If you install self-hosted logging or monitoring, access to Kibana, Grafana, Prometheus and Alertmanager will be unrestricted by default.
To protect these applications with the Keycloak instance of the Kublr control plane (KCP), add the following code to your cluster specification.
Make sure to replace `<keycloak_url>` in the configuration with the Keycloak URL of your own KCP.
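# Cluster-specification fragment that turns on Keycloak (OIDC) authentication
# for the self-hosted logging UI (Kibana) and the monitoring UIs
# (Alertmanager, Grafana, Prometheus).
#
# NOTE(review): the listing this was taken from had lost its indentation, so
# the nesting below is reconstructed. Placing `oauth2` under `global`, next to
# `keycloak`, is inferred - confirm it against the chart values of your Kublr
# release before applying. Charts usually ignore a key at the wrong level
# without an error, which would leave the UIs unprotected; after applying,
# check that an unauthenticated request to each UI is redirected to the
# Keycloak login page.
#
# Replace every <keycloak_url> with the base URL of the KCP Keycloak. Use an
# https:// URL so that credentials and tokens are not sent in clear text.
spec:
  features:
    logging:
      values:
        global:
          keycloak:
            init:
              enabled: false
          oauth2:
            proxy:
              # Each value is a complete command-line flag; all endpoints
              # point at the `kublr-ui` realm.
              extraArgs:
                oidc_issuer_url: '--oidc-issuer-url=<keycloak_url>/auth/realms/kublr-ui'
                login_url: '--login-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/auth'
                redeem_url: '--redeem-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/token'
                profile_url: '--profile-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo'
                validate_url: '--validate-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo'
        kibana:
          authentication:
            enabled: true
            oidc:
              # presumably this client must already exist in the kublr-ui
              # realm - verify in Keycloak
              clientId: logging-kibana
              enabled: true
              realm: kublr-ui
    monitoring:
      values:
        global:
          keycloak:
            init:
              enabled: false
          oauth2:
            proxy:
              # Same endpoints as in the logging section; keep the two
              # sections in sync when the Keycloak URL changes.
              extraArgs:
                oidc_issuer_url: '--oidc-issuer-url=<keycloak_url>/auth/realms/kublr-ui'
                login_url: '--login-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/auth'
                redeem_url: '--redeem-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/token'
                profile_url: '--profile-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo'
                validate_url: '--validate-url=<keycloak_url>/auth/realms/kublr-ui/protocol/openid-connect/userinfo'
        # Each monitoring UI gets its own client ID in the kublr-ui realm.
        alertmanager:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-alertmanager
              enabled: true
              realm: kublr-ui
        grafana:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-grafana
              enabled: true
              realm: kublr-ui
        prometheus:
          authentication:
            enabled: true
            oidc:
              clientId: monitoring-prometheus
              enabled: true
              realm: kublr-ui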