionTokens
-    - work