Chapter 8. Deploy an AWS Route 53 loadbalancer
This topic describes the procedure required to configure DNS based failover for Multi-AZ Red Hat build of Keycloak clusters using AWS Route53 for an active/passive setup. These instructions are intended to be used with the setup described in the Concepts for active-passive deployments chapter. Use it together with the other building blocks outlined in the Building blocks active-passive deployments chapter.
We provide these blueprints to show a minimal functionally complete example with a good baseline performance for regular installations. You would still need to adapt it to your environment and your organization’s standards and security best practices.
8.1. Architecture
All Red Hat build of Keycloak client requests are routed by a DNS name managed by Route53 records. Route53 is responsible for ensuring that all client requests are routed to the Primary cluster when it is available and healthy, or to the Backup cluster in the event of the primary availability zone or Red Hat build of Keycloak deployment failing.
If the primary site fails, the DNS changes will need to propagate to the clients. Depending on the client's configuration, the propagation may take some minutes. When using mobile connections, some internet providers might not respect the TTL of the DNS entries, which can lead to an extended time before the clients can connect to the new site.
Figure 8.1. AWS Global Accelerator Failover
Two OpenShift Routes are exposed on both the Primary and Backup ROSA cluster. The first Route uses the Route53 DNS name to service client requests, whereas the second Route is used by Route53 to monitor the health of the Red Hat build of Keycloak cluster.
8.2. Prerequisites
- Deployment of Red Hat build of Keycloak as described in Deploy Red Hat build of Keycloak for HA with the Red Hat build of Keycloak Operator on a ROSA cluster running OpenShift 4.14 or later, in two AWS availability zones within one AWS region.
- An owned domain for client requests to be routed through.
8.3. Procedure
- Create a Route53 Hosted Zone using the root domain name through which you want all Red Hat build of Keycloak clients to connect. Take note of the "Hosted zone ID", because this ID is required in later steps.
- Retrieve the "Hosted zone ID" and DNS name associated with each ROSA cluster. For both the Primary and Backup cluster, perform the following steps:
  - Log in to the ROSA cluster.
  - Retrieve the cluster LoadBalancer Hosted Zone ID and DNS hostname.
    - Command, with callouts:
      - 1: The AWS region hosting your ROSA cluster
    - Output: the LoadBalancer Hosted Zone ID and DNS hostname of the cluster.
    - Note: ROSA clusters running OpenShift 4.13 and earlier use classic load balancers instead of application load balancers. Use the aws elb describe-load-balancers command and an updated query string instead.
- Create Route53 health checks.
  - Command, with callouts:
    - 1: The domain which Red Hat build of Keycloak clients should connect to. This should be the same as, or a subdomain of, the root domain used to create the Hosted Zone.
    - 2: The subdomain that will be used for health probes on the Primary cluster
    - 3: The subdomain that will be used for health probes on the Backup cluster
  - Output:
    233e180f-f023-45a3-954e-415303f21eab (1)
    799e2cbb-43ae-4848-9b72-0d9173f04912 (2)
- Create the Route53 record set.
  - Command, with callouts:
    - 1: The ID of the Hosted Zone created earlier
  - Output:
    /change/C053410633T95FR9WN3YI
- Wait for the Route53 records to be updated.
  - Command:
    aws route53 wait resource-record-sets-changed --id /change/C053410633T95FR9WN3YI
- Update or create the Red Hat build of Keycloak deployment. For both the Primary and Backup cluster, perform the following steps:
  - Log in to the ROSA cluster.
  - Ensure the Keycloak CR has the following configuration, with callouts:
    - 1: The domain clients use to connect to Red Hat build of Keycloak
  - To ensure that request forwarding works, edit the Red Hat build of Keycloak CR to specify the hostname through which clients will access the Red Hat build of Keycloak instances. This hostname must be the $CLIENT_DOMAIN used in the Route53 configuration.
- Create the health check Route.
  - Command:
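The health-check and record-set steps above, as an added example that is not part of the Red Hat documentation or the Keycloak project: a POSIX shell script that builds the Route53 health-check configuration for each probe subdomain and the change batch for the client-facing name, with a PRIMARY and a SECONDARY alias record gated on the two health checks. The hosted zone IDs, load balancer hostnames, subdomain names and the /lb-check probe path are assumptions (placeholders to replace); the two health check IDs are the ones shown in the output above. By default the script only prints the JSON for review; pass --apply to submit the change batch with the AWS CLI.

```shell
#!/bin/sh
# Added example (not Red Hat's or Keycloak's code): build the Route53 failover
# configuration for an active/passive Red Hat build of Keycloak deployment.
set -eu

# --- Placeholders (assumptions, not values from the documentation) ----------
HOSTED_ZONE_ID="Z0PLACEHOLDERZONE"                 # "Hosted zone ID" of your Route53 Hosted Zone
CLIENT_DOMAIN="client.example.com"                 # name clients connect to ($CLIENT_DOMAIN)
PRIMARY_DOMAIN="primary.${CLIENT_DOMAIN}"          # health-probe subdomain, Primary cluster
BACKUP_DOMAIN="backup.${CLIENT_DOMAIN}"            # health-probe subdomain, Backup cluster
PRIMARY_LB_HOSTED_ZONE_ID="Z0PLACEHOLDERPRIMLB"    # from the Primary ROSA cluster LB lookup
PRIMARY_LB_DNS="primary-lb.example.elb.amazonaws.com"
BACKUP_LB_HOSTED_ZONE_ID="Z0PLACEHOLDERBKUPLB"     # from the Backup ROSA cluster LB lookup
BACKUP_LB_DNS="backup-lb.example.elb.amazonaws.com"
HEALTH_PATH="/lb-check"                            # assumed path served by the health check Route
# Health check IDs as printed by the "Create Route53 health checks" step
PRIMARY_HC_ID="233e180f-f023-45a3-954e-415303f21eab"
BACKUP_HC_ID="799e2cbb-43ae-4848-9b72-0d9173f04912"

# health_check_config FQDN PATH
# JSON for "aws route53 create-health-check --health-check-config": an HTTPS
# probe of the given subdomain; FailureThreshold 1 fails over on the first miss.
health_check_config() {
  printf '{"Type":"HTTPS","FullyQualifiedDomainName":"%s","Port":443,"ResourcePath":"%s","RequestInterval":30,"FailureThreshold":1}\n' "$1" "$2"
}

# simple_alias NAME LB_ZONE_ID LB_DNS
# One UPSERT of a plain alias A record: each probe subdomain points straight
# at its own cluster's load balancer, with no failover logic.
simple_alias() {
  cat <<EOF
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "$1",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "$2",
          "DNSName": "$3",
          "EvaluateTargetHealth": false
        }
      }
    }
EOF
}

# failover_alias NAME ROLE SET_ID HC_ID LB_ZONE_ID LB_DNS
# One UPSERT of a failover alias record (ROLE is PRIMARY or SECONDARY). Route53
# answers with the PRIMARY target while its health check passes, otherwise
# with the SECONDARY target.
failover_alias() {
  cat <<EOF
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "$1",
        "Type": "A",
        "SetIdentifier": "$3",
        "Failover": "$2",
        "HealthCheckId": "$4",
        "AliasTarget": {
          "HostedZoneId": "$5",
          "DNSName": "$6",
          "EvaluateTargetHealth": false
        }
      }
    }
EOF
}

# change_batch: the full --change-batch document (two probe records, two
# failover records for the client-facing name).
change_batch() {
  cat <<EOF
{
  "Comment": "Red Hat build of Keycloak active/passive failover",
  "Changes": [
$(simple_alias "$PRIMARY_DOMAIN" "$PRIMARY_LB_HOSTED_ZONE_ID" "$PRIMARY_LB_DNS"),
$(simple_alias "$BACKUP_DOMAIN" "$BACKUP_LB_HOSTED_ZONE_ID" "$BACKUP_LB_DNS"),
$(failover_alias "$CLIENT_DOMAIN" PRIMARY keycloak-primary "$PRIMARY_HC_ID" "$PRIMARY_LB_HOSTED_ZONE_ID" "$PRIMARY_LB_DNS"),
$(failover_alias "$CLIENT_DOMAIN" SECONDARY keycloak-backup "$BACKUP_HC_ID" "$BACKUP_LB_HOSTED_ZONE_ID" "$BACKUP_LB_DNS")
  ]
}
EOF
}

case "${1:-}" in
  --apply)
    # Submit the change; the printed ID is what "aws route53 wait
    # resource-record-sets-changed --id" expects.
    aws route53 change-resource-record-sets \
      --hosted-zone-id "$HOSTED_ZONE_ID" \
      --change-batch "$(change_batch)" \
      --query ChangeInfo.Id --output text
    ;;
  *)
    # Review mode: show the health-check configs and the change batch.
    health_check_config "$PRIMARY_DOMAIN" "$HEALTH_PATH"
    health_check_config "$BACKUP_DOMAIN" "$HEALTH_PATH"
    change_batch
    ;;
esac
```

The health-check configs are printed so they can be passed to aws route53 create-health-check --caller-reference <unique> --health-check-config, which returns the IDs that the two failover records reference; the record set cannot be created before those IDs exist, which is why the documentation creates the health checks first.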
8.4. Verify
Navigate to the chosen CLIENT_DOMAIN in your local browser and log in to the Red Hat build of Keycloak console.
To test that failover works as expected, log in to the Primary cluster and scale the Red Hat build of Keycloak deployment to zero Pods. Scaling will cause the Primary's health checks to fail, and Route53 should start routing traffic to the Red Hat build of Keycloak Pods on the Backup cluster.
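The failover test described above, as an added example that is not part of the Red Hat documentation or the Keycloak project: a POSIX shell script that repeatedly resolves the client-facing name and reports whether it currently answers with the Primary or the Backup load balancer's addresses, so the switch can be watched while the Primary deployment is scaled to zero. The hostnames are assumed placeholders (override them through the environment), and the script resolves through the local resolver, so it also shows the TTL caching effect mentioned in the Architecture section.

```shell
#!/bin/sh
# Added example (not Red Hat's or Keycloak's code): watch which cluster the
# client-facing DNS name currently resolves to during a failover test.
set -eu

# Placeholders (assumptions); override via the environment.
CLIENT_DOMAIN="${CLIENT_DOMAIN:-client.example.com}"
PRIMARY_LB_DNS="${PRIMARY_LB_DNS:-primary-lb.example.elb.amazonaws.com}"
BACKUP_LB_DNS="${BACKUP_LB_DNS:-backup-lb.example.elb.amazonaws.com}"

# resolve NAME -> space-separated, de-duplicated IPv4 addresses, using the
# local resolver (getent is available on glibc-based Linux).
resolve() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# classify CLIENT_IPS PRIMARY_IPS BACKUP_IPS -> primary | backup | unknown
# An alias A record answers with its target load balancer's addresses, so the
# client name is "on" whichever cluster shares at least one address with it.
# Pure function, so it can be tested without network access.
classify() {
  client=$1; primary=$2; backup=$3
  for ip in $client; do
    for p in $primary; do
      if [ "$ip" = "$p" ]; then echo primary; return 0; fi
    done
  done
  for ip in $client; do
    for b in $backup; do
      if [ "$ip" = "$b" ]; then echo backup; return 0; fi
    done
  done
  echo unknown
}

# watch_failover: report the current site every 10 seconds. Run it before
# scaling the Primary deployment to zero and watch the answer move from
# "primary" to "backup"; a cached answer keeps showing "primary" until the
# record's TTL expires. Load balancer addresses can change over time, so the
# cluster names are re-resolved on every iteration.
watch_failover() {
  while :; do
    site=$(classify "$(resolve "$CLIENT_DOMAIN")" "$(resolve "$PRIMARY_LB_DNS")" "$(resolve "$BACKUP_LB_DNS")")
    printf '%s %s -> %s\n' "$(date -u +%H:%M:%S)" "$CLIENT_DOMAIN" "$site"
    sleep 10
  done
}

if [ "${1:-}" = "--watch" ]; then
  watch_failover
fi
```

Invoke it as ./watch-failover.sh --watch in one terminal while scaling the Primary deployment down in another; "unknown" means the answer matched neither load balancer, which usually points at a stale cache or a record that was not created as expected.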