Skip to content

Shared Keycloak instance

By default, the kdb Insights Enterprise deploys an instance of Keycloak as its identity and access management platform.

In certain circumstances it is desirable to use an existing instance of Keycloak instead of deploying a new instance. For example, you might be deploying multiple instances of the application and want to save resources by using a shared Keycloak instance.

Variables

Certain variables are referenced throughout this document.

name description
CHART_REPO Name of the Helm repository where kdb Insights Enterprise charts are stored
KEYCLOAK_NAMESPACE Name of the namespace where the shared Keycloak instance will be installed
KEYCLOAK_RELEASE_NAME Release name for the Keycloak install
KEYCLOAK_VERSION Version of Keycloak you want to install
INSIGHTS_RELEASE_NAME Release name for the Insights install
INSIGHTS_VERSION Version of Insights you want to install

These should be replaced with the appropriate value when referenced.

You can find the appropriate versions by referring to the Artifacts section of the release notes

Deploy a standalone Keycloak instance

Follow these steps to deploy a standalone Keycloak instance:

  1. Create a namespace called $KEYCLOAK_NAMESPACE and set it to be your current context.

  2. Create kxi-keycloak and kxi-postgresql secrets.

    Passwords

    <PASSWORD> in the secret generation commands below should be replaced with a password of your choosing.

    It is not necessary that you use the same password for each one, you can have a unique password for each if desired.

    kubectl create secret generic kxi-keycloak \
      --from-literal=admin-password=<PASSWORD> \
      --from-literal=management-password=<PASSWORD>
    kubectl create secret generic kxi-postgresql \
      --from-literal=postgres-password=<PASSWORD> \
      --from-literal=password=<PASSWORD>
    
    This creates two secrets called kxi-keycloak and kxi-postgresql.

  3. Deploy the keycloak-server chart.

    helm install --set \
      keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \
      $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
    

Upgrade a standalone Keycloak instance

If there are no breaking changes between the installed version and the version you are upgrading to, follow these steps to upgrade your Keycloak instance.

If there are breaking changes, refer to the release notes for further guidance instead of following these steps.

  1. Ensure your current context is set to be the $KEYCLOAK_NAMESPACE

  2. Upgrade the keycloak-server chart using helm upgrade

    helm upgrade --set \
      keycloak.auth.existingSecret=kxi-keycloak,keycloak.postgresql.auth.existingSecret=kxi-postgresql \
      $KEYCLOAK_RELEASE_NAME $CHART_REPO/keycloak-server --version $KEYCLOAK_VERSION
    

Deploy Insights

Passwords must match between Insights and Keycloak deployments

To successfully authenticate with the shared Keycloak instance, the Keycloak and PostgreSQL passwords defined in this stage must exactly match those defined in the kxi-keycloak and kxi-postgresql secrets in the Keycloak deployment.

  1. Switch to the namespace where you want to install Insights.

  2. Run the following to create the necessary secrets and a default values file for the kdb Insights Enterprise using a shared Keycloak instance:

    kxi install setup --keycloak-auth-url http://$KEYCLOAK_RELEASE_NAME-keycloak.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/
    
  3. Install Insights.

    kxi install run --filepath values.yaml --version $INSIGHTS_VERSION $CHART_REPO/insights
    

Helm values

If you are running helm install with an existing values file, set these values to allow Insights to use a shared Keycloak instance:

global:
 keycloak:
    authURL: http://$KEYCLOAK_RELEASE_NAME-keycloak.$KEYCLOAK_NAMESPACE.svc.cluster.local/auth/

keycloak:
  enabled: false

keycloak-config-cli:
  enabled: true

If you are running helm upgrade, you also need to set the helm.sh/hook annotation to ensure that the keycloak-config-cli job runs post upgrade as follows:

keycloak-config-cli:
  enabled: true
  annotations:
    "helm.sh/hook": "post-install,post-upgrade"