Add Konveyor deployment and usage guide

[chideat]

Summary by CodeRabbit

• Documentation
  • Added a comprehensive user guide for deploying and operating Konveyor: overview, prerequisites, operator installation, deploying Konveyor Hub, verification steps, configuration options, UI access and admin initialization, production TLS/Ingress setup with certificate and Ingress guidance, enabling Konveyor AI (supported providers/models and credential setup), forcing reconciliation, component overview, example manifests, commands, and references.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new documentation guide docs/en/solutions/How_to_Use_Konveyor.md with end-to-end operational instructions for deploying and operating Konveyor Hub/Tackle, covering prerequisites, operator installation, Tackle CRs, verification, access methods (port‑forward, Ingress/TLS), admin init, KAI enablement, credentials, and references. (≈266 lines)

Changes

Cohort / File(s)	Summary
Documentation docs/en/solutions/How_to_Use_Konveyor.md	New ~266-line guide detailing prerequisites, installing the Konveyor operator, deploying Konveyor Hub via a Tackle CR (examples), verification steps, configuration options, UI access (port-forward and Ingress with TLS manifest examples), Keycloak/admin init, enabling Konveyor AI (providers/models and credential setup), forcing operator reconciliation, component overview, and reference links.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• sinbadonline

Poem

🐰 I hopped through YAML with careful cheer,

CRs and secrets tucked so near,
Port‑forwards, TLS, a Keycloak song,
KAI dreams hum the whole day long,
Hop in—deployments now appear.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add Konveyor deployment and usage guide' accurately and clearly describes the main change: a new documentation file providing comprehensive guidance on deploying and using Konveyor Hub/Tackle.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In `@docs/en/solutions/How_to_Use_Konveyor.md`:
- Line 114: The example password "Enter a new password (e.g., `admin@123`)" is
weak; update that text to show a stronger example (for instance:
`Str0ng!Admin#2026`) and/or replace with a password pattern recommendation like
"use a 12+ character password with upper and lower case letters, numbers, and
symbols" so the line referencing the example password is replaced with a
stronger example or a pattern recommendation.
- Around line 218-233: The docs currently recommend using kubectl create secret
... --from-literal which exposes secrets in shell history; update the examples
that reference the kubectl create secret generic kai-api-keys commands to use a
secure method such as piping a YAML Secret manifest to kubectl apply (using
stringData in the manifest) or using --from-env-file and removing the temp file,
and replace the inline --from-literal OpenAI/GOOGLE examples with the cat <<EOF
| kubectl apply -f - YAML snippets or the --from-env-file workflow described in
the comment so credentials are not passed on the command line.
- Line 253: Update the Crane description line to remove the inaccurate
"Community version is currently inactive" claim and instead state its current
status (e.g., "actively maintained as a community project in the migtools
organization with recent releases and ongoing development"); modify the table
entry containing "**Crane**" to reflect this wording so documentation accurately
represents Crane's active maintenance and development.
- Line 25: The documentation link in the sentence "Download the Konveyor
Operator plugin from Alauda Cloud Console Marketplace..." is incorrect (it
points to a backup install page); update the URL referenced for the violet tool
to the correct Alauda documentation for operator package upload/installation or
the violet CLI tool (replace the current
https://docs.alauda.io/container_platform/4.1/configure/backup/install.html link
with the appropriate Marketplace/OperatorHub or violet CLI docs URL), and ensure
the anchor text still mentions the violet tool and installation method.
- Around line 190-201: The "Supported Providers and Models" table is static and
can become outdated; add a short clarifying sentence under the "Supported
Providers and Models" heading stating that the table is illustrative (not
exhaustive) and directing readers to the Konveyor Official Documentation
(https://konveyor.io/docs/konveyor/) for the most current provider and model
support; include the link text and ensure the note is visible immediately after
the table so readers know where to check for updates.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b739efb and 2b4a107.

📒 Files selected for processing (1)

• docs/en/solutions/How_to_Use_Konveyor.md

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-01-13T11:25:34.596Z

Learnt from: jing2uo
Repo: alauda/knowledge PR: 104
File: docs/en/solutions/How_to_Migrate_VirtualMachine_From_VMware.md:131-172
Timestamp: 2026-01-13T11:25:34.596Z
Learning: In VMware migration documentation (docs/en/solutions), when describing the Forklift Operator workflow for VMware, specify that the VMware provider secret should set insecureSkipVerify=true to accommodate self-signed certificates commonly used in enterprise vCenter/ESXi environments. Include a note on the security trade-offs and ensure readers understand this is for internal, controlled environments.

Applied to files:

• docs/en/solutions/How_to_Use_Konveyor.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Agent

🔇 Additional comments (3)

docs/en/solutions/How_to_Use_Konveyor.md (3)

27-80: LGTM!

The Tackle deployment configuration is well-documented with clear placeholder comments for user-specific values. The warning about namespace requirements and the comprehensive configuration table are helpful.

---

120-184: LGTM!

The Ingress and TLS certificate configurations are correctly structured with appropriate placeholders and clear instructions for production deployment.

---

255-259: Reference links are current and accessible.

The documentation links provided in the references section are valid.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[Copilot]

Pull request overview

This PR adds comprehensive documentation for deploying and using Konveyor, a CNCF application modernization platform. The guide provides step-by-step instructions for installation, configuration, and accessing the platform.

Changes:

• Added complete deployment guide covering operator installation, Tackle instance creation, and UI access methods
• Documented KAI (Konveyor AI) configuration with multiple LLM provider options
• Included component overview describing the Konveyor ecosystem architecture

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@docs/en/solutions/How_to_Use_Konveyor.md`:
- Line 25: Fix the grammatical error in the sentence that reads "and according
[Upload Packages] to upload the plugin to cluster" by reordering and clarifying
the phrase; update the line in How_to_Use_Konveyor.md so it reads something
like: "Download the Konveyor Operator plugin from Alauda Cloud Console
Marketplace, and, according to [Upload Packages], upload the plugin to the
cluster." Ensure the bracketed link "[Upload Packages]" remains intact and the
word "cluster" is preceded by "the."
- Around line 131-135: The Ingress prerequisites are inconsistent with the
example ingress using "ingressClassName: nginx"; update the "#### Ingress
Prerequisites" text to generically require an Ingress Controller (e.g., ALB or
NGINX) and either add a brief note linking both options or include both example
snippets, or alternatively change the example ingress (the block containing
"ingressClassName: nginx") to an ALB-specific configuration that matches the
linked ALB deployment guide; edit the "Ingress Prerequisites" paragraph and the
ingress example to make the controller choice consistent and unambiguous.
- Line 114: Update the Keycloak admin console URL line to clarify path
differences based on Keycloak version/config: mention that Keycloak 18+ (Quarkus
default) uses http://127.0.0.1:8080/admin/ while older WildFly-based or Quarkus
with http-relative-path=/auth uses http://127.0.0.1:8080/auth/admin/, and
instruct readers to choose the correct URL for their Keycloak deployment or
check their server's http-relative-path setting; adjust the sentence that
currently reads "Login to Keycloak admin console at
http://127.0.0.1:8080/auth/admin/" to include both alternatives and a brief note
about Tackle requiring an external Keycloak deployment.

🧹 Nitpick comments (3)

docs/en/solutions/How_to_Use_Konveyor.md (3)

27-31: Add namespace creation guidance.

The document references the konveyor-tackle namespace in the Tackle CR example but doesn't explain whether users need to create it manually or if the operator creates it automatically. Adding a brief note would improve clarity for new users.

📝 Suggested addition

 ## Deploy Konveyor Hub (Tackle)
 
+> [!NOTE]
+> The `konveyor-tackle` namespace is typically created automatically during operator installation. If it doesn't exist, create it before proceeding:
+> ```bash
+> kubectl create namespace konveyor-tackle
+> ```
+
 ### Create Tackle Instance

---

140-156: Add guidance for ClusterIssuer selection.

The Certificate manifest uses a hard-coded issuerRef name cpaas-ca which is specific to Alauda's internal setup. Users may not have this ClusterIssuer in their cluster.

💡 Suggested improvement

Add a note before the Certificate manifest:

 #### Create TLS Certificate
 
+> [!NOTE]
+> Replace `cpaas-ca` with your ClusterIssuer name. To list available ClusterIssuers in your cluster:
+> ```bash
+> kubectl get clusterissuer
+> ```
+
 ```yaml
 apiVersion: cert-manager.io/v1

---

242-247: Add brief explanation of the force-reconcile pattern.

The command uses a timestamp-based annotation to trigger operator reconciliation, but the purpose and mechanism aren't explained. A brief note would help users understand when and why to use this pattern.

📝 Suggested addition

 3. Force the operator to reconcile and pick up the new credentials:
 
+   > [!NOTE]
+   > This command adds a timestamp annotation to the Tackle resource, triggering the operator to reconcile immediately and reload the secret. Use this pattern after updating secrets or configuration that the operator needs to pick up.
+
    ```bash
    kubectl patch tackle tackle -n konveyor-tackle --type=merge -p \
      '{"metadata":{"annotations":{"konveyor.io/force-reconcile":"'"$(date +%s)"'"}}}'
    ```

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Keycloak context path /auth removal version history

💡 Result:

Short timeline and notes

• Change introduced when Keycloak switched to the Quarkus distribution (default starting in Keycloak 17). The Quarkus build removed the default /auth context path. To restore it, set http-relative-path (e.g. bin/kc.sh start-dev --http-relative-path /auth). [1]

• This change is documented in the official migration guide and referenced in code/adapter updates noting “Starting from Keycloak release v17, … the "/auth" prefix was removed from the default context path.” [1][2]

Sources
[1] Keycloak — Migrating to Quarkus distribution (notes about /auth removal and http-relative-path).
[2] Adapter/commit notes referencing removal starting with v17 (adapting endpoints for Quarkus runtime).

---

🌐 Web query:

Konveyor Tackle Keycloak version bundled embedded

💡 Result:

Short answer: Tackle does not ship a single fixed “bundled/embedded” Keycloak version. Konveyor Tackle integrates with Keycloak (or can be deployed authless) and expects you to provide/connect a Keycloak instance via the Tackle CR / environment variables; it doesn’t embed a specific Keycloak release inside the Tackle operator/Hub image. See Konveyor install/docs and the Tackle settings (Keycloak-related env vars). [1][2]

Sources:

• Konveyor Tackle docs — installation / authless deployment info. [1]
• Tackle settings (Keycloak env vars) in the tackle2-hub source. [2]

---

🌐 Web query:

Keycloak 18 admin console URL path /admin/ vs /auth/admin/

💡 Result:

Short answer

• Keycloak 18 (Quarkus distribution) serves the admin console at /admin (root context) by default; older WildFly-based releases used /auth/admin. (keycloak.org)

If you need the /auth prefix

• Start Keycloak with an HTTP relative path: --http-relative-path=/auth (or set KC_HTTP_RELATIVE_PATH=/auth / KC_HTTP_RELATIVE_PATH env). That restores URLs like /auth/admin/ (some resources/behavior may require additional hostname/proxy settings). (forum.keycloak.org)

Notes / troubleshooting pointers

• Reverse-proxy/hostname-path settings (KC_HOSTNAME, --hostname-path, KC_HOSTNAME_ADMIN, KC_HOSTNAME_URL, etc.) affect generated admin links and static resource loading; many upgrade issues stem from mismatched hostname/path configuration. Check the upgrade docs and GitHub/forum issues if the console breaks after changing paths. (github.com)

If you want, tell me how you run Keycloak (docker/standalone/hosted) and I’ll give the exact command/env and example reverse-proxy rules.

Citations:

• 1: https://www.keycloak.org/docs/latest/upgrading/index.html?utm_source=openai
• 2: https://forum.keycloak.org/t/problem-upgrading-with-auth-portion-of-url-now-gone/18002?utm_source=openai
• 3: Admin console does not work with reverse proxy keycloak/keycloak#11922

---

Clarify Keycloak admin console URL path based on version and configuration.

The URL /auth/admin/ assumes Keycloak is configured with the /auth context path. This works for WildFly-based Keycloak or Quarkus-based Keycloak with http-relative-path=/auth enabled. However, modern Keycloak 18+ (Quarkus) defaults to /admin/ without additional configuration. Since Tackle requires external Keycloak deployment, the documentation should either specify the assumed Keycloak version/configuration or provide adaptive instructions for both paths (e.g., "If using Keycloak 18+, use http://127.0.0.1:8080/admin/; for older versions or with /auth configured, use http://127.0.0.1:8080/auth/admin/").

🤖 Prompt for AI Agents

In `@docs/en/solutions/How_to_Use_Konveyor.md` at line 114, Update the Keycloak
admin console URL line to clarify path differences based on Keycloak
version/config: mention that Keycloak 18+ (Quarkus default) uses
http://127.0.0.1:8080/admin/ while older WildFly-based or Quarkus with
http-relative-path=/auth uses http://127.0.0.1:8080/auth/admin/, and instruct
readers to choose the correct URL for their Keycloak deployment or check their
server's http-relative-path setting; adjust the sentence that currently reads
"Login to Keycloak admin console at http://127.0.0.1:8080/auth/admin/" to
include both alternatives and a brief note about Tackle requiring an external
Keycloak deployment.