Skip to content

Shared Keycloak Instance

By default, the KX Insights Platform deploys an instance of Keycloak as its identity and access management platform.

In certain circumstances it is desirable to use an existing instance of Keycloak instead of deploying a new instance, for example, you might be deploying multiple instances of Insights and want to save resources by using a shared Keycloak instance.

Variables

Certain variables are referenced throughout this document.

name description
CHART_REPO Name of the Helm repository where KX Insights charts are stored
KEYCLOAK_NAMESPACE Name of the namespace where the shared Keycloak instance will be installed
KEYCLOAK_RELEASE_NAME Release name for the Keycloak install
KEYCLOAK_VERSION Version of Keycloak you want to install
INSIGHTS_RELEASE_NAME Release name for the Insights install
INSIGHTS_VERSION Version of Insights you want to install

These should be replaced with the appropriate value when referenced.

You can find the appropriate versions by referring to the Artifacts section of the release notes

Deploy a standalone Keycloak instance

Follow these steps to deploy a standalone Keycloak instance:

  1. Create a namespace called $KEYCLOAK_NAMESPACE and set it to be your current context.

  2. Create kxi-keycloak and kxi-postgresql secrets as described here.

  3. Deploy the keycloak-server chart.

    helm install --set \
keycloak.auth.existingSecret=kxi-keycloak,\
keycloak.postgresql.auth.existingSecret=kxi-postgresql \
$KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION

Upgrade a standalone Keycloak instance

If there are no breaking changes between the installed version and the version you are upgrading to, you can follow these steps to upgrade your Keycloak instance.

If there are breaking changes, please refer to the release notes for further guidance instead of following these steps.

  1. Ensure your current context is set to be the $KEYCLOAK_NAMESPACE

  2. Upgrade the keycloak-server chart using helm upgrade

    helm upgrade --set \
keycloak.auth.existingSecret=kxi-keycloak,\
keycloak.postgresql.auth.existingSecret=kxi-postgresql \
$KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION

Deploy Insights

Passwords must match between Insights and Keycloak deployments

To successfully authenticate with the shared Keycloak instance, the Keycloak and PostgreSQL passwords defined in this stage must exactly match those defined in the kxi-keycloak and kxi-postgresql secrets in the Keycloak deployment.

  1. Switch to the namespace you want to install Insights in.

  2. Run the following to create the necessary secrets and a default values file for the KX Insights Platform using a shared Keycloak instance:

    kxi install setup --keycloak-auth-url http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/

  3. Install Insights.

    helm install -f values.yaml $INSIGHTS_RELEASE_NAME $CHART_REPO/insights --version $INSIGHTS_VERSION

Helm values

If you are running helm install with an existing values file, you can set these values to allow Insights to use a shared Keycloak instance:

global:
 keycloak:
    authURL: http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/

keycloak:
  enabled: false

keycloak-config-cli:
  enabled: true

If you are running helm upgrade, you also need to set the helm.sh/hook annotation to ensure that the keycloak-config-cli job runs post upgrade as follows:

keycloak-config-cli:
  enabled: true
  annotations:
    "helm.sh/hook": "post-install,post-upgrade"