Skip to content

This section deals with kdb Insights Enterprise security configuration.

Authentication and authorization

The kdb Insights Enterprise utilizes Keycloak to offer a full range of authentication and authorization services. Full documentation on these topics is available here.

There are a number of available configurations within the Keycloak service. Below is an install values file extract with some sample settings. The following sections will go explain these settings.

global:
  keycloak:
    guiClientSecret: "gui-client-secret"
    operatorClientSecret: "kxi-operator-client-secret"

keycloak:
  auth:
    existingSecret: kxi-keycloak
  postgresql:
    auth:
        existingSecret: kxi-postgresql
  importUsers: false
  initUser:
    enabled: false
    name: "demoinsights"
    auth: "<redacted>"
  initClient:
    enabled: false
    clientId: "test-publisher"
    clientSecret: "<redacted>"
  resetPasswordAllowed: true
  smtpServer:
    host: smtp.host.net
    from: admin@host.com
    user: apikey
    password: <redacted>
  passwordPolicy:
    enabled: true
    policy:
      passwordHistory: 24
      length: 14
      upperCase: 1
      lowerCase: 1
      specialChars: 1
      digits: 1
      forceExpiredPasswordChange: 90
    text: |
        <p>Password policy:</p>
        <ul>
            <li>At least one uppercase letter</li>
            <li>At least one lowercase letter</li>
            <li>At least one symbol</li>
            <li>At least one number</li>
            <li>Minimum length of 14 or greater</li>
            <li>Not one of the previous 24 passwords</li>
        </ul>

Internal clients

The global.keycloak values relate to internal clients created by the install process. These clients allow components to communicate with the Keycloak service for authentication. The values can be set explicitly as part of the install or will be randomly generated by the CLI installer.

variable type example default
global.keycloak.guiClientSecret string <redacted> ""
global.keycloak.operatorClientSecret string <redacted> ""

Warning

When you install the application for the first time, these will be persisted in your values file and your CLI config file. These should be re-used across subsequent upgrades.

Keycloak credentials

The values in the table below are set by the CLI at install/setup time. It creates Kubernetes secrets containing Keycloak credentials and these values are the secret names.

variable type value default
keycloak.auth.existingSecret string kxi-keycloak ""
keycloak.postgresql.auth.existingSecret string kxi-postgresql ""

Import users

importUsers allows the system administrator to set whether the initUser is imported on install.

variable type example default
importUsers bool True False

kdb Insights CLI

When installing or upgrading using the CLI, if the import-users argument is not set it is defaulted to True for install and False for upgrade. To override this default behaviour, please use the --import-users=[True|False] CLI command-line option.

The --import-users argument can be used to disable the user import on install:

kxi install run --filepath values.yaml --version ${INSIGHTS_VERSION} --import-users False

You can similarly enable the user import on upgrade as below:

kxi install upgrade --filepath values.yaml --version ${INSIGHTS_VERSION} --import-users True

Initial user

The keycloak.initUser is used to create a default user in the application as part of the installation. On first login the user will have to update their password.

Set keycloak.initUser.enabled to true to enable the user.

variable type example default
keycloak.initUser.enabled bool true false
keycloak.initUser.name string demoinsights demoinsights
keycloak.initUser.auth string Sup3RS3cretPa$$ <redacted>

Initial client

The keycloak.initClient is used to create a default service account in the application as part of the installation. This enables programmatic access to the kdb Insights Enterprise API.

Set keycloak.initClient.enabled to true to enable the service account.

variable type example default
initClient.enabled bool true false
initClient.clientId string test-publisher test-publisher
initClient.clientSecret string Ajfjksjwe121 <redacted>

Reset password service

When enabled, this allows your users to reset their forgotten password via email. You will need to configure SMTP server credentials. With this functionality enabled, users will have a Forgot Password? prompt appear on their login screen. Clicking this will take the user through the Keycloak forgot password flow.

Local users

This only applies to users managed within Keycloak and not those from an upstream identity provider. See the authentication docs for more information on user types.

variable type example default
keycloak.resetPasswordAllowed string true false
keycloak.smtpServer.host string smtp.host.net
keycloak.smtpServer.from string admin@host.com
keycloak.smtpServer.user string apikey
keycloak.smtpServer.password string Pa$$w0rd!

Password policy

This defines the password policy that is enforced in the system. A default password policy is enabled but allows you to modify as you require.

For example if you are running in a development environment, you might want to disable the password policy completely. On the other hand, if you are running in a production environment, you might want to enforce a stricter policy.

variable type description default
keycloak.passwordPolicy.enabled bool Whether a password policy is enabled true
keycloak.passwordPolicy.policy.passwordHistory number Password history 24
keycloak.passwordPolicy.policy.length number Minimum password length 14
keycloak.passwordPolicy.policy.upperCase number Minimum number of upper case characters 1
keycloak.passwordPolicy.policy.lowerCase number Minimum number of lower case characters 1
keycloak.passwordPolicy.policy.specialChars number Minimum number of special characters 1
keycloak.passwordPolicy.policy.digits number Minimum number of digits 1
keycloak.passwordPolicy.policy.forceExpiredPasswordChange number Time until password expiry in days 90
keycloak.passwordPolicy.text string HTML text to display the policy on the password update page See policy text config

The password policy text is shown on the Update password screen

Password policy text

Post deployment, the password policy settings can be adjusted by following the Keycloak password policy documentation.

Password policies

The password policy text can be adjusted post deployment by following the steps in the advanced docs. This does not automatically update if the settings are changed in Keycloak, so you must ensure it is kept in sync if the settings are changed.

Shared Keycloak Instances

When using a shared Keycloak instance, the password policy text displayed on the Update password screen is shared across all realms.

This means you should ensure that all realms have the same password policy settings in order for the password policy text to accurately reflect the policy.

If this is not ensured, it can lead to situations where the text on the screen does not accurately reflect the policy being enforced.

Default password policy text

<p>Password policy:</p>
<ul>
    <li>At least one uppercase letter</li>
    <li>At least one lowercase letter</li>
    <li>At least one symbol</li>
    <li>At least one number</li>
    <li>Minimum length of 14 or greater</li>
   <li>Not one of the previous 24 passwords</li>
</ul>

TLS certificate renewals

The kdb Insights Enterprise SDKs use TLS certificates for securing publish and query traffic. These certificates are automatically provisioned and renewed by the application (via cert-manager). The configuration values below determine the duration of the certs and how long before expiry they renew.

client-controller:
  env:
    KXI_CERT_RENEW_BEFORE: "15m"
    KXI_CERT_DURATION: "1h"
Variable Type Example Default
env.KXI_CERT_RENEW_BEFORE string 15m 15d
env.KXI_CERT_DURATION string 1h 90d

Renewal settings

The example values in the table above will create certs valid for 1 hour and renewed 15 minutes before they expire.

These values are specified in Go time.duration format.