Dear all,
As you probably know, the Keycloak Operator spins up a PostgreSQL database for the Keycloak Pods. After several discussions with Stian, we came to the conclusion that we (as the Keycloak Team) cannot reliably host and maintain it. None of us is a database expert, and managing things like database backup, restore, and HA configuration maintenance is far beyond our knowledge. Our proposal is to remove this functionality from future versions.
Over the next couple of days/weeks, I'll write up a Design Document and create proper JIRAs. For the time being, I'd like to gather a first round of feedback from the community.
Currently the Keycloak Operator supports an external PostgreSQL database [1]. This setup requires creating a Secret with database credentials (described in the manual). This approach needs to be enhanced, as it's a bit too complicated to be used as the default option. I propose modifying our Keycloak CR to contain a mandatory field with an explicit reference to the external database credentials Secret. It also goes without saying that this is a big behavioral change and requires bumping the API version. Here's a proposed Keycloak CR example along with a credentials Secret:
apiVersion: keycloak.org/v1alpha2
kind: Keycloak
metadata:
  ...
spec:
  externalDatabase:
    credentialsSecretRef: keycloak-db-secret
---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret
stringData:
  DB_VENDOR: <postgres, mysql, mariadb, oracle, mssql>
  DB_ADDR: <Database IP or URL (resolvable by K8s)>
  DB_PORT: <Database Port>
  DB_DATABASE: <Database Name, "keycloak" as default>
  DB_SCHEMA: <Database Schema>
  DB_USER: <Database User>
  DB_PASSWORD: <Database Password>
The Secret keys have been aligned with the Keycloak container. From the product perspective, we'll do a mapping step to make those settings consumable by the RHSSO image [2]. Another interesting aspect is that the KeycloakBackup CR will no longer be needed, as backups should be performed using the database Operator's dedicated mechanism (probably some sort of Backup CR).
The final question is how to get a database up and running for the Keycloak Operator. The answer would be to use one of the PostgreSQL Operators [3].
Thanks,
Sebastian
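As an added illustration of the proposed contract (this is not Keycloak Operator code and was not part of Sebastian's message), the following Python sketch shows what the operator's reconcile step would have to do with the CR/Secret pair above: resolve `spec.externalDatabase.credentialsSecretRef` to a Secret, merge base64 `data` with plaintext `stringData` the way the API server does, enforce the mandatory keys and the allowed `DB_VENDOR` values, apply the "keycloak" default for `DB_DATABASE`, and produce a config that can be logged without leaking the password. The CR shape and the `DB_*` key names come from the proposal; the namespace-scoped lookup, the port range check, the `redacted()` helper and the sample manifests are assumptions constructed for this example.

```python
# Added example for the Keycloak CR -> external-DB Secret proposal.
# Not Keycloak Operator code: CR shape and DB_* keys follow the proposal,
# everything else (namespace-scoped lookup, port check, redaction) is assumed.
import base64

ALLOWED_VENDORS = {"postgres", "mysql", "mariadb", "oracle", "mssql"}
REQUIRED_KEYS = ("DB_VENDOR", "DB_ADDR", "DB_PORT", "DB_USER", "DB_PASSWORD")
DEFAULT_DATABASE = "keycloak"  # '"keycloak" as default', per the proposal


class ValidationError(ValueError):
    """Raised for a CR/Secret pair the operator should refuse to reconcile."""


def decode_secret(secret):
    """Flatten a Secret manifest: `data` is base64 as stored by the API server,
    `stringData` is plaintext as authored and wins on key collisions."""
    values = {}
    for key, b64 in (secret.get("data") or {}).items():
        values[key] = base64.b64decode(b64).decode("utf-8")
    values.update(secret.get("stringData") or {})
    return values


def resolve_db_config(cr, secrets):
    """Turn a Keycloak CR plus a Secret lookup table into a DB config dict.

    `secrets` maps (namespace, name) -> Secret manifest and stands in for a
    namespaced API lookup. The ref is resolved only in the CR's own namespace
    (assumption): a cross-namespace ref would let anyone who can create a
    Keycloak CR read credentials belonging to other tenants.
    """
    namespace = (cr.get("metadata") or {}).get("namespace", "default")
    ext = (cr.get("spec") or {}).get("externalDatabase") or {}
    ref = ext.get("credentialsSecretRef")
    if not ref:
        raise ValidationError("spec.externalDatabase.credentialsSecretRef is mandatory")
    secret = secrets.get((namespace, ref))
    if secret is None:
        raise ValidationError(f"Secret {namespace}/{ref} not found")

    values = decode_secret(secret)
    # Report key names only; never echo values, one of them is the password.
    missing = [k for k in REQUIRED_KEYS if not values.get(k)]
    if missing:
        raise ValidationError(f"Secret {namespace}/{ref} is missing keys: {', '.join(missing)}")

    vendor = values["DB_VENDOR"].strip().lower()
    if vendor not in ALLOWED_VENDORS:
        raise ValidationError(f"DB_VENDOR must be one of {sorted(ALLOWED_VENDORS)}")
    try:
        port = int(values["DB_PORT"])
    except ValueError:
        raise ValidationError("DB_PORT must be an integer") from None
    if not 1 <= port <= 65535:
        raise ValidationError("DB_PORT must be in 1..65535")

    config = {
        "vendor": vendor,
        "addr": values["DB_ADDR"].strip(),
        "port": port,
        "database": values.get("DB_DATABASE") or DEFAULT_DATABASE,
        "user": values["DB_USER"],
        "password": values["DB_PASSWORD"],
    }
    if values.get("DB_SCHEMA"):
        config["schema"] = values["DB_SCHEMA"]
    return config


def redacted(config):
    """Copy of the config that is safe to log or surface in a CR status."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in config.items()}


# Constructed sample input mirroring the manifests in the proposal.
SAMPLE_CR = {
    "apiVersion": "keycloak.org/v1alpha2",
    "kind": "Keycloak",
    "metadata": {"name": "example-keycloak", "namespace": "sso"},
    "spec": {"externalDatabase": {"credentialsSecretRef": "keycloak-db-secret"}},
}
SAMPLE_SECRETS = {
    ("sso", "keycloak-db-secret"): {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "keycloak-db-secret", "namespace": "sso"},
        # Mix of base64 `data` (as stored) and plaintext `stringData` (as authored).
        "data": {"DB_PASSWORD": base64.b64encode(b"s3cr3t").decode("ascii")},
        "stringData": {
            "DB_VENDOR": "postgres",
            "DB_ADDR": "postgres.sso.svc.cluster.local",
            "DB_PORT": "5432",
            "DB_USER": "keycloak",
            # DB_DATABASE omitted on purpose: must fall back to "keycloak".
        },
    },
}

if __name__ == "__main__":
    print(redacted(resolve_db_config(SAMPLE_CR, SAMPLE_SECRETS)))
```

Two points worth keeping from this sketch if the field becomes mandatory in v1alpha2: the validation error must list missing key names without values (the Secret holds the password), and the reference should be resolved in the CR's namespace only, since the Secret is the trust boundary between whoever can create a Keycloak CR and the database credentials.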