Keycloak Configuration for Kubernetes Operator Installer
Keycloak is the the default authentication manager for Deploy. This topic describes the steps involved in configuring Keycloak before and after the Deploy installation.
Intended Audience
This guide is for administrators who install and manage Digital.ai Deploy.
Before You Begin
- The Operator zip file is downloaded from the Deploy Software Distribution site and extracted to the standalone Deploy server you would use to install Deploy on the Kubernetes cluster.
- A local Deploy instance installed on your system. For information about how to set up local Deploy instance, see Step 6—Set up the local Digital.ai Deploy Container instance in Installing Deploy Using Kubernetes Operator.
Configuring Keycloak Parameters
To configure Keycloak as the default authentication manager for Digital.ai Deploy, go to digitalai-deploy/kubernetes folder of the Operator file and update the OIDC parameters in the daideploy_cr.yaml file.
Enabling OIDC Configuration
To enable external OIDC configuration on Digital.ai Deploy:
-
Set the
oidc.enabledtotrue. -
Set
spec.keycloak.installtofalse. Note: By default, this value is set totrue. If you want to use a different authentication provider other than Keycloak, set the value tofalse. -
Configure the values for the OIDC parameters in the
daideploy_cr.yamlfile as described in the following table:Note: For more information about OIDC configuration, see Deploy OIDC with Keycloak.
Parameter | Description | Configuration |
| Client credentials from Deploy to Keycloak |
|
| ||
| User property mappings |
|
| ||
| URLs from Browser to Keycloak |
|
| ||
| ||
| URLs from Browser to Deploy |
|
| ||
| URLs from Deploy to Keycloak |
|
|
Note: The path-based routing will not work if you use OIDC authentication. To enable path-based routing, you must modify the ingress specification in the daideploy_cr.yaml file as follows:
- Set the
ingress.nginx.ingress.kubernetes.io/rewrite-target: /$2to / - Set
ingress.path: /xl-release(/|$)(.*)to /
Configuring Keycloak as the Default Authentication Manager
To configure Keycloak as the default authentication manager for Digital.ai Deploy, specify the values for the OIDC parameters in the the daideploy_cr.yaml as described in the following table:
Note: By default, Kubernetes Operator installer uses embedded Postgres database for Keycloak authentication.
| Parameter | Description | Default Value |
|---|---|---|
| keycloak.ingress.rules.host | Defines the valid DNS name for the Keycloak Ingress resource. This is a mandatory parameter. Note: By default, Keycloak pod uses the Postgres database that is included in the Operator installer. If you want to use an external database, create a database and a user, and ensure to update the parameters described in this table in the Keycloak section. | NA |
| DB_VENDOR | Defines the database vendor name. This is a mandatory parameter. | NA |
| DB_ADDR | Defines the database URI. This is a mandatory parameter. | NA |
| DB_PORT | Defines the port number. This is a mandatory parameter. | NA |
| DB_USER | Defines the username of the database user. This is a mandatory parameter. | NA |
| DB_PASSWORD | Defines the password of the database user. This is a mandatory parameter. | NA |
| spec.keycloak.install | Installs the Keycloak chart. | true |
| keycloak.extraENV KEYCLOAK_USER | Defines the username of the Keycloak user. | admin |
| keycloak.extraENV KEYCLOAK_PASSWORD | Defines the password of the Keycloak user. | admin |
Configuring User Permissions
As an admin, you can add user roles, assign role-based permissions, and configure Keycloak users with the required user roles.
To add user roles:
- Log in to Digital.ai Deploy as admin, or a user with the Admin global permission.
- From Explorer, click User Management > Roles > Add Role, and type the role. For example
oidc-administrators. - Click Save.
To assign global permissions to the user role:
-
From Explorer, click User Management > Global Permissions, and select the checkboxes next to the user role (for example,
oidc-administrators) to define the required permissions for the selected user role.
After assigning global permissions to the user role, to configure Keycloak users with this user role:
-
Log in to Keycloak as admin.
-
In the navigation pane, under Manage, click Users and select the user, for example —
Alice. -
From the Role Mapping tab, choose the role under Assigned Roles.
Note: For information about the role, click Roles under Configure group.
Logging in to the Deploy Application
After configuring the parameters, you can verify the OIDC authentication by accessing the Deploy application.
-
In a web browser, enter the URL of the Deploy application. You will be redirected to the Keycloak Login screen.
-
If configured, enter the username and password for Deploy, or enter the default username and password (
admin/admin).Note: After the successful configuration of Keycloak OIDC authentication, the default login credentials (
admin/admin) will no longer work.After a successful authentication, you will be redirected to the Deploy dashboard.
Note:
- By default, the Operator comes with the default realm —
digitalai-platform. You can use this realm to configure users and identity providers for Digital.ai products, such as Release and Deploy.- To sign in as
oidc-user, you can use the login credentials of any of the following sample users:alice,bob,carol,elrond,eve.- If you want to sign in as an internal user, browse directly to
http://example.com/login.