Setup Prometheus with Keycloak

This how-to will help you to setup Prometheus with Keycloak authentication.

Prerequisites

  • A running Keycloak instance

  • A cluster with an ingress controller and this component installed

  • A working Let’s Encrypt setup

Setup

  1. Login to the Keycloak instances admin console

  2. Create a new client using openid-connect protocol

  3. Configure the client with the following values

    Access Type

    confidential
    Valid Redirect URIs

    prometheus.example.com/oauth2/callback

NOTE: If using Alertmanager, you also need to add the following redirect uri: alertmanager.example.com/oauth2/callback.

  1. Configure the audience claim

    Navigate to the Mappers tab. Create a new mapper with the following values:

    Name

    static audience
    Mapper Type

    Audience
    Included Client Audience

    CLIENT_NAME (from the previous step)
    Included Custom Audience

    CLIENT_NAME (from the previous step)
    Add to ID token

    off
    Add to access token

    on

  2. Copy the client secret

    Navigate to the Credentials tab. Copy the value from the Secret field.

  3. Add the proxy configuration to your cluster’s Prometheus configuration

    prometheus:
  addons:
    - oauth2-proxy

  secrets:
    oauth2-proxy:
      metadata:
        namespace: syn-example-prometheus (1)
      stringData:
        cookieSecret: '?{vaultkv:${cluster:tenant}/${cluster:name}/syn-example-prometheus/oauth2_cookie_secret}' (2)
        clientSecret: '?{vaultkv:${cluster:tenant}/${cluster:name}/syn-example-prometheus/oauth2_client_secret}' (3)

  instances:
    example: (4)
      common:
        namespace: syn-example-prometheus (1)
      prometheus:
        enabled: true
        config:
          _oauth2Proxy: &oauth2ProxyConfig
            ingress:
              host: prometheus.example.com (5)
              annotations:
                cert-manager.io/cluster-issuer: letsencrypt-production (6)
            proxyEnv:
              OAUTH2_PROXY_COOKIE_SECRET:
                secretKeyRef:
                  name: oauth2-proxy
                  key: cookieSecret
              OAUTH2_PROXY_CLIENT_SECRET:
                secretKeyRef:
                  name: oauth2-proxy
                  key: clientSecret
            proxyArgs: (7)
              "provider": keycloak-oidc
              "provider-display-name": "Example Account"
              "client-id": "syn-prometheus-infra" (8)
              "email-domain": vshn.net (9)
              "oidc-issuer-url": https://keycloak.example.com/auth/realms/REALM (10)

      alertmanager: (11)
        enabled: true
        config:
          _oauth2Proxy:
            <<: *oauth2ProxyConfig (12)
            ingress:
              host: alertmanager.example.com
              annotations:
                cert-manager.io/cluster-issuer: letsencrypt-production
    1 The namespace where the Prometheus instance is deployed.
    2 The cookie secret is used to encrypt the cookie. Must be 16 or 32 bytes long. Can be generated with dd if=/dev/urandom bs=1 count=32 | base64.
    3 The client secret copied from the Keycloak admin console in an earlier step.
    4 The name of the Prometheus instance.
    5 The hostname where the proxy should be exposed. Has to match the hostname of the Valid Redirect URIs.
    6 Used to generate the certificate by cert-manager.
    7 Check the Oauth2 Proxy docs for all possible configuration options.
    8 The client id of the client created in the previous step.
    9 Optional email domain to restrict the users to. Can be set to * to allow all domains.
    10 The URL of the Keycloak instance. Replace REALM with the realm name.
    11 Optional Alertmanager configuration if using Alertmanager.
    12 References a copy of the _oauth2Proxy configuration.

NOTE: allowed-group or allowed-role can be used to further restrict the access to prometheus.

  1. Commit the changes and compile the catalog.