Addon: Oauth2 Proxy

Adding the oauth2-proxy addon will allow you to use the Oauth2 Proxy to authenticate users using Keycloak or similar Oauth2 providers.

Check the Oauth2 Proxy docs for all possible configuration options.

For cluster internal authentication a brancz/kube-rbac-proxy sidecar is also deployed.

The addon adds the following configuration options under the INSTANCE.prometheus.config._oauth2Proxy and INSTANCE.alertmanager.config._oauth2Proxy key:

ingress.enabled

type

boolean

default

true

Whether to deploy an ingress for the Oauth2 Proxy.

ingress.host

type

string

default

null

example

prometheus-infra.example.com

The hostname of the ingress.

ingress.annotations

type

dictionary

default

{}

example
cert-manager.io/cluster-issuer: letsencrypt-production

ingress.tls.enabled

type

boolean

default

true

Whether to enable TLS for the ingress.

ingress.tls.secretName

type

string

default

null

The name of the secret containing the TLS certificate. If left empty the name will be generated from the ingress name by appending -tls.

proxyEnv

type

dictionary

default

{}

example
OAUTH2_PROXY_COOKIE_SECRET:
  secretKeyRef:
    name: oauth2-proxy
    key: cookieSecret
OAUTH2_PROXY_CLIENT_SECRET:
  secretKeyRef:
    name: oauth2-proxy
    key: clientSecret

A dictionary of environment variables to set on the Oauth2 Proxy container.

If given a string, the value will be used as the value of the environment variable. If given a dictionary, the value will be inserted under the valueFrom key.

proxyArgs

type

dictionary

default

{}

example
proxyArgs:
  "email-domain": example.com
  "provider": keycloak-oidc
  "provider-display-name": "Example Account"
  "oidc-issuer-url": https://example.com/auth/realms/example-realm
  "custom-sign-in-logo": https://example.com/_images/logo.png
  "real-client-ip-header": X-Forwarded-For

A dictionary of arguments to pass to the Oauth2 Proxy.

Example

addons:
  - oauth2-proxy

instances:
  default-instance:
    prometheus:
      enabled: true
      config:
        _oauth2Proxy: &oauth2ProxyConfig
          ingress:
            host: prometheus.example.com
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt-production
          proxyEnv:
            OAUTH2_PROXY_COOKIE_SECRET:
              secretKeyRef:
                name: oauth2-proxy
                key: cookieSecret
            OAUTH2_PROXY_CLIENT_SECRET:
              secretKeyRef:
                name: oauth2-proxy
                key: clientSecret
          proxyArgs:
            "email-domain": example.com
            "provider": keycloak-oidc
            "provider-display-name": "Example Account"
            "oidc-issuer-url": https://example.com/auth/realms/example-realm
            "custom-sign-in-logo": https://example.com/_images/logo.png
            "real-client-ip-header": X-Forwarded-For

    alertmanager:
      enabled: true
      config:
        _oauth2Proxy:
          <<: *oauth2ProxyConfig
          ingress:
            host: alertmanager.example.com
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt-production