If you install self-hosted logging or monitoring, access to Kibana, Grafana, Prometheus and Alertmanager is unrestricted by default.


To protect these applications with the Keycloak instance of the Kublr Control Plane (KCP), add the following to your cluster specification.


Make sure to replace every `<keycloak_url>` placeholder in the configuration with the Keycloak URL of your specific KCP location.



# Cluster specification fragment that turns on OIDC authentication for Kibana
# (logging feature) and Alertmanager, Grafana and Prometheus (monitoring
# feature) against the kublr-ui Keycloak realm.
#
# <keycloak_url> is a placeholder: replace all ten occurrences (five per
# feature) with the Keycloak URL of your Kublr Control Plane before applying.
# NOTE(review): use an https:// URL - the login redirect and the token
# redemption both go through these endpoints.
# NOTE(review): after applying, confirm that an unauthenticated request to each
# of the four UIs is sent to the Keycloak login page instead of being served.
spec:
  features:
    logging:
      values:
        global:
          keycloak:
            init:
              # NOTE(review): presumably disables automatic Keycloak client
              # setup for this feature, in which case the clientId used below
              # must already exist in the kublr-ui realm - confirm.
              enabled: false
          oauth2:
            proxy:
              # Each value is a complete command-line flag (these look like
              # oauth2-proxy options); the map key only names the entry.
              extraArgs:
                # OIDC issuer for the realm. NOTE(review): scheme, host and
                # path should match what Keycloak itself reports as issuer;
                # a mismatch is expected to break token validation - verify.
                oidc_issuer_url: --oidc-issuer-url=<keycloak_url>/auth/realms/kublr-ui
                # Authorization endpoint the browser is redirected to.
                login_url: --login-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/auth
                # Token endpoint used to redeem the authorization code.
                redeem_url: --redeem-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/token
                # Profile lookup and token validation both use the userinfo
                # endpoint.
                profile_url: --profile-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo
                validate_url: --validate-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo
        kibana:
          authentication:
            enabled: true
            oidc:
              # OIDC client for Kibana in the realm named below.
              clientId: logging-kibana
              enabled: true
              realm: kublr-ui
    monitoring:
      values:
        global:
          keycloak:
            init:
              # Same setting as under logging; see the review note there about
              # the clients having to exist in the realm.
              enabled: false
          oauth2:
            proxy:
              # Same five endpoint flags as under logging; keep both copies
              # pointing at the same Keycloak URL and realm.
              extraArgs:
                oidc_issuer_url: --oidc-issuer-url=<keycloak_url>/auth/realms/kublr-ui
                login_url: --login-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/auth
                redeem_url: --redeem-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/token
                profile_url: --profile-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo
                validate_url: --validate-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo
        # Each monitoring application gets its own OIDC client; all three use
        # the kublr-ui realm. An application left out of this list keeps its
        # default, which the page describes as unrestricted access.
        alertmanager:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-alertmanager
              enabled: true
              realm: kublr-ui
        grafana:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-grafana
              enabled: true
              realm: kublr-ui
        prometheus:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-prometheus
              enabled: true
              realm: kublr-ui