Addon: OAuth2 Proxy
The oauth2-proxy addon lets you use OAuth2 Proxy to authenticate users against Keycloak or a similar OAuth2 provider.
Check the OAuth2 Proxy docs for all possible configuration options.
For cluster-internal authentication, a brancz/kube-rbac-proxy sidecar is also deployed.
The addon adds the following configuration options under the INSTANCE.prometheus.config._oauth2Proxy and INSTANCE.alertmanager.config._oauth2Proxy keys:
ingress.host
| type | string |
| default | |
| example | |
The hostname of the ingress.
ingress.annotations
| type | dictionary |
| default | |
| example | |
ingress.tls.secretName
| type | string |
| default | |
The name of the secret containing the TLS certificate.
If left empty, the name is generated from the ingress name by appending -tls.
proxyEnv
| type | dictionary |
| default | |
| example | |
A dictionary of environment variables to set on the OAuth2 Proxy container.
If a variable is given a string, that string is used as the value of the environment variable.
If it is given a dictionary, that dictionary is inserted under the valueFrom key.
proxyArgs
| type | dictionary |
| default | |
| example | |
A dictionary of arguments to pass to the OAuth2 Proxy.
Example
addons:
  - oauth2-proxy
instances:
  default-instance:
    prometheus:
      enabled: true
      config:
        _oauth2Proxy: &oauth2ProxyConfig
          ingress:
            host: prometheus.example.com
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt-production
          proxyEnv:
            OAUTH2_PROXY_COOKIE_SECRET:
              secretKeyRef:
                name: oauth2-proxy
                key: cookieSecret
            OAUTH2_PROXY_CLIENT_SECRET:
              secretKeyRef:
                name: oauth2-proxy
                key: clientSecret
          proxyArgs:
            "email-domain": example.com
            "provider": keycloak-oidc
            "provider-display-name": "Example Account"
            "oidc-issuer-url": https://example.com/auth/realms/example-realm
            "custom-sign-in-logo": https://example.com/_images/logo.png
            "real-client-ip-header": X-Forwarded-For
    alertmanager:
      enabled: true
      config:
        _oauth2Proxy:
          <<: *oauth2ProxyConfig
          # The YAML merge key (<<) is shallow: this ingress block replaces the
          # anchored one as a whole, which is why the annotations are repeated.
          ingress:
            host: alertmanager.example.com
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt-production
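The proxyEnv rule described above (a string becomes value, a dictionary goes under valueFrom), as an added Python illustration that is not the addon's own code. The --key=value rendering of proxyArgs, the inline_secrets check with its marker list, and the sample values are assumptions made for this example.

```python
# Assumption: variable names containing these markers hold credentials.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "TOKEN")


def render_env(proxy_env):
    """Apply the page's rule: string -> value, dictionary -> valueFrom."""
    env = []
    for name, value in sorted(proxy_env.items()):
        if isinstance(value, dict):
            env.append({"name": name, "valueFrom": value})
        else:
            env.append({"name": name, "value": str(value)})
    return env


def render_args(proxy_args):
    """Assumed rendering: each key/value pair becomes one --key=value argument."""
    return ["--%s=%s" % (key, value) for key, value in sorted(proxy_args.items())]


def inline_secrets(proxy_env):
    """Names of sensitive variables set as literal strings, not via secretKeyRef."""
    findings = []
    for name, value in sorted(proxy_env.items()):
        sensitive = any(marker in name.upper() for marker in SENSITIVE_MARKERS)
        uses_ref = isinstance(value, dict) and "secretKeyRef" in value
        if sensitive and not uses_ref:
            findings.append(name)
    return findings


# Constructed sample input: the cookie secret follows the page's example,
# the client secret is deliberately given inline to trigger the check.
SAMPLE_ENV = {
    "OAUTH2_PROXY_COOKIE_SECRET": {
        "secretKeyRef": {"name": "oauth2-proxy", "key": "cookieSecret"}
    },
    "OAUTH2_PROXY_CLIENT_SECRET": "constructed-inline-value",
    "OAUTH2_PROXY_CLIENT_ID": "prometheus",
}
SAMPLE_ARGS = {"provider": "keycloak-oidc", "email-domain": "example.com"}

if __name__ == "__main__":
    for entry in render_env(SAMPLE_ENV):
        print(entry)
    print(render_args(SAMPLE_ARGS))
    print("inline secrets:", inline_secrets(SAMPLE_ENV))
```

Running inline_secrets over the rendered hierarchy before deployment catches a client or cookie secret that would otherwise land as plain text in the container spec.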