Installing IBM App Connect with a managed Keycloak solution for identity and access management (IAM) on Red Hat OpenShift

Identity and access management (IAM) secures data and systems by controlling which authenticated users can access which data and applications. If you want to use a managed solution to control security and access to the App Connect Designer and App Connect Dashboard instances (or resources) that IBM App Connect provides, install the IBM App Connect Operator as part of an IBM Cloud Pak for Integration deployment. That deployment provides a managed Keycloak solution that you can use to implement IAM.

You can also install the IBM App Connect Operator independently and either use it without IAM, or choose to implement IAM by hosting a self-managed Keycloak deployment. For more information, see Installing IBM App Connect without identity and access management (IAM) or with a self-managed Keycloak solution on Red Hat OpenShift and Implementing identity and access management in IBM App Connect by using a self-managed Keycloak solution on Red Hat OpenShift or Kubernetes.

Required Operators for using a managed Keycloak solution with App Connect

To use a managed Keycloak solution with App Connect, the following Operators need to be installed in your cluster.

To see which versions of these Operators are supported for a managed Keycloak solution, see Operator and instance versions for this release and Operators available to install in the IBM Cloud Pak for Integration documentation.

Operator name: IBM Cloud Pak for Integration
Function: Provides a dashboard and central services for the Cloud Pak for Integration capabilities or instances.

Operator name: IBM App Connect
Function: Provides application integration capabilities.

Operator name: IBM Cloud Pak foundational services
Function: Provides key foundational services for the IBM Cloud Paks, including IAM with Keycloak.

Operator name: Operand Deployment Lifecycle Manager (ODLM)
Function: Manages the lifecycle of a group of operands (that is, the services and applications that the Operators manage). Automatically installed when IBM Cloud Pak foundational services is installed.

Operator name: cert-manager Operator for Red Hat OpenShift on Linux® 64-bit (amd64 architecture), or IBM Cert Manager on Linux on Z (s390x architecture) or Linux on Power® (ppc64le architecture)
Function: Generates (or adds) and manages the TLS certificates that are required for internal communication in the cluster, and ensures that certificates remain valid and up to date. For more information, see cert-manager.

You can install these Operators in an online cluster with internet access, or in a cluster within an air-gapped environment that is not connected to the internet.

Installation modes

When you install the Operators, the following installation modes are supported.

A cluster-wide installation into all namespaces on the cluster (cluster-scoped)

Selecting this mode installs the Operators (except for the cert-manager or IBM Cert Manager Operator) into the openshift-operators namespace. You install the Operators only once in the cluster and they become available to all namespaces (and users) on the cluster. You can use the cluster-scoped IBM App Connect Operator to deploy and manage App Connect instances or resources within any namespace.

Installation into a specific namespace on the cluster (namespace-scoped)

Selecting this mode installs the Operators (except for the cert-manager or IBM Cert Manager Operator) into a single namespace of your choice. With this installation mode, you can install the Operators multiple times, across multiple namespaces, in the same cluster, and at different versions. However, installing different versions of an Operator across namespaces is not advisable because it can cause conflicts in the custom resource definitions (CRDs) that are used to create product-specific resources. CRDs are cluster-scoped rather than namespaced, so a version conflict affects the whole cluster and can lead to installation or upgrade issues for an Operator and the resources that it manages. You can use the namespace-scoped IBM App Connect Operator to deploy and manage App Connect instances or resources within that namespace only.
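As an added illustration of the difference between the two modes, the following Operator Lifecycle Manager (OLM) objects show what a namespace-scoped installation of the IBM App Connect Operator consists of. These manifests are written for this page and are not taken from the IBM documentation. The namespace name ace-prod, the channel v12.0, the package name ibm-appconnect and the CatalogSource name ibm-operator-catalog are assumptions; take the real values from the catalog you added by following the IBM Cloud Pak for Integration documentation. What makes the installation namespace-scoped is the OperatorGroup whose targetNamespaces lists only the install namespace.

```yaml
# Example manifests written for this page, not from the IBM documentation.
# Namespace, channel, package name and catalog source are assumptions; confirm
# them against the catalog before applying:
#   oc get packagemanifests -n openshift-marketplace | grep -i appconnect

apiVersion: v1
kind: Namespace
metadata:
  name: ace-prod                        # assumed namespace name
---
# Namespace-scoped: the OperatorGroup restricts the Operator to this namespace
# only. (A cluster-scoped install needs no OperatorGroup, because the one that
# OpenShift creates in openshift-operators already selects all namespaces.)
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ace-prod-og
  namespace: ace-prod
spec:
  targetNamespaces:
    - ace-prod                          # only this namespace
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-appconnect
  namespace: ace-prod
spec:
  name: ibm-appconnect                  # assumed package name
  channel: v12.0                        # assumed channel; use a supported version
  source: ibm-operator-catalog          # assumed CatalogSource name
  sourceNamespace: openshift-marketplace
  # Manual approval means an Operator upgrade, and the CRD changes it carries,
  # is applied only after an administrator approves the InstallPlan. Because
  # CRDs are cluster-scoped, this is the control point for keeping a single
  # Operator version when the Operator is installed in several namespaces.
  installPlanApproval: Manual
```

For a cluster-scoped installation, the same Subscription is created in the openshift-operators namespace instead, and no OperatorGroup is needed there. Before adding a second namespace-scoped installation, check which Operator versions are already present in the cluster with `oc get csv -A | grep -i appconnect`; OLM copies the ClusterServiceVersion into every namespace the Operator targets, so a mismatch between namespaces is visible in that output.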

Installing App Connect within an environment that uses a managed Keycloak solution to implement IAM

To install the Operators that you need for configuring IAM, first add them to a catalog to make them available in your cluster. If you are using an online cluster with access to public registries, the images for each Operator are pulled directly from the public registries when you install the Operator.

If you are using an air-gapped cluster in a restricted network, you need to first mirror the images for the Operators to your local or internal registry to make them accessible to your cluster. You can then add the Operators to your internal catalog. When you install an Operator, its images are pulled from your local registry.

To install the Operators, follow the instructions in the IBM Cloud Pak for Integration documentation.

What to do next

After you install the Operators, you can begin to install your App Connect (and other product capability) instances and configure Keycloak for access.

The high-level sequence of steps is as follows.

  1. If not already deployed in your cluster, deploy License Service to track license consumption of Cloud Pak for Integration (including IBM App Connect) at the cluster level. For more information, see Deploying License Service and License Service.
    Note: Only one instance of License Service is deployed per cluster regardless of the number of IBM Cloud Paks and containerized products that you have installed on your cluster.
  2. If you are using an online cluster, obtain and add your entitlement key to the namespaces where you want to deploy App Connect and other product capability instances. This entitlement key enables images to be pulled from the IBM Entitled Container Fulfillment Registry. For more information, see Finding and applying your entitlement key (online installation) in the Cloud Pak for Integration documentation.
  3. If you purchased Cloud Pak for Integration, deploy the Platform UI that enables you to deploy and manage instances from a central location. For more information, see Deploying the Platform UI and Identity and access management in the Cloud Pak for Integration documentation.
  4. Create the App Connect Designer and App Connect Dashboard instances that you need and ensure that IAM is enabled for these instances. Then, use Keycloak to configure user access. For more information, see Creating App Connect Designer or App Connect Dashboard instances with IAM enabled.
  5. Create any other product capability instances that you are licensed to use. For more information, see Deploying instances in the Cloud Pak for Integration documentation.
  6. Create other App Connect resources such as flows, integration servers, integration runtimes, switch servers, and configuration objects. For more information, see Creating your authoring and runtime environments, and other IBM App Connect resources and Creating and managing flows in App Connect Designer.