Integrate Keycloak with Grafana

Cristian Manda requested to merge grafana-keycloak into main

This MR enables Keycloak auth for Grafana running in the management cluster, which has access to the Thanos datasource containing all data from all clusters. It also enables ingress for exposing Grafana at grafana.{{ .Values.cluster_domain }}.

For the Keycloak part, we modify the sylva-admin user to include an additional realmRole: grafanaadmin, to provide admin capabilities to the SSO user inside Grafana. Because we cannot modify the realm settings via the available operators for already existing Keycloak deployments (fresh deployments will be created with the additional realmRole via the KeycloakRealm resource), we have to rely on a kube job implemented by the keycloak-add-realm-role unit to do this.

The local admin Grafana user will still be available for non-SSO logins.

The workload clusters still have the default behavior: Rancher login -> Grafana r/o access. For admin access to the workload Grafana, the password is produced by Helm during deployment.

Closes #1038 (closed) #1055 (closed)

Edited by Zaharia Mihai