Skip to content

Entitlement prerequisites

Entitlements are managed using the kdb Insights Enterprise CLI using the entitlement command.

Before managing entitlements, you must complete the following prerequisites:

Enabling entitlements

Entitlements are disabled by default, allowing all users to view and interact with all packages, and query all deployed databases, in a kdb Insights Enterprise instance. Users with deployment access to the cluster can enable entitlements as follows:

  1. Update your deployment values:

    The panels below display values for the standard and shared Keycloak deployments.

    Merging install values

    The values below are a partial extract of your deployment values. These must be merged with your existing values file.

    For more information, refer to Applying configuration changes.

    A standard deployment deploys Keycloak as part of the application. If you're using this configuration, you should ensure your values file includes the details shown below.

    The names kxi-keycloak and kxi-postgresql are the default values, update these as appropriate.

    global:
      entitlements:
        enabled: true
      keycloak:
        auth:
          existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
      ..
    
    keycloak:
      auth:
        existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
    ..
    

    Keycloak values

    Please note there are two sets of keycloak and postgres objects; global.keycloak, global.postgresql, keycloak, keycloak.postgresql.

    Both sets of these are required as shown above.

    If deploying using the shared Keycloak mode, configure the values file as below. The main difference with the standard deploy is the kxi-ent-srv.externalDatabase.host value. Point this at the Kubernetes service for the Postgresql database deployed with the shared Keycloak instance.

    The KEYCLOAK_RELEASE_NAME and KEYCLOAK_NAMESPACE variables should be updated to match those of your Keycloak deployment. The shared Keycloak docs explain each of these values.

    global:
      entitlements:
        enabled: true
      keycloak:
        authURL: http://${KEYCLOAK_RELEASE_NAME}.${KEYCLOAK_NAMESPACE}.svc.cluster.local/auth/
        auth:
          existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
      ..
    kxi-ent-srv:
      enabled: true
      externalDatabase:
        host: ${KEYCLOAK_RELEASE_NAME}-postgresql.${KEYCLOAK_NAMESPACE}.svc.cluster.local
    
  2. Run the upgrade command with $INSIGHTS_VERSION set to your target application version.

    kxi install upgrade --filepath values.yaml --version $INSIGHTS_VERSION
    

Adding users to groups

Entitlements aren't directed to individual users

Entitlements are configured at the group level, not per user. Therefore, before defining any entitlements you must use the Keycloak administration console at https://${INSIGHTS_HOSTNAME}/auth to:

  1. Create the necessary groups.

  2. Add users and service accounts to those groups.

Next steps

Provide entitlements to user groups using the following guides: