
Shared Keycloak Instance

By default, kdb Insights Enterprise deploys an instance of Keycloak as its identity and access management platform.

In certain circumstances it is desirable to use an existing instance of Keycloak instead of deploying a new one. For example, you might be deploying multiple instances of kdb Insights Enterprise and want to save resources by using a shared Keycloak instance.


Certain variables are referenced throughout this document.

| name | description |
| --- | --- |
| CHART_REPO | Name of the Helm repository where kdb Insights Enterprise charts are stored |
| KEYCLOAK_NAMESPACE | Name of the namespace where the shared Keycloak instance will be installed |
| KEYCLOAK_RELEASE_NAME | Release name for the Keycloak install |
| KEYCLOAK_VERSION | Version of Keycloak you want to install |
| INSIGHTS_RELEASE_NAME | Release name for kdb Insights Enterprise install |
| INSIGHTS_VERSION | Version of kdb Insights Enterprise you want to install |

These should be replaced with the appropriate value when referenced.

You can find the appropriate versions by referring to the Artifacts section of the release notes.

Deploy a standalone Keycloak instance

Follow these steps to deploy a standalone Keycloak instance:

  1. Create a namespace called $KEYCLOAK_NAMESPACE and set it to be your current context.

  2. Create kxi-keycloak and kxi-postgresql secrets as described here.

  3. Deploy the keycloak-server chart.

    helm install --set \
    keycloak.postgresql.auth.existingSecret=kxi-postgresql \

Upgrade a standalone Keycloak instance

If there are no breaking changes between the installed version and the version you are upgrading to, you can follow these steps to upgrade your Keycloak instance.

If there are breaking changes, please refer to the release notes for further guidance instead of following these steps.

  1. Ensure your current context is set to the $KEYCLOAK_NAMESPACE namespace.

  2. Upgrade the keycloak-server chart using helm upgrade.

    helm upgrade --set \
    keycloak.postgresql.auth.existingSecret=kxi-postgresql \

Deploy kdb Insights Enterprise

Passwords must match between kdb Insights Enterprise and Keycloak deployments

To successfully authenticate with the shared Keycloak instance, the Keycloak and PostgreSQL passwords defined in this stage must exactly match those defined in the kxi-keycloak and kxi-postgresql secrets in the Keycloak deployment.

  1. Switch to the namespace you want to install kdb Insights Enterprise in.

  2. Run the following to create the necessary secrets and a default values file for kdb Insights Enterprise using a shared Keycloak instance:

    kxi install setup --keycloak-auth-url http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/

  3. Install kdb Insights Enterprise.

    helm install -f values.yaml $INSIGHTS_RELEASE_NAME $CHART_REPO/insights --version $INSIGHTS_VERSION
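
One way to check the password-match requirement after step 2 and before installing, as an added example that is not part of the kdb Insights Enterprise documentation: it compares SHA-256 digests of the kxi-keycloak and kxi-postgresql secrets in the two namespaces without printing any secret value. It assumes the secrets created by kxi install setup use the same names and keys in the kdb Insights Enterprise namespace and that sha256sum is available; INSIGHTS_NAMESPACE and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the shared secrets match across two namespaces
# without printing any secret value.

# Fetch the .data map of a secret. Isolated in one function so it can be
# replaced when testing; assumes kubectl is configured for the cluster.
fetch_secret_data() {  # $1 = namespace, $2 = secret name
    kubectl get secret "$2" -n "$1" -o jsonpath='{.data}'
}

# Print a SHA-256 digest of the secret's data. Fails if the secret is missing
# or empty, so two absent secrets are never reported as matching.
secret_digest() {  # $1 = namespace, $2 = secret name
    data=$(fetch_secret_data "$1" "$2" 2>/dev/null) || return 2
    [ -n "$data" ] || return 2
    printf '%s' "$data" | sha256sum | cut -d' ' -f1
}

# Compare kxi-keycloak and kxi-postgresql between the two namespaces.
# Returns 0 only if both secrets exist on both sides and are identical.
check_shared_secrets() {  # $1 = Keycloak namespace, $2 = Insights namespace
    rc=0
    for name in kxi-keycloak kxi-postgresql; do
        if ! kc=$(secret_digest "$1" "$name"); then
            echo "MISSING  $name in namespace $1"; rc=1; continue
        fi
        if ! ins=$(secret_digest "$2" "$name"); then
            echo "MISSING  $name in namespace $2"; rc=1; continue
        fi
        if [ "$kc" = "$ins" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return "$rc"
}

# Run only when both namespaces are given (INSIGHTS_NAMESPACE is a
# hypothetical variable, not one of the variables defined on this page):
#   sh check-secrets.sh "$KEYCLOAK_NAMESPACE" "$INSIGHTS_NAMESPACE"
if [ "$#" -eq 2 ]; then
    check_shared_secrets "$1" "$2"
fi
```

A non-zero exit status means at least one secret is missing or differs, so the script can gate the helm install step in a pipeline.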

Helm values

If you are running helm install with an existing values file, you can set these values to allow kdb Insights Enterprise to use a shared Keycloak instance:

    authURL: http://$KEYCLOAK_RELEASE_NAME.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/

  enabled: false

  enabled: true

If you are running helm upgrade, you also need to set the annotation so that the keycloak-config-cli job runs after the upgrade, as follows:

  enabled: true
    "": "post-install,post-upgrade"