Entitlement Prerequisites
This page describes what you need to have in place before setting up entitlements.
Entitlements are managed through the kdb Insights Enterprise CLI using the entitlement command.
Before managing entitlements, ensure the following are in place:
- The latest kdb Insights Enterprise CLI is installed
- You have a running instance of kdb Insights Enterprise
- You can authenticate using a service or user account with the insights.entitlements.admin role
- Entitlements are enabled
- Users are added to groups using Keycloak
Note
We also recommend turning on Encryption in transit for additional security.
Enable entitlements
Entitlements are disabled by default, allowing all users to view and interact with all packages, and query all deployed databases, in a kdb Insights Enterprise instance.
Users with deployment access to the cluster can enable entitlements as follows:
- Update your deployment values. The values for the standard and shared Keycloak deployments are shown below.
Merging install values
The values below are a partial extract of your deployment values. These must be merged with your existing values file.
For more information, refer to Applying configuration changes.
A standard deployment deploys Keycloak as part of the application. If you're using this configuration, you should ensure your values file includes the details shown below.
The names kxi-keycloak and kxi-postgresql are the default values; update these as appropriate.

    global:
      entitlements:
        enabled: true
      keycloak:
        auth:
          existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
    ..
    keycloak:
      auth:
        existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
    ..

Keycloak values
Please note there are two sets of keycloak and postgres objects: global.keycloak, global.postgresql, keycloak, keycloak.postgresql. Both sets of these are required as shown above.
If deploying using the shared Keycloak mode, configure the values file as below. Ensure the kxi-ent-srv.externalDatabase.host value points to the Kubernetes service for the PostgreSQL database deployed with the shared Keycloak instance.
The KEYCLOAK_RELEASE_NAME and KEYCLOAK_NAMESPACE variables should be updated to match those of your Keycloak deployment. The shared Keycloak docs explain each of these values.

    global:
      entitlements:
        enabled: true
      keycloak:
        authURL: http://${KEYCLOAK_RELEASE_NAME}.${KEYCLOAK_NAMESPACE}.svc.cluster.local/auth/
        auth:
          existingSecret: kxi-keycloak
      postgresql:
        auth:
          existingSecret: kxi-postgresql
    ..
    kxi-ent-srv:
      enabled: true
      externalDatabase:
        host: ${KEYCLOAK_RELEASE_NAME}-postgresql.${KEYCLOAK_NAMESPACE}.svc.cluster.local

- Run the upgrade command with $INSIGHTS_VERSION set to your target application version.

    kxi install upgrade --filepath values.yaml --version $INSIGHTS_VERSION

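A pre-flight check you can run on the merged values before the upgrade, to catch a half-merged extract (for example only one of the two keycloak/postgresql sets). This is an added example, not part of the kdb Insights Enterprise documentation or CLI; the function names and the sample are constructed, and it takes the values already parsed into a dict (for example with PyYAML's yaml.safe_load).

```python
# Added example: checks merged values (as a dict) against the extracts above.
_MISSING = object()

COMMON = [
    "global.entitlements.enabled",
    "global.keycloak.auth.existingSecret",
    "global.postgresql.auth.existingSecret",
]
PER_MODE = {
    "standard": ["keycloak.auth.existingSecret",
                 "keycloak.postgresql.auth.existingSecret"],
    "shared": ["global.keycloak.authURL", "kxi-ent-srv.enabled",
               "kxi-ent-srv.externalDatabase.host"],
}

def lookup(values, dotted):
    """Walk a dotted path through nested dicts; _MISSING if any key is absent."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def check_values(values, mode):
    """Return a list of problems; an empty list means the extract is complete."""
    problems = []
    for path in COMMON + PER_MODE[mode]:
        value = lookup(values, path)
        if value is _MISSING or value is None or value == "":
            problems.append(f"missing: {path}")
        elif path.endswith(".enabled") and value is not True:
            problems.append(f"not true: {path} = {value!r}")
        elif isinstance(value, str) and "${" in value:
            # Assumption: ${...} variables are substituted before the file is used.
            problems.append(f"unsubstituted variable: {path}")
    return problems

# Constructed sample: standard mode with only the global.* set merged in.
SAMPLE = {
    "global": {
        "entitlements": {"enabled": True},
        "keycloak": {"auth": {"existingSecret": "kxi-keycloak"}},
        "postgresql": {"auth": {"existingSecret": "kxi-postgresql"}},
    },
}

if __name__ == "__main__":
    print(check_values(SAMPLE, "standard"))
```
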
Add users to groups
Entitlements aren't directed to individual users
Entitlements are configured at the group level, not per user. Therefore, before defining any entitlements you must:
- Create the necessary groups.
- Add users and service accounts to those groups.
Next steps
Provide entitlements to user groups using the following guides:
- Quickstart guide
- Configuration details