
Keycloak Configuration Settings

The KX Insights Platform utilizes Keycloak to offer a full range of authentication and authorization services. Full documentation on these topics is available here.

Within the KX Insights Platform, a number of service-level configuration settings are available for the Keycloak service. Configuration that needs to be shared across multiple charts is placed under the global key.

```yaml
global:
  keycloak:
    guiClientSecret: "gui-client-secret"
    operatorClientSecret: "kxi-operator-client-secret"

keycloak:
  auth:
    existingSecret: kxi-keycloak
  postgresql:
    existingSecret: kxi-postgresql
  initUser:
    enabled: false
    name: "demoinsights"
    auth: "Pa$$w0rd!"
  initClient:
    enabled: false
    clientId: "test-publisher"
    clientSecret: "<redacted>"
  resetPasswordAllowed: true
  smtpServer:
    host: smtp.host.net
    from: admin@host.com
    user: apikey
    password: <redacted>
```

global.keycloak

The configuration below is shared between multiple charts. Client secrets allow microservices to authenticate to Keycloak and request access tokens, which in turn grant secure access to other microservices.

| variable | type | example | default |
|---|---|---|---|
| global.keycloak.guiClientSecret | string | gui-client-secret | |
| global.keycloak.operatorClientSecret | string | kxi-operator-client-secret | |

auth.existingSecret

Administrator authentication secret, used by the administrator user account to log in when setting and updating users and permissions within the system. Set at install time.

| variable | type | example | default |
|---|---|---|---|
| auth.existingSecret | string | kxi-keycloak | NA |

postgresql.existingSecret

Backend secret used to allow Keycloak to communicate securely with the backend persistence layer. Also set at install time.

| variable | type | example | default |
|---|---|---|---|
| postgresql.existingSecret | string | kxi-postgresql | NA |

initUser

The initUser configuration allows the system administrator to provide a default user for logging in to the KX Insights Platform UI and API endpoints. On first login the user will have to update their password.

initUser.enabled allows the system administrator to set whether the default user is enabled on install.

| variable | type | example | default |
|---|---|---|---|
| initUser.enabled | bool | true | false |
| initUser.name | string | demoinsights | demoinsights |
| initUser.auth | string | Pa$$w0rd! | Pa$$w0rd! |

initClient

The initClient configuration allows the system administrator to provide a default service account for programmatic access to the KX Insights Platform API.

initClient.enabled allows the system administrator to set whether the default client is enabled on install.

| variable | type | example | default |
|---|---|---|---|
| initClient.enabled | bool | true | false |
| initClient.clientId | string | test-publisher | test-publisher |
| initClient.clientSecret | string | Ajfjksjwe121 | <redacted> |

keycloakConfigCli

The keycloakConfigCli configuration allows you to control how the Keycloak config CLI runs after install or upgrade. These settings are useful if you want to store your Keycloak configuration as code.

If the Keycloak config CLI job is enabled, the realm defined in the secret keycloak-realm, or the realm files held in another secret, can be imported into the Keycloak instance.

| variable | type | example | default |
|---|---|---|---|
| keycloakConfigCli.enabled | bool | true | false |
| keycloakConfigCli.extraVolumeMounts | map | | |
| keycloakConfigCli.extraVolumes | map | | |

The extraVolumeMounts and extraVolumes keys can be used if there is already an existing secret with a realm defined in it.

If you want to automatically import the default realm defined by the KX Insights Platform on upgrade, simply enable the keycloakConfigCli job and the default realm will be imported.

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
```

If you want to maintain a separate realm secret, specify this as:

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
    extraVolumeMounts:
      - name: config
        mountPath: "/config"
        readOnly: true
    extraVolumes:
      - name: config
        secret:
          secretName: my-separate-keycloak-realm # replace this with the name of the secret you want to use
          items:
            - key: "realm.json" # replace this with the key in the secret that contains the realm
              path: "realm.json"
```

If there are multiple files inside the secret and you want them all to be imported, specify this as:

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
    extraVolumeMounts:
      - name: config
        mountPath: "/config"
        readOnly: true
    extraVolumes:
      - name: config
        secret:
          secretName: my-separate-keycloak-realm # replace this with the name of the secret you want to use
```

Other settings for the Keycloak config CLI that may be of use can be found here.

resetPasswordAllowed

When enabled, this allows users to reset a forgotten password via email. SMTP server credentials must be provided via smtpServer so that Keycloak can send the password reset email. With password resets enabled, users see a "Forgot Password?" prompt on their login screen; clicking it takes the user through the Keycloak forgot-password flow. The user must have a configured email address.

| variable | type | example | default |
|---|---|---|---|
| smtpServer.resetPasswordAllowed | string | true | false |

smtpServer

SMTP server credentials used by Keycloak to send the password reset email when resetPasswordAllowed is enabled.

| variable | type | example | default |
|---|---|---|---|
| smtpServer.host | string | smtp.host.net | |
| smtpServer.from | string | admin@host.com | |
| smtpServer.user | string | apikey | |
| smtpServer.password | string | Pa$$w0rd! | |
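The settings above interact: a default user or client left enabled with its documented credential, a password reset flow without an SMTP host, or a realm volume with no matching mount are all easy to miss in a values file. The following pre-install check is an added example, not part of the KX Insights chart or documentation; it assumes the values YAML has already been parsed into a dict (for instance with PyYAML), and the sample values embedded below are constructed to mirror this page.

```python
# Added example, not part of the KX Insights chart: lint a parsed values file
# before install. Assumes the YAML is already loaded into a dict (e.g. PyYAML);
# SAMPLE_VALUES below is constructed by hand to mirror the page's values.yaml.

EXAMPLE_SECRETS = {"gui-client-secret", "kxi-operator-client-secret",  # documented placeholders
                   "<redacted>", "Pa$$w0rd!"}  # must not ship in a real deployment

def check_keycloak_values(values: dict) -> list:
    findings = []
    kc = values.get("keycloak", {})
    gkc = values.get("global", {}).get("keycloak", {})
    # Shared client secrets still set to their documented example values.
    for key in ("guiClientSecret", "operatorClientSecret"):
        if gkc.get(key) in EXAMPLE_SECRETS:
            findings.append(f"global.keycloak.{key} uses the example value")
    # Default user / service account enabled with a documented default credential.
    user, client = kc.get("initUser", {}), kc.get("initClient", {})
    if user.get("enabled") and user.get("auth") in EXAMPLE_SECRETS:
        findings.append("initUser enabled with the default password")
    if client.get("enabled") and client.get("clientSecret") in EXAMPLE_SECRETS:
        findings.append("initClient enabled with a placeholder clientSecret")
    # The forgot-password flow sends email, so it needs an SMTP host.
    if kc.get("resetPasswordAllowed") and not kc.get("smtpServer", {}).get("host"):
        findings.append("resetPasswordAllowed is true but smtpServer.host is unset")
    # Realm import: every extra volume needs a mount, and realm data is read-only.
    cli = kc.get("keycloakConfigCli", {})
    if cli.get("enabled"):
        mounts = {m.get("name"): m for m in cli.get("extraVolumeMounts", [])}
        for vol in cli.get("extraVolumes", []):
            name = vol.get("name")
            if name not in mounts:
                findings.append(f"extraVolume '{name}' has no matching extraVolumeMount")
            elif not mounts[name].get("readOnly"):
                findings.append(f"extraVolumeMount '{name}' should be readOnly")
    return findings

SAMPLE_VALUES = {  # constructed: the page's values with the realm import switched on
    "global": {"keycloak": {"guiClientSecret": "gui-client-secret",
                            "operatorClientSecret": "value-from-vault"}},
    "keycloak": {
        "initUser": {"enabled": True, "name": "demoinsights", "auth": "Pa$$w0rd!"},
        "initClient": {"enabled": False, "clientId": "test-publisher", "clientSecret": "<redacted>"},
        "resetPasswordAllowed": True,
        "smtpServer": {"from": "admin@host.com", "user": "apikey"},
        "keycloakConfigCli": {"enabled": True,
            "extraVolumeMounts": [{"name": "config", "mountPath": "/config"}],
            "extraVolumes": [{"name": "config", "secret": {"secretName": "my-realm"}},
                             {"name": "orphan", "secret": {"secretName": "other"}}]},
    },
}
```

Running `check_keycloak_values(SAMPLE_VALUES)` returns five findings for the constructed sample; an empty list means nothing was flagged.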