Skip to content

Monitoring Specific Keycloak ConfigurationπŸ“œ

Table of ContentsπŸ“œ

  • Keycloak configuration
  • Grafana configuration
  • Prometheus+Alertmanager configuration

These are the items you need to configure after keycloak and Grafana are working on your cluster, or you are utilizing an external keycloak eg: login.dso.mil

Keycloak ConfigurationπŸ“œ

GrafanaπŸ“œ

  1. Create a grafana client scope named β€œGrafana” with the following mappings
Name Mapper Type Mapper Selection Sub Token Claim Name Claim JSON Type Other
profile User Attribute profile profile String Add to ID token: on
Add to access token: on
add to userinfo: on
multivalued: off
aggr attrib values: off
email User Property email email String Add to ID token: on
Add to access token: on
add to userinfo: on
realm roles User Realm Role realm roles realm_access.roles String Add to ID token: off
Add to access token: on
add to userinfo: off
client roles User Client Role N/A resource_access.${client_id}.roles String Add to ID token: off
Add to access token: on
add to userinfo: off
username User Property username preferred_username String Add to ID token: on
Add to access token: on
add to userinfo: on
groups Group Membership N/A groups N/A Full group path: on
Add to ID token: on
Add to access token: on
add to userinfo: on
  1. Create a grafana client

  2. Change the following configuration items

  3. access type: confidential this will enable a β€œCredentials” tab within the client configuration page
  4. Direct Access Grants Enabled: Off
  5. Valid Redirect URIs: https://grafana.DOMAIN/login/generic_oauth
  6. Base URL: https://grafana.DOMAIN
  7. Set Client Scopes
  8. Default Client Scopes: Grafana (the client scope you created in the previous step)
  9. optional client scopes: N/A
  10. Take note of the client secret in the credential tab

PrometheusπŸ“œ

  1. Create a prometheus client

  2. Change the following configuration items

  3. access type: confidential this will enable a β€œCredentials” tab within the client configuration page
  4. Direct Access Grants Enabled: Off
  5. Valid Redirect URIs: https://prometheus.DOMAIN/login/generic_oauth
  6. Base URL: https://prometheus.DOMAIN
  7. Take note of the client secret in the credential tab

AlertmanagerπŸ“œ

  1. Create an alertmanager client

  2. Change the following configuration items

  3. access type: confidential this will enable a β€œCredentials” tab within the client configuration page
  4. Direct Access Grants Enabled: Off
  5. Valid Redirect URIs: https://alertmanager.DOMAIN/login/generic_oauth
  6. Base URL: https://alertmanager.DOMAIN
  7. Take note of the client secret in the credential tab

Grafana ConfigurationπŸ“œ

Grafana configuration can be set via the editing the following section in the chart’s values.

  • It is recommended to utilize BigBang’s encrypted helm values support to paste in the client_secret directly.
  • Below config are example BigBang values for enabling and configuring OIDC support:
sso:
  oidc:
    host: login.dso.mil
    realm: baby-yoda
  certificate_authority: ''

monitoring:
  sso:
    enabled: true
    grafana:
      client_id: ""
      client_secret: ""
      scopes: "openid Grafana" # default 'openid profile email'
      allow_sign_up: "true" # true/false if Grafana will auto-create users from Keycloak after successful first login
  • The root_url setting DOES NOT need to be edited if you filled in your β€œhostname” variable in your values file and istio is enabled, update only if desiring a different prefix or if not using HTTPS.

  • Setting monitoring.sso.enabled=true in BigBang values will set Grafana OIDC to enabled.

  • Update role_attribute_path to either β€œEditor” or β€œAdmin” to allow all OIDC created users to be able to edit dashboards or administer the grafana install.

Enabling Grafana OIDC in BigBangπŸ“œ

monitoring:
  sso:
    enabled: true
    grafana:
      client_id: grafana
      client_secret: secret

OIDC Custom CAπŸ“œ

Grafana can establish trust using a CA cert file with OIDC auth connections. An example of this when using Big Bang to deploy grafana with a secret named grafana-oidc-secret is below. This assumes the secret is created in the same namespace (an example of secret creation can also be found below):

monitoring:
  sso:
    enabled: true
    grafana:
      scopes: "openid Grafana" #this is a sample client scope, review docs/KEYCLOAK.md
      allow_sign_up: "true"
      role_attribute_path: "Viewer"
      tls_client_cert: ""
      tls_client_key: ""
      tls_client_ca : "/etc/oidc/ca.pem"
      tls_skip_verify_insecure: false
      client_id: "grafana"    #this is a sample client_id, review docs/KEYCLOAK.md
      client_secret: "secret" #this is a sample secret, review docs/KEYCLOAK.md
      auth_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
      token_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
      api_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
      # allowed_domains: ""
      # empty_scopes: false




monitoring:
  values:
    grafana:
      extraSecretMounts:
        - name: "oidc-ca-cert"
          mountPath: "/etc/oidc/ca.pem"
          secretName: "grafana-oidc-secret"
          readOnly: true
          subPath: "ca.pem"

Secret creation example that works with this example”

kubectl create secret generic grafana-oidc-secret --from-file=ca.pem=/path/to/cert.pem -n monitoring

Prometheus + Alertmanager ConfigurationπŸ“œ

Configuration of Keycloak/OIDC auth in front of Prometheus+Alertmanager requires the following:

sso:
  oidc:
    host: login.dso.mil
    realm: baby-yoda
  certificate_authority: ''
  # JWKS value is different for each Keycloak instance, will need to be retrieved after deployment. Can be found with: $ curl https://$KEYCLOAK_URL$/auth/realms/$KEYCLOAK_REALM$ /protocol/openid-connect/certs
  jwks: ""

monitoring:
  sso:
    enabled: true
    prometheus:
      client_id: ""
      client_secret: ""
    alertmanager:
      client_id: ""
      client_secret: ""

authservice:
  enabled: true
  • Configuration above is for BigBang, chains for authservice are automatically populated when above settings are present.

  • Setting monitoring.sso.enabled to true installs an HAProxy container in the authservice namespace which works in conjunction with Authservice itself to place an OIDC redirect in front of Prometheus+Alertmanager.

  • When monitoring.sso.enabled is set to true, the Prometheus+Alertmanager VirtualServices are replaced with ones that route to the HAProxy Deployment rather than directly to the services themselves.

Last update: 2023-05-16 by Ryan Garcia