
Configuring users and client secrets for Keycloak via a pre-installed Kubernetes Secret.

This document provides guidance on configuring Keycloak users and client secrets via Kubernetes secrets.

Providing Keycloak users from Kubernetes secrets

To configure users in Keycloak for accessing the Admin UI and the AtScale Modeler UI, first create a Kubernetes secret:

 
 
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-users-secret
  namespace: atscale
type: Opaque
data:
  adminUsername: "Y2xlaXRpbg=="
  adminPassword: "eGF2ZWNv"
  atscaleUsername: "Y2xlaXRpbg=="
  atscalePassword: "eGF2ZWNv"

Apply the secret using:

 
 
kubectl apply -f <secret-file>.yaml

Then update the values.yaml file used for deploying the AtScale release:

 
 
global:
  atscale:
    keycloak:
      # users.atscale.* and users.admin.* must be provided to be considered, otherwise will fall back
      # to default users and randomly generated passwords
      # @param users.atscale.username; Defaults to atscale-kc-admin
      # @param users.atscale.password; Randomly generated if not set
      # @param users.admin.username; Defaults to kc-admin
      # @param users.admin.password; Randomly generated if not set
      # @param users.existingSecret; If set, takes precedence over manually provided credentials (users.atscale.* and users.admin.*)
      # @param users.atscaleUsernameKeyRef; Key reference for atscale username in existingSecret
      # @param users.atscalePasswordKeyRef; Key reference for atscale password in existingSecret
      # @param users.adminUsernameKeyRef; Key reference for admin username in existingSecret
      # @param users.adminPasswordKeyRef; Key reference for admin password in existingSecret
      users:
        atscale:
          # Defaults to atscale-kc-admin
          username: ""
          # Randomly generated if not set
          password: ""
        admin:
          # Defaults to kc-admin
          username: ""
          # Randomly generated if not set
          password: ""
        existingSecret: "keycloak-users-secret"
        atscaleUsernameKeyRef: "atscaleUsername"
        atscalePasswordKeyRef: "atscalePassword"
        adminUsernameKeyRef: "adminUsername"
        adminPasswordKeyRef: "adminPassword"

Once the AtScale release is installed, Keycloak will initialize using the values provided in the secret.

Providing Keycloak client secrets from Kubernetes secrets

To configure client secrets in Keycloak for authentication flows, first create a Kubernetes secret:

 
 
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-clients-secret
  namespace: atscale
type: Opaque
data:
  apiClientSecret: "YXBpMzg5aGpkajhzYWo5MDgyamQwYQ=="
  engineClientSecret: "ZW5naW5lMzg5aGpkajhzYWo5MDgyamQwYQ=="
  entitlementClientSecret: "ZW50aXRsZW1lbnQzODloamRqOHNhajkwODJqZDBh"
  modelerClientSecret: "bW9kZWxlcjM4OWhqZGo4c2FqOTA4MmpkMGE="
  monitoringClientSecret: "bW9uaXRvcmluZzM4OWhqZGo4c2FqOTA4MmpkMGE="
  publicApiClientSecret: "cHVibGljQXBpMzg5aGpkajhzYWo5MDgyamQwYQ=="

Apply the secret using:

 
 
kubectl apply -f <secret-file>.yaml

Then update the values.yaml file used for deploying the AtScale release:

 
 
# @param clients.api.clientSecret; Secret for API client, randomly generated if not set
# @param clients.engine.clientSecret; Secret for Engine client, randomly generated if not set
# @param clients.entitlement.clientSecret; Secret for Entitlement client, randomly generated if not set
# @param clients.modeler.clientSecret; Secret for Modeler client, randomly generated if not set
# @param clients.monitoring.clientSecret; Secret for Monitoring client, randomly generated if not set
# @param clients.publicApi.clientSecret; Secret for Public API client, randomly generated if not set
# @param clients.existingSecret; If set, takes precedence over manually provided client secrets
# @param clients.apiClientSecretKeyRef; Key reference for API client secret in existingSecret
# @param clients.engineClientSecretKeyRef; Key reference for Engine client secret in existingSecret
# @param clients.entitlementClientSecretKeyRef; Key reference for Entitlement client secret in existingSecret
# @param clients.modelerClientSecretKeyRef; Key reference for Modeler client secret in existingSecret
# @param clients.monitoringClientSecretKeyRef; Key reference for Monitoring client secret in existingSecret
# @param clients.publicApiClientSecretKeyRef; Key reference for Public API client secret in existingSecret
clients:
  api:
    clientSecret: ""
  engine:
    clientSecret: ""
  entitlement:
    clientSecret: ""
  modeler:
    clientSecret: ""
  monitoring:
    clientSecret: ""
  publicApi:
    clientSecret: ""
  existingSecret: "keycloak-clients-secret"
  apiClientSecretKeyRef: "apiClientSecret"
  engineClientSecretKeyRef: "engineClientSecret"
  entitlementClientSecretKeyRef: "entitlementClientSecret"
  modelerClientSecretKeyRef: "modelerClientSecret"
  monitoringClientSecretKeyRef: "monitoringClientSecret"
  publicApiClientSecretKeyRef: "publicApiClientSecret"

Once the AtScale release is installed, Keycloak will initialize using the values provided in the secret.
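
The following is an added example, not AtScale's own tooling: a shell helper that renders the keycloak-clients-secret manifest with random values and checks it before kubectl apply. The key names and namespace come from this page; the value format (16 random bytes as hex) and the function names are assumptions. The encoding pitfall it checks for applies equally to keycloak-users-secret.

```shell
#!/bin/sh
# Added example. Key names and namespace are from the page; the value format
# (16 random bytes as hex) and all function names are assumptions.
CLIENT_KEYS="apiClientSecret engineClientSecret entitlementClientSecret
modelerClientSecret monitoringClientSecret publicApiClientSecret"

# 16 bytes from the kernel CSPRNG, rendered as 32 hex characters.
rand_hex() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Encode exactly the bytes given. printf adds no trailing newline; with echo
# the newline would be encoded too and become part of the secret.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print the Secret manifest on stdout. Redirect it to a file kept out of git:
# base64 is an encoding, not encryption.
render_clients_secret() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n'
  printf '  name: keycloak-clients-secret\n  namespace: atscale\n'
  printf 'type: Opaque\ndata:\n'
  for key in $CLIENT_KEYS; do
    printf '  %s: "%s"\n' "$key" "$(b64 "$(rand_hex)")"
  done
}

# Pre-flight check of a manifest file ($1): every key referenced by the
# *KeyRef values must exist, decode, and contain no whitespace.
# Returns 0 if the file is safe to apply, 1 otherwise.
check_manifest() {
  for key in $CLIENT_KEYS; do
    enc=$(sed -n "s/^  $key: \"\(.*\)\"\$/\1/p" "$1")
    [ -n "$enc" ] || { echo "missing key: $key" >&2; return 1; }
    # The trailing x stops $(...) from stripping a decoded newline.
    dec=$(printf '%s' "$enc" | base64 -d 2>/dev/null && printf x) || return 1
    dec=${dec%x}
    case $dec in
      ''|*[[:space:]]*) echo "bad value for $key" >&2; return 1 ;;
    esac
  done
}

# Usage:
#   render_clients_secret > clients-secret.yaml
#   check_manifest clients-secret.yaml && kubectl apply -f clients-secret.yaml
```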

Behavior Rules

  • If keycloak.users.existingSecret is set, it takes precedence over manually specified credentials.

  • If existingSecret is not set, keycloak.users.atscale and keycloak.users.admin must have both username and password provided; otherwise, they will be ignored.

  • If neither existingSecret nor complete manual credentials (keycloak.users.atscale.* and keycloak.users.admin.*) are provided, default users will be created automatically with randomly generated passwords:

    • kc-admin (admin user)

    • atscale-kc-admin (atscale user)

  • If keycloak.clients.existingSecret is set, the provided secret takes precedence for client secrets, and manually specified client secrets will be ignored.

  • If neither existingSecret nor manually specified client secrets are set, client secrets will be generated randomly.