Skip to main content
Version: Release 22.2

Keycloak Configuration for Kubernetes Operator

This topic describes the steps involved in configuring Keycloak before and after the Release installation. Keycloak is the the default authentication manager for Release.

Intended Audience

This guide is for administrators who install and manage Digital.ai Release.

Before You Begin

  • The Operator zip file is downloaded from the Release Software Distribution site and extracted to the Deploy server filesystem you would use to install Release on the Kubernetes cluster.
  • A local Deploy instance installed on your system. For information about how to set up local Deploy instance, see platform specific Operator-based installation instructions.

Configuring Keycloak Parameters

To configure Keycloak as the default authentication manager for Digital.ai Release, go to digitalai-release/kubernetes folder of the Operator file and update the OIDC parameters in the dairelease_cr.yaml file.

Enabling OIDC Configuration

To enable external OIDC configuration on Digital.ai Release:

  1. Set the oidc.enabled to true.

  2. Set spec.keycloak.install to false.
    Note: By default, this value is set to true. If you want to use a different authentication provider other than Keycloak, set the value to false.

  3. Configure the values for the OIDC parameters in the dairelease_cr.yaml file as described in the following table:

    Note: For more information about OIDC configuration, see Release OIDC with Keycloak.

ParameterDescriptionConfiguration
oidc.externalIs external configuration enabledtrue
oidc.clientidClient credentials from Release to KeycloakclientId = "" clientSecret = ""
oidc.clientSecret
oidc.userNameClaimNameUser property mappingsuserNameClaimName = "preferred_username" fullNameClaim = "name" emailClaim = "email" rolesClaim = "groups"
oidc.fullNameClaim
oidc.emailClaim
oidc.rolesClaim
oidc.issuerURLs from Browser to Keycloakissuer = http://keycloak:8080/auth/realms/digitalai-platform userAuthorizationUri = http://keycloak:8080/auth/realms/digitalai-platform/protocol/openid-connect/auth logoutUri = http://keycloak:8080/auth/realms/digitalai-platform/protocol/openid-connect/logout
userAuthorizationUri
oidc.logoutUri
oidc.redirectUriURLs from Browser to ReleaseredirectUri = http://localhost:5516/oidc-login postLogoutRedirectUri = http://localhost:5516/oidc-login
oidc.postLogoutRedirectUri
oidc.keyRetrievalUriURLs from Release to KeycloakkeyRetrievalUri = http://keycloak:8080/auth/realms/digitalai-platform/protocol/openid-connect/certs accessTokenUri= http://keycloak:8080/auth/realms/digitalai-platform/protocol/openid-connect/token
oidc.accessTokenUri
oidc.scopesList of scopes (note single quotes around list, same way as in example)'["openid"]'

Note: The path-based routing will not work if you use OIDC authentication. To enable path-based routing, you must modify the ingress specification in the dairelease_cr.yaml file as follows:

  • Set ingress.nginx.ingress.kubernetes.io/rewrite-target to /
  • Set ingress.path: /xl-release(/|$)(.*) to /

Note: if you have some missing values above, use "" for that value in the oidc object. Do not delete that value from the object.

Configuring Keycloak as the Default Authentication Manager

To configure Keycloak as the default authentication manager for Digital.ai Release, specify the values for the OIDC parameters in the the dairelease_cr.yaml as described in the following table: Note:

  • By default, Kubernetes Operator installer uses embedded Postgres database for Keycloak authentication.
  • For more information about keycloak authentication with External Database, see "Operator Based Solution with keycloak enabled with external database"
ParameterDescriptionDefault Value
keycloak.ingress.rules.hostDefines the valid DNS name for the Keycloak Ingress resource. This is a mandatory parameter.
Note: By default, Keycloak pod uses the Postgres database that is included in the Operator installer. If you want to use an external database, create a database and a user, and ensure to update the parameters described in this table in the Keycloak section.		NA
DB_VENDORDefines the database vendor name. This is a mandatory parameter.NA
DB_ADDRDefines the database URI. This is a mandatory parameter.NA
DB_PORTDefines the port number. This is a mandatory parameter.NA
DB_USERDefines the username of the database user. This is a mandatory parameter.NA
DB_PASSWORDDefines the password of the database user. This is a mandatory parameter.NA
spec.keycloak.installInstalls the Keycloak chart.true
keycloak.extraENV
KEYCLOAK_USER		Defines the username of the Keycloak user.admin
keycloak.extraENV
KEYCLOAK_PASSWORD		Defines the password of the Keycloak user.admin

Do you want to use an existing Keycloak database with the Operator-based installer?

note

This is not an officially supported use case. Use these instructions at your own discretion.

Use the following instructions to set up an existing Keycloak database, if you have been using an existing PostgreSQL database for Keycloak and if you want to use it while installing or upgrading Release using the Operator-based installer.

  • Operator-based Fresh Installation
    • Edit the dairelease_cr.yaml file for setting up Keycloak with external database.
      • If you are using external database for both Release and Keycloak, update the values for the following parameters:
        • .spec.postgresql.install to false
        • .spec.keycloak.extraENV
          • DB_ADDR
          • DB_PORT
          • DB_USER
          • DB_PASSWORD
      • If you are using external database only for Keycloak and embedded Postgres database for Release, update the values for the following parameters:
        • .spec.keycloak.extraENV
          • DB_ADDR
          • DB_PORT
          • DB_USER
          • DB_PASSWORD
  • Operator-based Upgrade

    • During the upgrade process, you need to use the custom operator zip option for setting up Keycloak with external database.

      Answer the following question while upgrading.

      • Do you want to use custom operator zip file for Release? Yes

      • ? Release operator zip to use (absolute path or URL to the zip)

    1. Download the operator zip from the Release Software Distribution site.
      • Extract the ZIP file to the ReleaseInstallation folder.
      • Update the following in dairelease_cr.yaml for setting up Keycloak with external database.
        • If you are using external database for both Release and Keycloak, update the values for the following parameters:
          • .spec.postgresql.install to false
          • .spec.keycloak.extraENV
            • DB_ADDR
            • DB_PORT
            • DB_USER
            • DB_PASSWORD
        • If you are using external database only for Keycloak and embedded Postgres database for Release, update the values for the following parameters:
          • .spec.keycloak.extraENV update the following fields.
            • DB_ADDR
            • DB_PORT
            • DB_USER
            • DB_PASSWORD
      • Zip the operator package and provide absolute path of the zip while upgrading [? Release operator zip to use (absolute path or URL to the zip)].
    2. If External database for Release is used, then during upgrade process we need to edit list of following question Edit list of custom resource keys that will migrate to the new Release CR and update the following parameters`.
      • .spec.UseExistingDB.Enabled
      • .spec.UseExistingDB.XLR_DB_URL
      • .spec.UseExistingDB.XLR_DB_USER
      • .spec.UseExistingDB.XLR_DB_PASS
      • .spec.UseExistingDB.XLR_REPORT_DB_URL
      • .spec.UseExistingDB.XLR_REPORT_DB_USER
      • .spec.UseExistingDB.XLR_REPORT_DB_PASS

Configuring User Permissions

As an admin, you can add user roles, assign role-based permissions, and configure Keycloak users with the required user roles.

To add user roles:

  1. Log in to Digital.ai Release as admin, or a user with the Admin global permission.
  2. From Release GUI, click User Management > Roles > Add Role, and type the role. For example oidc-administrators.
  3. Click Save.

To assign global permissions to the user role:

  1. From Release GUI, click User Management > Global Permissions, and select the checkboxes next to the user role (for example, oidc-administrators) to define the required permissions for the selected user role.

    Assign Global Permissions

After assigning global permissions to the user role, to configure Keycloak users with this user role:

  1. Log in to Keycloak as admin.

  2. In the navigation pane, under Manage, click Users and select the user, for example — Alice.

  3. From the Role Mapping tab, choose the role under Assigned Roles.

    Assign User Roles

    Note: For information about the role, click Roles under Configure group.

Logging in to the Release Application

After configuring the parameters, you can verify the OIDC authentication by accessing the Release application.

  1. In a web browser, enter the URL of the Release application. You will be redirected to the Keycloak Login screen.

    Keycloak Login Screen

  2. If configured, enter the username and password for Release, or enter the default username and password (admin/admin).

    Note: After the successful configuration of Keycloak OIDC authentication, the default login credentials (admin/admin) will no longer work.

    After a successful authentication, you will be redirected to the Release dashboard.

    Release Dashboard

Note:

  • By default, the Operator comes with the default realm — digitalai-platform. You can use this realm to configure users and identity providers for Digital.ai products, such as Release and Deploy.
  • To sign in as oidc-user, you can use the login credentials of any of the following sample users: alice, bob, carol, elrond, eve.
  • If you want to sign in as an internal user, browse directly to http://example.com/login.