Keycloak Configuration Settings
The KX Insights Platform utilizes Keycloak to offer a full range of authentication and authorization services. Full documentation on these topics is available here.
Within the KX Insights Platform, a number of service-level configuration settings are available for the Keycloak service. Configuration that needs to be shared across multiple charts is placed under the global key.
```yaml
global:
  keycloak:
    guiClientSecret: "gui-client-secret"
    operatorClientSecret: "kxi-operator-client-secret"
keycloak:
  auth:
    existingSecret: kxi-keycloak
  postgresql:
    existingSecret: kxi-postgresql
  initUser:
    enabled: false
    name: "demoinsights"
    auth: "Pa$$w0rd!"
  initClient:
    enabled: false
    clientId: "test-publisher"
    clientSecret: "<redacted>"
  resetPasswordAllowed: true
  smtpServer:
    host: smtp.host.net
    from: admin@host.com
    user: apikey
    password: <redacted>
```
global.keycloak
The configuration below is shared between multiple charts. Client secrets are the credentials a microservice presents to Keycloak when requesting an access token; the token then grants it access to other microservices.

| variable | type | example | default |
|---|---|---|---|
| global.keycloak.guiClientSecret | string | gui-client-secret | |
| global.keycloak.operatorClientSecret | string | kxi-operator-client-secret | |
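The token request behind the sentence above, as an added example that is not code from the KX Insights Platform or from Keycloak: a confidential client (here a placeholder client id paired with a secret such as operatorClientSecret) performs an RFC 6749 client_credentials grant against the realm's OpenID Connect token endpoint and reads back the access token and its expiry. The base URL, realm name and client id are assumptions; the token endpoint path `/realms/<realm>/protocol/openid-connect/token` is Keycloak's standard one (older releases prefix it with `/auth`). The sample response is constructed.

```python
"""Client-credentials exchange with the Keycloak token endpoint (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    """OIDC token endpoint of a realm (assumed path; prefix /auth on old Keycloak)."""
    return f"{base_url.rstrip('/')}/realms/{urllib.parse.quote(realm)}/protocol/openid-connect/token"


def build_token_request(base_url, realm, client_id, client_secret, scope=None):
    """Return (url, headers, body) for an RFC 6749 client_credentials grant.

    The client secret travels in an HTTP Basic Authorization header rather
    than in the form body, so proxies that log request bodies never see it.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint(base_url, realm), headers, urllib.parse.urlencode(form).encode()


def parse_token_response(body, now=None):
    """Extract the bearer token and its absolute expiry from Keycloak's JSON reply.

    Raises ValueError on an OAuth error reply (for example invalid_client when
    the secret in the chart values does not match the one in Keycloak).
    """
    payload = json.loads(body)
    if "access_token" not in payload:
        raise ValueError(f"token request failed: {payload.get('error_description', payload)}")
    now = time.time() if now is None else now
    return {
        "access_token": payload["access_token"],
        "token_type": payload.get("token_type", "Bearer"),
        "expires_at": now + int(payload.get("expires_in", 0)),
    }


def fetch_token(base_url, realm, client_id, client_secret):
    """Perform the exchange over the network (not exercised offline)."""
    url, headers, data = build_token_request(base_url, realm, client_id, client_secret)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


# Constructed reply shaped like Keycloak's token response; the token value is
# a placeholder string, not a real JWT.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.placeholder.token",
    "expires_in": 300,
    "token_type": "Bearer",
    "scope": "profile email",
}).encode()

if __name__ == "__main__":
    url, headers, data = build_token_request(
        "https://keycloak.example.invalid", "insights",  # assumed host and realm
        "kxi-operator", "kxi-operator-client-secret")
    print(url, data)
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

A service should refresh the token shortly before `expires_at` rather than on every request, and the secret it reads should come from the Kubernetes Secret the chart renders from `global.keycloak`, not from a value baked into the image.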
auth.existingSecret
Administrator authentication secret. Used by the administrator user account to log in when creating and updating users and permissions within the system. Set at install time.

| variable | type | example | default |
|---|---|---|---|
| auth.existingSecret | string | kxi-keycloak | NA |
postgresql.existingSecret
Backend secret used to allow Keycloak to communicate securely with the backend persistence layer. Also set at install time.

| variable | type | example | default |
|---|---|---|---|
| postgresql.existingSecret | string | kxi-postgresql | NA |
initUser
The initUser configuration allows the system administrator to provide a default user for logging in to the KX Insights Platform UI and API endpoints. On first login the user will have to update their password.

initUser.enabled sets whether the default user is enabled on install.

| variable | type | example | default |
|---|---|---|---|
| initUser.enabled | bool | true | false |
| initUser.name | string | demoinsights | demoinsights |
| initUser.auth | string | Pa$$w0rd! | Pa$$w0rd! |
initClient
The initClient configuration allows the system administrator to provide a default service account for programmatic access to the KX Insights Platform API.

initClient.enabled sets whether the default client is enabled on install.

| variable | type | example | default |
|---|---|---|---|
| initClient.enabled | bool | true | false |
| initClient.clientId | string | test-publisher | test-publisher |
| initClient.clientSecret | string | Ajfjksjwe121 | <redacted> |
keycloakConfigCli
The keycloakConfigCli configuration controls how the Keycloak config CLI runs after install or upgrade. These settings are useful if you want to store your Keycloak configuration as code.

If the Keycloak config CLI job is enabled, the realm defined in the secret keycloak-realm, or in the files held in another secret, is imported into the Keycloak instance.

| variable | type | example | default |
|---|---|---|---|
| keycloakConfigCli.enabled | bool | true | false |
| keycloakConfigCli.extraVolumeMounts | map | | |
| keycloakConfigCli.extraVolumes | map | | |
The extraVolumeMounts and extraVolumes keys can be used if there is already an existing secret with a realm defined in it.

If you want to automatically import the default realm defined by the KX Insights Platform on upgrade, simply enable the keycloakConfigCli job and the default realm will be imported.

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
```
If you want to maintain a separate realm secret, you would specify this as

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
    extraVolumeMounts:
      - name: config
        mountPath: "/config"
        readOnly: true
    extraVolumes:
      - name: config
        secret:
          secretName: my-separate-keycloak-realm # replace this with the name of the secret you want to use
          items:
            - key: "realm.json" # replace this with the key in the secret that contains the realm
              path: "realm.json"
```
If there are multiple files inside the secret and you want them all to be imported, you would specify this as

```yaml
keycloak:
  keycloakConfigCli:
    enabled: true
    extraVolumeMounts:
      - name: config
        mountPath: "/config"
        readOnly: true
    extraVolumes:
      - name: config
        secret:
          secretName: my-separate-keycloak-realm # replace this with the name of the secret you want to use
```
Other settings for the keycloak config CLI that may be of use can be found here
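The two halves of the separate-realm procedure above, as an added example that is not part of the KX Insights documentation or charts: first the Kubernetes Secret that the extraVolumes entry refers to (name my-separate-keycloak-realm, key realm.json, as in the snippets) is built from a realm export, then the keycloakConfigCli values fragment is checked before it is handed to helm, since a mount whose name has no matching volume, or an item key that is not in the secret, only surfaces as a failing job pod after the upgrade. The realm document is a constructed minimal one, not a real Keycloak export; the helper and check names are this example's own.

```python
"""Realm Secret manifest plus a consistency check of keycloakConfigCli values (added example)."""
import base64
import json

# Constructed minimal realm export; a real export from Keycloak has many more fields.
SAMPLE_REALM = {"realm": "insights", "enabled": True, "clients": []}


def realm_secret_manifest(secret_name, files, namespace="default"):
    """Return a kubectl-applyable Secret (JSON form) holding each realm file.

    Values are base64-encoded under .data, matching what
    `kubectl create secret generic --from-file` produces for the same inputs.
    """
    data = {}
    for key, content in files.items():
        raw = content if isinstance(content, bytes) else json.dumps(content, indent=2).encode()
        data[key] = base64.b64encode(raw).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def decode_secret_file(manifest, key):
    """Read one JSON file back out of a Secret manifest (round-trip check)."""
    return json.loads(base64.b64decode(manifest["data"][key]))


def check_config_cli_values(values, secret_keys):
    """Return a list of problems in keycloak.keycloakConfigCli; empty means consistent.

    secret_keys maps secret name -> set of keys it holds, i.e. what you would
    read back with `kubectl get secret <name> -o json` before the upgrade.
    """
    cli = values.get("keycloak", {}).get("keycloakConfigCli", {})
    problems = []
    if not cli.get("enabled", False):
        problems.append("keycloakConfigCli.enabled is false: no realm import will run")
    volumes = {v.get("name"): v for v in cli.get("extraVolumes", [])}
    for mount in cli.get("extraVolumeMounts", []):
        if mount.get("name") not in volumes:
            problems.append(f"volumeMount {mount.get('name')!r} has no matching extraVolumes entry")
        if not mount.get("readOnly", False):
            problems.append(f"volumeMount {mount.get('name')!r} should be readOnly")
    for name, vol in volumes.items():
        secret = vol.get("secret")
        if not secret:
            problems.append(f"volume {name!r} is not backed by a secret")
            continue
        available = secret_keys.get(secret.get("secretName"))
        if available is None:
            problems.append(f"secret {secret.get('secretName')!r} does not exist")
            continue
        # With no items list every key in the secret is projected, so only
        # explicit items can reference a key that is missing.
        for item in secret.get("items", []):
            if item.get("key") not in available:
                problems.append(f"key {item.get('key')!r} not found in secret {secret['secretName']!r}")
    return problems


# The page's separate-realm values snippet, as a Python dict.
VALUES = {
    "keycloak": {
        "keycloakConfigCli": {
            "enabled": True,
            "extraVolumeMounts": [{"name": "config", "mountPath": "/config", "readOnly": True}],
            "extraVolumes": [{
                "name": "config",
                "secret": {"secretName": "my-separate-keycloak-realm",
                           "items": [{"key": "realm.json", "path": "realm.json"}]},
            }],
        }
    }
}

if __name__ == "__main__":
    manifest = realm_secret_manifest("my-separate-keycloak-realm", {"realm.json": SAMPLE_REALM})
    print(json.dumps(manifest, indent=2))  # pipe this into: kubectl apply -f -
    keys = {manifest["metadata"]["name"]: set(manifest["data"])}
    print(check_config_cli_values(VALUES, keys) or "values are consistent")
```

Apply the printed manifest to the namespace the chart is installed in, then run the check against the values file you are about to pass to helm upgrade; an empty list means every mount, volume and secret key lines up.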
resetPasswordAllowed
When enabled, this allows users to reset a forgotten password via email. SMTP server credentials must be provided via smtpServer so that Keycloak can send the reset email. With password resets enabled, users see a "Forgot Password?" prompt on their login screen; clicking it takes the user through the Keycloak forgot-password flow. The user must have a configured email address.

| variable | type | example | default |
|---|---|---|---|
| smtpServer.resetPasswordAllowed | string | true | false |
smtpServer
SMTP server credentials used by Keycloak to send the password reset email when resetPasswordAllowed is enabled.

| variable | type | example | default |
|---|---|---|---|
| smtpServer.host | string | smtp.host.net | |
| smtpServer.from | string | admin@host.com | |
| smtpServer.user | string | apikey | |
| smtpServer.password | string | Pa$$w0rd! | |