Status: Accepted
Date: 2026-01-25
With multi-region and multi-account architecture (HML/PRD), Keycloak needs to have the same configuration (realms, clients, roles) across all regions within the same account, but keep sessions isolated. Additionally, changes in HML should not affect PRD automatically (per ADR-006).
- Single global Keycloak (all regions point to a centralized Keycloak)
- Keycloak Cross-DC Replication (distributed Infinispan)
- Keycloak per region with GitOps sync (config as code)
- GitOps sync cross-account (HML and PRD synchronized)
Adopt Keycloak per region with GitOps sync, separated by account. Each region has its own Keycloak instance, and realm configuration is synchronized via Git only within the same account (cross-region, not cross-account).
- Low latency: Local authentication in the user's region
- Failure isolation: Keycloak in one region does not affect others
- Account isolation: Changes in HML do not affect PRD automatically
- Progressive rollout: Test configurations in HML before promoting to PRD
- GitOps: Versioned, auditable, and consistent configuration
- Simplicity: Avoids complexity of distributed Infinispan cross-region
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│                               Git Repository                                │
│                          platform-keycloak/realms/                          │
├──────────────────────────────────────┬──────────────────────────────────────┤
│ realms/helpdev-hml/                  │ realms/helpdev-prd/                  │
│ (HML Account Config)                 │ (PRD Account Config)                 │
└──────────────────┬───────────────────┴──────────────────┬───────────────────┘
                   │                                      │
                   ▼                                      ▼
┌────────────────────────────┐    ┌───────────────────────────────────────────┐
│ AWS Account: HML           │    │ AWS Account: PRD                          │
│                            │    │                                           │
│   ┌──────────────────┐     │    │   ┌────────────────┐   ┌────────────────┐ │
│   │ Argo CD          │     │    │   │ Argo CD        │   │ Argo CD        │ │
│   │ hml/us-east-1    │     │    │   │ prd/us-east-1  │   │ prd/sa-east-1  │ │
│   └────────┬─────────┘     │    │   └───────┬────────┘   └───────┬────────┘ │
│            │               │    │           │                    │          │
│            ▼               │    │           ▼                    ▼          │
│   ┌──────────────────┐     │    │   ┌────────────────┐   ┌────────────────┐ │
│   │ Keycloak         │     │    │   │ Keycloak       │   │ Keycloak       │ │
│   │ hml/us-east-1    │     │    │   │ prd/us-east-1  │   │ prd/sa-east-1  │ │
│   │ (RDS)            │     │    │   │ (RDS)          │   │ (RDS)          │ │
│   └──────────────────┘     │    │   └────────────────┘   └────────────────┘ │
└────────────────────────────┘    └───────────────────────────────────────────┘
```
| ArgoCD Instance | Source Path | Syncs To |
|---|---|---|
| hml/us-east-1 | realms/helpdev-hml/ | Keycloak hml/us-east-1 |
| prd/us-east-1 | realms/helpdev-prd/ | Keycloak prd/us-east-1 |
| prd/sa-east-1 | realms/helpdev-prd/ | Keycloak prd/sa-east-1 |
Principle: Same folder in Git → same configuration → synchronized between regions of the same account.
Synchronized via Git (same folder, all regions of the same account):
- Realms (realm.json)
- Clients (argocd, grafana, backstage, service clients)
- Roles and permissions
- Identity Providers (GitHub SSO)
- Client scopes

Not synchronized (local to each Keycloak instance and its RDS database):
- User sessions
- Refresh tokens
- User data (if applicable)
- Audit logs
- Realm configurations between HML and PRD (manual promotion via PR, never automatic)
Promotion flow (HML → PRD):
- Developer commits change to realms/helpdev-hml/
- Argo CD syncs to HML cluster
- Testing and validation in HML environment
- PR to copy changes from realms/helpdev-hml/ → realms/helpdev-prd/
- Code review by Platform Team + Security Team
- Merge triggers Argo CD sync to PRD clusters (all regions)
Implementation:
- Keycloak configuration in platform-keycloak/realms/{account}/ (JSON)
- keycloak-config-cli as init container to import config
- Argo CD in each account/region monitors specific repo path
- New client created via Backstage → commit to Git → sync across regions of the same account
- Promotion to PRD requires PR and approval
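The PR review step of the promotion flow and the keycloak-config-cli import are where a bad promotion has to be caught: copying realms/helpdev-hml/ into realms/helpdev-prd/ can drag HML-only settings into PRD, and a realm.json exported from a running Keycloak carries client secrets in plaintext unless they are replaced before commit. The following Python script is an added example written for this ADR, not code from the platform-keycloak repository. It implements a pre-merge check that compares the HML realm with the proposed PRD realm, reports drift outside an allow-list of per-environment fields (redirect URIs, root/base URLs, realm name), and flags any client whose secret is a literal value rather than a keycloak-config-cli `$(env:NAME)` placeholder resolved by the init container at import time. The realm-export layout, the allow-listed fields, the placeholder convention and the sample realm files are assumptions of the example, not requirements stated by the ADR.

```python
"""Pre-merge check for a realm promotion PR (realms/helpdev-hml -> realms/helpdev-prd).

Added example for this ADR; not code from the platform-keycloak repository.
Assumptions (not stated by the ADR): each account folder holds a realm.json in
Keycloak's realm-export format, and client secrets are never committed, only
keycloak-config-cli placeholders of the form $(env:NAME) that the init container
resolves from its environment when it imports the realm.
"""
import copy
import json
import re

# Fields expected to differ between HML and PRD (assumed allow-list). Any other
# difference means PRD would not receive the configuration validated in HML.
ENV_SPECIFIC_REALM_FIELDS = {"realm", "displayName"}
ENV_SPECIFIC_CLIENT_FIELDS = {"rootUrl", "baseUrl", "adminUrl", "redirectUris", "webOrigins"}

# keycloak-config-cli variable placeholder, e.g. $(env:ARGOCD_CLIENT_SECRET)
PLACEHOLDER = re.compile(r"^\$\(env:[A-Za-z0-9_]+\)$")


def find_plaintext_secrets(realm: dict) -> list[str]:
    """clientIds whose 'secret' is a literal value instead of an env placeholder."""
    return [
        c["clientId"]
        for c in realm.get("clients", [])
        if c.get("secret") is not None and not PLACEHOLDER.match(c["secret"])
    ]


def _normalize(realm: dict) -> dict:
    """Drop per-environment fields and index clients by clientId for comparison."""
    r = copy.deepcopy(realm)
    for field in ENV_SPECIFIC_REALM_FIELDS:
        r.pop(field, None)
    r["clients"] = {
        c["clientId"]: {k: v for k, v in c.items() if k not in ENV_SPECIFIC_CLIENT_FIELDS}
        for c in r.get("clients", [])
    }
    return r


def promotion_drift(hml: dict, prd: dict) -> list[str]:
    """Differences between HML and the proposed PRD realm that are not allow-listed."""
    a, b = _normalize(hml), _normalize(prd)
    drift = []
    for cid in sorted(set(a["clients"]) | set(b["clients"])):
        if cid not in b["clients"]:
            drift.append(f"client {cid} missing from PRD (not promoted)")
        elif cid not in a["clients"]:
            drift.append(f"client {cid} exists only in PRD (never tested in HML)")
        else:
            ca, cb = a["clients"][cid], b["clients"][cid]
            for k in sorted(set(ca) | set(cb)):
                if ca.get(k) != cb.get(k):
                    drift.append(f"client {cid}: field {k} differs")
    for k in sorted((set(a) | set(b)) - {"clients"}):
        if a.get(k) != b.get(k):
            drift.append(f"realm field {k} differs")
    return drift


def review_promotion(hml: dict, prd: dict) -> dict:
    """Run both checks; 'ok' is what a required PR status check would gate on."""
    secrets = find_plaintext_secrets(prd)
    drift = promotion_drift(hml, prd)
    return {"plaintext_secrets": secrets, "drift": drift, "ok": not secrets and not drift}


# Constructed sample realm files for the example (not real exports).
HML_REALM = json.loads("""
{"realm": "helpdev", "sslRequired": "external", "clients": [
  {"clientId": "argocd", "publicClient": false, "secret": "$(env:ARGOCD_CLIENT_SECRET)",
   "redirectUris": ["https://argocd.hml.example.internal/auth/callback"],
   "standardFlowEnabled": true, "directAccessGrantsEnabled": false},
  {"clientId": "grafana", "publicClient": false, "secret": "$(env:GRAFANA_CLIENT_SECRET)",
   "redirectUris": ["https://grafana.hml.example.internal/login/generic_oauth"],
   "standardFlowEnabled": true, "directAccessGrantsEnabled": false}]}
""")

# Proposed PRD file with two planted review findings: argocd enables the password
# grant only in PRD, and grafana carries a literal secret pasted from HML.
PRD_PROPOSED = json.loads("""
{"realm": "helpdev", "sslRequired": "external", "clients": [
  {"clientId": "argocd", "publicClient": false, "secret": "$(env:ARGOCD_CLIENT_SECRET)",
   "redirectUris": ["https://argocd.prd.example.internal/auth/callback"],
   "standardFlowEnabled": true, "directAccessGrantsEnabled": true},
  {"clientId": "grafana", "publicClient": false, "secret": "s3cr3t-pasted-from-hml",
   "redirectUris": ["https://grafana.prd.example.internal/login/generic_oauth"],
   "standardFlowEnabled": true, "directAccessGrantsEnabled": false}]}
""")

if __name__ == "__main__":
    print(json.dumps(review_promotion(HML_REALM, PRD_PROPOSED), indent=2))
```

Run as a required status check on promotion PRs, this keeps the "manual promotion via PR" decision enforceable: a copy from realms/helpdev-hml/ that carries HML-only settings or a pasted secret fails review before Argo CD syncs it to any PRD region, and the redirect-URI and URL differences the two accounts legitimately need pass through untouched.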