Hi everyone,
I have a production cluster of keycloak deployed in k8s with two connected deployments:
1. keycloak - accepts ingress traffic, contains my custom plugins, so can be updated quite often, but has no data for distributed caches on it.
2. keycloak-ispn - doesn't accept ingress traffic, practically never updated, contains all of the main data for distributed caches.
They are all connected to one headless k8s service, and its FQDN is used in -Djgroups.dns.query.
Historically we used to have just one deployment, but deploying it took very long, and we were developing a lot of plugins and needed a faster and more stable deployment, so we decided to split it into two parts. We use two ISPN configs; the main difference between them is the following:
1. keycloak - <cache-container name="keycloak" zero-capacity-node="true">
2. keycloak-ispn - <cache-container name="keycloak" statistics="true">
Everything was okay, the distributed caches were all on keycloak-ispn nodes, but we faced a large problem with invalidation of local caches - realms, users, authorization, keys. For them we have a bunch of common invalidation problems - we change settings for a realm on one node but they are not applied to the other node of the keycloak deployment (non-ISPN) - i.e. the changes are applied locally and in postgres, but are not seen on the other nodes of the ingress deployment.
Any help is appreciated.
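One way to confirm the symptom described above (a realm change visible through one pod but not the others) is to read the realm representation through every pod and compare the views. The script below is an added example, not code from the post; it assumes the Quarkus Keycloak distribution (admin REST API under /admin/realms/{realm} with no /auth prefix), pod-specific base URLs such as a port-forward per pod, and an admin account for the password grant. The sample views are constructed so the comparison runs offline.

```python
"""Added example: checks whether a realm setting written through one
Keycloak pod is visible through every other pod, which is the symptom
described in the post (stale local realm cache on the ingress nodes).
Pod URLs, realm name and credentials are assumptions; the constructed
sample data below stands in for real responses when run offline."""
import json
import urllib.parse
import urllib.request


def get_admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant against the master realm's admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def fetch_realm(base_url: str, realm: str, token: str) -> dict:
    """GET the realm representation via the admin REST API."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_stale_nodes(expected: dict, views: dict) -> list:
    """Return the names of nodes whose realm view disagrees with `expected`
    on any of its keys. A stale node means the invalidation message did not
    reach that node's local realm cache."""
    stale = []
    for node, realm in views.items():
        if any(realm.get(k) != v for k, v in expected.items()):
            stale.append(node)
    return sorted(stale)


def check_propagation(pod_urls: dict, realm: str, token: str,
                      expected: dict, fetch=fetch_realm) -> list:
    """Read the realm through each pod (by a pod-specific URL, e.g. a
    port-forward or the pod IP) and report which pods still serve old values."""
    views = {node: fetch(url, realm, token) for node, url in pod_urls.items()}
    return find_stale_nodes(expected, views)


# Constructed sample: three pods' views after displayName was changed to
# "After update" through keycloak-0. keycloak-1 still serves the old value.
SAMPLE_VIEWS = {
    "keycloak-0": {"realm": "demo", "displayName": "After update", "enabled": True},
    "keycloak-1": {"realm": "demo", "displayName": "Before update", "enabled": True},
    "keycloak-ispn-0": {"realm": "demo", "displayName": "After update", "enabled": True},
}


def sample_check() -> list:
    """Run the comparison against the constructed views; no network needed."""
    return check_propagation(
        {node: f"http://{node}:8080" for node in SAMPLE_VIEWS},
        "demo", "dummy-token", {"displayName": "After update"},
        fetch=lambda url, realm, token: SAMPLE_VIEWS[url.split("//")[1].split(":")[0]])


if __name__ == "__main__":
    print("stale nodes:", sample_check())
```

Against a live cluster, call get_admin_token once, change the setting through one pod, then call check_propagation with the real fetch_realm and a pod_urls map; any pod listed in the result is serving from a realm cache that never received the invalidation.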