Initialize Management Services with Axual HELM
Management Configuration
After starting your cluster and instance services, it is time to set up the management services.
Start the Platform Manager without initSelfServiceJob
Make sure the initSelfServiceJob for the Management API is disabled, and that the Management API has been given the MASTER realm credentials it needs to make REST calls to Keycloak and check that the realm and user exist.
- Create a mgmt-values.yaml file in your working directory like the one below.

  mgmt-values.yaml
  mgmt:
    api:
      # Disable mgmt-api init self-service job
      initSelfServiceJob:
        enabled: false
      axual:
        # Keycloak Admin Credentials
        keycloak:
          master:
            username: [YOUR_ADMIN_USER]
            password: [YOUR_ADMIN_PASSWORD]

- Issue a helm upgrade command with the mgmt-values.yaml as input file to install the Management Services.

  helm upgrade --install platform axual-stable/platform -f mgmt-values.yaml -n kafka

- Alternatively, you can override a specific property with the --set option:

  helm upgrade --install platform axual-stable/platform --set mgmt.api.initSelfServiceJob.enabled="false" --set mgmt.api.axual.keycloak.master.username=[YOUR_ADMIN_USER] --set mgmt.api.axual.keycloak.master.password=[YOUR_ADMIN_PASSWORD] -n kafka
Configure Keycloak Realm from scratch
Access the Admin console
Now that Keycloak has started, we can access the Admin Console using the Admin credentials defined in your mgmt-values.yaml file.
- Open your favourite web browser, access https://<MGMT_KEYCLOAK_DOMAIN>/auth and log in with the Admin credentials.
- From the Realm selection, press the Add realm button.
- Provide a name for the new Realm and press Save. If you already have a realm.json, you can import it here.
- Click Security Defenses.
- Click Brute Force Detection.
- Enable Brute Force Detection; this protects Keycloak from brute-force login attempts.
- Press Save.
- Go to the Clients page using the sidebar.
- Click Create.
- Fill in the Client ID as self-service and the Root URL as the domain where the Self-Service is accessible.
- Click Save.
- Check that Valid Redirect URIs and Web Origins match the URL of the Self-Service.
- Go to the Users page using the sidebar.
- Click Add User.
- Fill in the form.
- Press Save.
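The console steps above set a handful of realm properties by hand. As an added example, not part of the Axual documentation or the Axual charts, the POSIX shell script below emits a realm.json carrying the same settings (brute force detection on, a self-service client whose redirect URIs and web origins are derived from the Self-Service URL, and the first user), so it can be imported on the Add realm page instead of clicking through them. The realm name, Self-Service URL and user details are assumed inputs; the attribute names are Keycloak's RealmRepresentation fields, and emailVerified is an assumption that simply avoids a verification step at the first login.

```shell
#!/bin/sh
# Added example, not part of the Axual documentation: generate a Keycloak
# realm.json that mirrors the console steps (brute force detection, the
# self-service client, the first user). All inputs are assumed/constructed.

# build_realm_json REALM SELFSERVICE_URL USERNAME EMAIL
#   Prints a RealmRepresentation. A trailing slash on the URL is stripped so
#   the redirect URI pattern and the web origin come out consistent.
build_realm_json() {
    url="${2%/}"
    cat <<EOF
{
  "realm": "$1",
  "enabled": true,
  "bruteForceProtected": true,
  "clients": [
    {
      "clientId": "self-service",
      "enabled": true,
      "rootUrl": "${url}",
      "redirectUris": ["${url}/*"],
      "webOrigins": ["${url}"]
    }
  ],
  "users": [
    {
      "username": "$3",
      "email": "$4",
      "enabled": true,
      "emailVerified": true
    }
  ]
}
EOF
}

# realm_json_check FILE: re-check an existing realm.json (for example one you
# are about to import) for the two settings the steps above insist on.
# Plain grep over the JSON text; not a general JSON parser.
realm_json_check() {
    grep -q '"bruteForceProtected": *true' "$1" \
        || { echo "brute force detection is off" >&2; return 1; }
    grep -q '"clientId": *"self-service"' "$1" \
        || { echo "self-service client missing" >&2; return 1; }
    return 0
}

# Usage with constructed values: write realm.json for a "demo" realm.
if [ "${1:-}" = "--write" ]; then
    build_realm_json demo https://self-service.example.test alice alice@example.test > realm.json \
        && realm_json_check realm.json && echo "realm.json ready"
fi
```

Run it with --write to produce realm.json in the current directory, or point realm_json_check at a realm export you already have before importing it.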
Initialize Platform Manager
Now that we have configured the Realm we can start and initialize the first Tenant in your Platform Manager.
Initialize the first Tenant in the Platform Manager
Now that selfservice-api has started, we need to initialize the first tenant.
Be sure you have started Keycloak without restricting the Admin Console to a different port. This is the default behaviour of the Keycloak chart.
- Make a POST curl request to the Platform Manager to initialize the Tenant.
  In a local installation you need to port-forward the selfservice-api Service.

  curl --request POST \
    --url https://localhost:[local-port-forward]/api/initialize \
    --header 'Content-Type: application/json' \
    --data '{
      "tenantName" : [your-tenant-name],
      "tenantShortName" : [your-realm-name],
      "tenantUserEmail" : [email address of the user you have created in the realm]
    }'

  The user identified by tenantUserEmail will be created in the Platform Manager DB and will receive the SUPER_ADMIN role. This user is the most powerful user in the Self-Service.
- After receiving a 204 No Content response, you can log in to the Self-Service UI.
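The initialize call ties the Keycloak realm and the Platform Manager together: tenantShortName must be the realm you created and tenantUserEmail a user that exists in it, and the Management API reaches Keycloak with the master realm credentials from mgmt-values.yaml. As an added example, not part of the Axual documentation or the selfservice-api, the POSIX shell script below runs that check up front against Keycloak's admin REST API using the built-in admin-cli client and the same master credentials, and only then issues the POST from the step above and reports the status code. The environment variable names, the exact=true query parameter on the users endpoint, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Axual documentation: confirm that the realm
# and the first user exist in Keycloak, then initialize the tenant in the
# Platform Manager. Environment variable names and sample values are assumed.

# json_field NAME: extract a top-level string field from compact JSON on stdin.
# Sufficient for Keycloak's token response; not a general JSON parser.
json_field() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# kc_admin_token BASE_URL USER PASSWORD: password grant against the master
# realm with Keycloak's built-in admin-cli client. BASE_URL is the same
# https://<MGMT_KEYCLOAK_DOMAIN>/auth you open the console on.
kc_admin_token() {
    curl -sS --fail -X POST "$1/realms/master/protocol/openid-connect/token" \
        -d grant_type=password -d client_id=admin-cli \
        --data-urlencode "username=$2" --data-urlencode "password=$3" \
        | json_field access_token
}

# realm_exists BASE_URL TOKEN REALM: GET /admin/realms/<realm> answers 200
# for an existing realm and 404 otherwise.
realm_exists() {
    [ "$(curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $2" \
        "$1/admin/realms/$3")" = "200" ]
}

# json_array_nonempty JSON: true unless the text is an empty array.
json_array_nonempty() {
    [ "$(printf '%s' "$1" | tr -d ' \n\t')" != "[]" ]
}

# user_in_realm BASE_URL TOKEN REALM EMAIL: the users endpoint returns a JSON
# array; an empty array means no such user. exact=true is assumed to be
# understood by the Keycloak version in use.
user_in_realm() {
    json_array_nonempty "$(curl -sS --fail -H "Authorization: Bearer $2" \
        "$1/admin/realms/$3/users?email=$4&exact=true")"
}

# initialize_payload NAME SHORT EMAIL: the request body for POST /api/initialize
initialize_payload() {
    printf '{"tenantName":"%s","tenantShortName":"%s","tenantUserEmail":"%s"}' "$1" "$2" "$3"
}

# initialize_tenant PM_URL NAME SHORT EMAIL: prints the HTTP status (204 expected)
initialize_tenant() {
    curl -sS -o /dev/null -w '%{http_code}' --request POST "$1/api/initialize" \
        --header 'Content-Type: application/json' \
        --data "$(initialize_payload "$2" "$3" "$4")"
}

main() {
    # Assumed environment: KEYCLOAK_URL=https://<MGMT_KEYCLOAK_DOMAIN>/auth,
    # KC_ADMIN_USER / KC_ADMIN_PASSWORD = the master realm credentials from
    # mgmt-values.yaml, PM_URL = https://localhost:<local-port-forward>,
    # TENANT_NAME, TENANT_SHORT (= realm name), TENANT_USER_EMAIL.
    token=$(kc_admin_token "$KEYCLOAK_URL" "$KC_ADMIN_USER" "$KC_ADMIN_PASSWORD") || exit 1
    realm_exists "$KEYCLOAK_URL" "$token" "$TENANT_SHORT" \
        || { echo "realm $TENANT_SHORT not found; create it first" >&2; exit 1; }
    user_in_realm "$KEYCLOAK_URL" "$token" "$TENANT_SHORT" "$TENANT_USER_EMAIL" \
        || { echo "no user $TENANT_USER_EMAIL in realm $TENANT_SHORT" >&2; exit 1; }
    status=$(initialize_tenant "$PM_URL" "$TENANT_NAME" "$TENANT_SHORT" "$TENANT_USER_EMAIL")
    [ "$status" = "204" ] && echo "tenant initialized; log in to the Self-Service UI" \
        || { echo "initialize returned HTTP $status" >&2; exit 1; }
}

# Run only when asked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Export the variables named in main and run the script with --run; on a local port-forward with a self-signed certificate you may additionally need curl's -k, which the page's own curl example does not use either.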
Restrict Keycloak Admin console Access
If Keycloak is deployed as part of the platform, its admin console is publicly accessible by default on the same port and hostname as its APIs.
Once Keycloak is configured, you may not need or want the admin console to be publicly reachable.
To restrict its access, set the global.mgmt.keycloak.publicAdminConsole value to false, as in the example below:
global:
  mgmt:
    keycloak:
      publicAdminConsole: false
You will then need to run a helm upgrade command specifying the values.yaml to upgrade the release:
helm upgrade --install platform axual-stable/platform -n kafka -f values.yaml
Alternatively, you can override the specific property with the --set option:
helm upgrade --install platform axual-stable/platform --set global.mgmt.keycloak.publicAdminConsole="false" -n kafka
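Once publicAdminConsole is false, two things are worth confirming: that the console is no longer served on the public hostname, and that the realm's OpenID discovery endpoint the Self-Service login depends on still is. The check below is an added example, not part of the Axual charts or documentation; the base URL and realm name are assumed inputs, and because the page does not state which status the chart returns for the hidden console, any 4xx is treated as restricted while 200 or a redirect is treated as still public.

```shell
#!/bin/sh
# Added example, not part of the Axual documentation: verify after the helm
# upgrade that the Keycloak admin console is no longer publicly served and
# that the realm's OpenID discovery document still is. Inputs are assumptions.

# http_status URL: status code only; curl reports 000 when nothing answered.
http_status() {
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# console_verdict STATUS: interpret GET <base>/admin/. 200 or a 3xx (the
# console normally redirects into /admin/master/console/) means it is still
# served; a 4xx means the path is blocked or absent.
console_verdict() {
    case "$1" in
        200|3[0-9][0-9]) echo public ;;
        4[0-9][0-9])     echo restricted ;;
        000)             echo unreachable ;;
        *)               echo unexpected ;;
    esac
}

# realm_verdict STATUS: the discovery document must still answer 200,
# otherwise the Self-Service login flow is broken as well.
realm_verdict() {
    [ "$1" = "200" ] && echo ok || echo broken
}

# check_restriction BASE_URL REALM: returns 0 only when the console is
# restricted and the realm is still reachable; prints one line per check.
check_restriction() {
    console=$(console_verdict "$(http_status "$1/admin/")")
    realm=$(realm_verdict "$(http_status "$1/realms/$2/.well-known/openid-configuration")")
    echo "admin console: $console"
    echo "realm $2 discovery: $realm"
    [ "$console" = "restricted" ] && [ "$realm" = "ok" ]
}

# Usage (assumed values): KEYCLOAK_URL=https://<MGMT_KEYCLOAK_DOMAIN>/auth REALM=my-realm ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_restriction "${KEYCLOAK_URL:?set to https://<MGMT_KEYCLOAK_DOMAIN>/auth}" "${REALM:?set to the realm name}"
fi
```

A non-zero exit from check_restriction means either the console is still public (re-check the value reached the release) or the realm endpoint stopped answering, which would also break logins to the Self-Service.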