Shared Keycloak instance
By default, the kdb Insights Enterprise deploys an instance of Keycloak as its identity and access management platform.
In certain circumstances it is desirable to use an existing instance of Keycloak instead of deploying a new instance. For example, you might be deploying multiple instances of the application and want to save resources by using a shared Keycloak instance.
Variables
Certain variables are referenced throughout this document.
name | description |
---|---|
CHART_REPO |
Name of the Helm repository where kdb Insights Enterprise charts are stored |
KEYCLOAK_NAMESPACE |
Name of the namespace where the shared Keycloak instance will be installed |
KEYCLOAK_RELEASE_NAME |
Release name for the Keycloak install |
KEYCLOAK_VERSION |
Version of Keycloak you want to install |
INSIGHTS_RELEASE_NAME |
Release name for the Insights install |
INSIGHTS_VERSION |
Version of Insights you want to install |
These should be replaced with the appropriate value when referenced.
You can find the appropriate versions by referring to the Artifacts section of the release notes
Deploy a standalone Keycloak instance
Follow these steps to deploy a standalone Keycloak instance:
-
Create a namespace called
$KEYCLOAK_NAMESPACE
and set it to be your current context. -
Create
kxi-keycloak
andkxi-postgresql
secrets.Passwords
<PASSWORD>
in the secret generation commands below should be replaced with a password of your choosing.It is not necessary that you use the same password for each one, you can have a unique password for each if desired.
This creates two secrets calledkubectl create secret generic kxi-keycloak \ --from-literal=admin-password=<PASSWORD> \ --from-literal=management-password=<PASSWORD> kubectl create secret generic kxi-postgresql \ --from-literal=postgres-password=<PASSWORD> \ --from-literal=password=<PASSWORD>
kxi-keycloak
andkxi-postgresql
. -
Deploy the keycloak-server chart.
helm install --set \ keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \ $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
Upgrade a standalone Keycloak instance
If there are no breaking changes between the installed version and the version you are upgrading to, follow these steps to upgrade your Keycloak instance.
If there are breaking changes, refer to the release notes for further guidance instead of following these steps.
-
Ensure your current context is set to be the
$KEYCLOAK_NAMESPACE
-
Upgrade the keycloak-server chart using
helm upgrade
helm upgrade --set \ keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \ $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
Deploy Insights
Passwords must match between Insights and Keycloak deployments
To successfully authenticate with the shared Keycloak instance, the Keycloak and PostgreSQL passwords defined in this stage must exactly match those defined in the kxi-keycloak
and kxi-postgresql
secrets in the Keycloak deployment.
-
Switch to the namespace where you want to install Insights.
-
Run the following to create the necessary secrets and a default values file for the kdb Insights Enterprise using a shared Keycloak instance:
kxi install setup --keycloak-auth-url http://$KEYCLOAK_RELEASE_NAME-keycloak.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/
-
Install Insights.
kxi install run --filepath values.yaml --version $INSIGHTS_VERSION $CHART_REPO/insights
Helm values
If you are running helm install
with an existing values file, set these values to allow Insights to use a shared Keycloak instance:
global:
keycloak:
authURL: http://$KEYCLOAK_RELEASE_NAME-keycloak.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/
keycloak:
enabled: false
keycloak-config-cli:
enabled: true
If you are running helm upgrade
, you also need to set the helm.sh/hook
annotation to ensure that the keycloak-config-cli
job runs post upgrade as follows:
keycloak-config-cli:
enabled: true
annotations:
"helm.sh/hook": "post-install,post-upgrade"