Install the Secure-Profile Dependencies
The secure profile requires cert-manager, SPIRE, Keycloak, and Istio (ambient mode) on the target cluster. cert-manager ships with the platform; this guide installs the other three. Install them before enabling the secure profile.
TOC
Common installation patternSPIREKeycloak1. Install the operator2. Deploy a Keycloak instanceWhen to create aKeycloakRealmImportIstio (ambient mode)NextCommon installation pattern
Each component is delivered as a platform package — an OLM operator or a Cluster Plugin. The steps are the same for all of them:
-
Download the component package from the Customer Portal —
https://cloud.alauda.cn(China) orhttps://cloud.alauda.io(international). -
Upload it to the platform with
violet:violetrelocates the package's images into the platform registry, so the components install on air-gapped clusters. -
Install from the web console — Administrator → Marketplace / OperatorHub, selecting the target cluster — or with
kubectl(aSubscriptionfor OLM operators, aModuleInfofor Cluster Plugins).
The sections below cover the per-component configuration.
SPIRE
SPIRE issues the workload SVIDs that AuthBridge uses for mTLS. It is delivered as a Cluster Plugin.
Upload the SPIRE package with violet and install it on the workload cluster (Marketplace → install on cluster, or create a ModuleInfo from the global cluster). Configure the install:
Verify:
SPIRE auto-registers every pod (via a default ClusterSPIFFEID) as spiffe://<trustDomain>/ns/<namespace>/sa/<serviceaccount>, delivered through the csi.spiffe.io CSI driver.
Keycloak
Keycloak issues the OAuth2/JWT tokens that AuthBridge validates. It is delivered as an OLM operator plus a Keycloak instance you create.
1. Install the operator
Upload the Keycloak operator package with violet, then install it from OperatorHub. Platform operators require the Manual upgrade approval — approve the generated InstallPlan to complete the install.
2. Deploy a Keycloak instance
Create a Keycloak custom resource. Name it keycloak so the operator generates the keycloak-initial-admin secret that the Kagenti operator reads:
image— the Keycloak server image relocated byviolet(the cluster cannot pullquay.iodirectly).db.vendor: dev-fileruns an in-pod H2 database — fine for dev/test (data is not persisted across restarts). For production, setvendor: postgresand pointdb.host/db.usernameSecret/db.passwordSecretat an external PostgreSQL.hostname.strict: falselets Keycloak resolve its hostname from requests, which suits in-cluster access. Do not sethostname.backchannelDynamic: trueunless you also sethostname.hostname, or the server fails to start.token-exchange(withadmin-fine-grained-authz) is required for the Kagenti audience / token-exchange flow.
Do not pre-create the keycloak-initial-admin secret. The Keycloak operator creates and owns it; a pre-existing secret with that name blocks the operator's reconcile (the Keycloak instance never starts).
The operator exposes the instance in-cluster at http://keycloak-service.<namespace>.svc:8080 — use this URL as keycloak.publicUrl on the Kagenti operand.
The value you set as keycloak.publicUrl becomes the JWT issuer (iss) claim that AuthBridge validates against. Use the same hostname form you will use to fetch tokens — typically the short in-cluster service URL http://keycloak-service.keycloak.svc:8080 (the upstream demo convention). If you pick the FQDN form (…svc.cluster.local…), clients fetching tokens must also call that FQDN; mixing the two yields iss-mismatch 401s on otherwise-valid tokens.
When to create a KeycloakRealmImport
KeycloakRealmImport is how the Keycloak operator imports a realm declaratively (spec.keycloakCRName + spec.realm). The secure profile needs a kagenti realm with a platform client and an audience scope.
- You normally do not create it yourself. When
authbridgeConfig.enabledistrueand aKeycloakinstance already exists, the Kagenti operator auto-imports thekagentirealm — it applies aKeycloakRealmImportnamedkagenti-realm-import(carrying the platform client and thekagenti-platform-audiencescope) into your Keycloak. - Create one manually only if you are not using the auto-import (for example
authbridgeConfigis off but you still want the realm), or you need to customise the realm. Apply aKeycloakRealmImportthat references your instance (spec.keycloakCRName: keycloak) with your realm representation underspec.realm.
Istio (ambient mode)
The secure profile uses Istio ambient mesh (ztunnel) for namespace-level mTLS, delivered as Service Mesh v2 (the servicemesh-operator2 / Sail operator).
Install the Alauda Service Mesh v2 operator from the Marketplace (download → violet → install), version 2.1.1 or later (ambient support). Ambient on ACP also requires the Multus CNI plugin and kube-ovn ≥ v4.1.5.
Then enable ambient by creating the IstioCNI, Istio, and ZTunnel resources with profile: ambient. Create the istio-cni, istio-system, and ztunnel namespaces first, each labeled istio-discovery=enabled. The full, authoritative procedure (prerequisites, namespace labels, verification) is in the Alauda Service Mesh v2 documentation — Installing Istio ambient mode (alauda/servicemesh2-docs). In summary:
If the cluster already runs a shared Istio (e.g. for the platform dashboard), enable ambient additively — set profile: ambient on the existing Istio and IstioCNI resources (preserving their existing spec.values, such as a custom meshConfig) and add a ZTunnel. Existing sidecar-mode workloads keep working, and istiod is updated in place.
The Kagenti operator labels each enrolled agent namespace with istio.io/dataplane-mode: ambient and istio-discovery: enabled automatically — you do not label agent namespaces yourself.
Next
With cert-manager, SPIRE, Keycloak, and Istio ambient in place, continue to Enable the Secure Profile.