Shared Keycloak Instance
By default, the KX Insights Platform deploys an instance of Keycloak as its identity and access management platform.
In certain circumstances it is desirable to use an existing instance of Keycloak instead of deploying a new one. For example, you might be deploying multiple instances of Insights and want to save resources by using a shared Keycloak instance.
Certain variables are referenced throughout this document.
|$CHART_REPO|Name of the Helm repository where KX Insights charts are stored|
|$KEYCLOAK_NAMESPACE|Name of the namespace where the shared Keycloak instance will be installed|
|$KEYCLOAK_RELEASE_NAME|Release name for the Keycloak install|
|$KEYCLOAK_VERSION|Version of Keycloak you want to install|
|$INSIGHTS_RELEASE_NAME|Release name for the Insights install|
|$INSIGHTS_VERSION|Version of Insights you want to install|
These should be replaced with the appropriate value when referenced.
You can find the appropriate versions by referring to the Artifacts section of the release notes.
Deploy a standalone Keycloak instance
Follow these steps to deploy a standalone Keycloak instance:
Create a namespace called $KEYCLOAK_NAMESPACE and set it to be your current context.
Create the kxi-keycloak and kxi-postgresql secrets as described here.
Deploy the keycloak-server chart.
helm install \
  --set keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \
  $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
Upgrade a standalone Keycloak instance
If there are no breaking changes between the installed version and the version you are upgrading to, you can follow these steps to upgrade your Keycloak instance.
If there are breaking changes, please refer to the release notes for further guidance instead of following these steps.
Ensure your current context is set to be the $KEYCLOAK_NAMESPACE namespace.
Upgrade the keycloak-server chart using helm upgrade:
helm upgrade \
  --set keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \
  $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
Passwords must match between Insights and Keycloak deployments
To successfully authenticate with the shared Keycloak instance, the Keycloak and PostgreSQL passwords defined in this stage must exactly match those defined in the kxi-keycloak and kxi-postgresql secrets in the Keycloak deployment.
Switch to the namespace you want to install Insights in.
Run the following to create the necessary secrets and a default values file for the KX Insights Platform using a shared Keycloak instance:
kxi install setup --keycloak-auth-url http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/
helm install -f values.yaml $INSIGHTS_RELEASE_NAME $CHART_REPO/insights --version $INSIGHTS_VERSION
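To confirm the password requirement above once kxi install setup has created the secrets (ideally before running helm install), the following script compares kxi-keycloak and kxi-postgresql across the two namespaces and reports only the names of keys that differ. It is an added example, not part of the KX documentation. It assumes kubectl access to both namespaces and that the Insights namespace holds secrets with the same two names; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the KX documentation. Assumes kubectl access to both
# namespaces and secrets named kxi-keycloak and kxi-postgresql in each of them.

# Emit one "key base64value" line per data key of a secret, sorted by key.
secret_data() {  # usage: secret_data NAMESPACE SECRET
  kubectl get secret "$2" -n "$1" \
    -o go-template='{{range $k, $v := .data}}{{$k}} {{$v}}{{"\n"}}{{end}}'
}

# Print the keys whose values differ or that exist in only one namespace.
# Identical "key value" lines occur twice and are dropped by uniq -u, so only
# key names ever reach the output, never the secret values.
mismatched_keys() {  # usage: mismatched_keys KEYCLOAK_NS INSIGHTS_NS SECRET
  kc_data=$(secret_data "$1" "$3") || return 2
  kx_data=$(secret_data "$2" "$3") || return 2
  printf '%s\n%s\n' "$kc_data" "$kx_data" |
    sort | uniq -u | cut -d' ' -f1 | sort -u | sed '/^$/d'
  unset kc_data kx_data
}

# Check both secrets; returns 0 only if every key matches in both namespaces.
check_shared_keycloak_secrets() {  # usage: ... KEYCLOAK_NS INSIGHTS_NS
  status=0
  for secret in kxi-keycloak kxi-postgresql; do
    if ! keys=$(mismatched_keys "$1" "$2" "$secret"); then
      echo "$secret: cannot be read in namespace $1 or $2" >&2
      status=1
    elif [ -n "$keys" ]; then
      echo "$secret: values differ for key(s):" $keys >&2
      status=1
    fi
  done
  return "$status"
}

# Usage: sh check-secrets.sh "$KEYCLOAK_NAMESPACE" INSIGHTS_NAMESPACE
if [ "$#" -eq 2 ]; then
  check_shared_keycloak_secrets "$1" "$2"
fi
```

A non-zero exit status means at least one secret is missing or differs, and the key names printed on stderr show which values to align before installing.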
If you are running helm install with an existing values file, you can set these values to allow Insights to use a shared Keycloak instance:
global:
  keycloak:
    authURL: http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/
keycloak:
  enabled: false
keycloak-config-cli:
  enabled: true
If you are running helm upgrade, you also need to set the helm.sh/hook annotation to ensure that the keycloak-config-cli job runs post upgrade as follows:
keycloak-config-cli:
  enabled: true
  annotations:
    "helm.sh/hook": "post-install,post-upgrade"