I manage a production Kubernetes cluster which is increasingly relying on Grafana dashboarding and instrumentation. Initially, we integrated Grafana with our KeyCloak instance using the following excerpt in grafana.ini:

[auth.generic_oauth]
allow_sign_up = true
api_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/userinfo
auth_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/auth
client_id = grafana
client_secret = <my secret>
enabled = true
name = KeyCloak
scopes = openid profile email
token_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/token

Provided that we had a client ID and secret from Grafana, this was a relatively easy configuration. The problem was that by default an OIDC user had no privileges beyond viewing: they could view a dashboard, but they couldn't create or import one, and (more importantly) they couldn't use the "Explore" tab to drive Loki.
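The usual fix for this is Grafana's role_attribute_path setting, a JMESPath expression that Grafana evaluates against the user's ID token or userinfo claims to pick the Viewer, Editor or Admin org role. The following is an added example, not code from the original post: it reproduces that mapping in plain Python over a constructed Keycloak-style claims document, so you can see which role a given user would land in before editing grafana.ini. It assumes Keycloak exposes realm roles under realm_access.roles and client roles under resource_access.grafana.roles, which requires the realm-roles and client-roles protocol mappers to be enabled on the grafana client; the Keycloak role names are hypothetical.

```python
import json

# Equivalent grafana.ini settings under [auth.generic_oauth] (standard Grafana options, assumed here):
#   role_attribute_path = contains(realm_access.roles[*], 'grafana-admin') && 'Admin' || contains(realm_access.roles[*], 'grafana-editor') && 'Editor' || 'Viewer'
#   role_attribute_strict = true   # refuse logins that match no role instead of silently granting Viewer

# Constructed sample claims, shaped like what Keycloak returns from userinfo / in the ID token
# once the realm-roles and client-roles mappers are enabled on the "grafana" client.
SAMPLE_CLAIMS = json.loads("""
{
  "preferred_username": "alice",
  "email": "alice@example.com",
  "realm_access": {"roles": ["offline_access", "grafana-editor"]},
  "resource_access": {"grafana": {"roles": ["viewer"]}}
}
""")

# Hypothetical Keycloak role names mapped to Grafana org roles, most privileged first.
# The first match wins, mirroring the left-to-right evaluation of the JMESPath expression above.
ROLE_MAP = [
    ("grafana-admin", "Admin"),
    ("grafana-editor", "Editor"),
    ("grafana-viewer", "Viewer"),
]


def collect_roles(claims, client_id="grafana"):
    """Return the realm roles plus the client roles for client_id found in the claims."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def grafana_role(claims, strict=False):
    """Pick the Grafana org role the way role_attribute_path would.

    With strict=False an unmatched user falls back to Viewer (Grafana's default);
    with strict=True (role_attribute_strict) the login is refused and None is returned.
    """
    roles = collect_roles(claims)
    for keycloak_role, org_role in ROLE_MAP:
        if keycloak_role in roles:
            return org_role
    return None if strict else "Viewer"


if __name__ == "__main__":
    print(json.dumps({"user": SAMPLE_CLAIMS["preferred_username"], "role": grafana_role(SAMPLE_CLAIMS)}))
```

Paste the real userinfo response from your Keycloak realm in place of SAMPLE_CLAIMS: if the roles are missing there, the JMESPath expression in Grafana will never match either, and that points at the mappers rather than at grafana.ini.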
