Hello!
We are currently operating Keycloak v22.0.4 in a multi-region highly available (HA) configuration across us-east and us-west on AWS Fargate. This setup includes three tasks per region across multiple Availability Zones for both Keycloak and Infinispan clusters, backed by a global Aurora PostgreSQL 14.9 DB for configuration storage. We use an externalized/remote Infinispan v15.0.5. This architecture helps maintain active sessions during Keycloak releases/upgrades and ensures asynchronous session replication between regions.
As we migrate to Keycloak v26, we are encountering issues and require clarification on upgrading to the latest version. Our primary concerns are related to Infinispan multi-region setup and session storage:
- Infinispan Multi-Region Setup and Session Storage:
  - We are struggling to set up an external Infinispan with Keycloak v26 due to library changes and NLB connectivity issues (related GitHub issue).
  - Is Keycloak’s single-region HA recommendation (source 1, source 2) based on synchronous session replication and persistent user sessions? If so, are there alternative multi-region strategies we could consider if we re-evaluate these requirements?
  - Is there a reason for not recommending a multi-region externalized Infinispan architecture? Is support for externalized Infinispan still available?
  - How does the new Keycloak v26 architecture ensure no session loss during Keycloak upgrades (especially for breaking config/schema changes on the persist store)?
  - Based on our research it looks like external Infinispan isn’t used for user session storage in Keycloak HA v26. Is this accurate?
  - Our understanding is that Infinispan supports global clusters across regions. Is there a specific reason to move away from externalized Infinispan?
  - While enabling the `clusterless` feature would allow sessions to be stored in Infinispan, we note that it is not production-ready (blog post).
  - Our goal is to use an external Infinispan to facilitate Keycloak updates without session loss.
Any insights, examples, or documentation on achieving robust multi-region HA with Keycloak v26 (with or without external Infinispan for session storage) would be greatly appreciated!