I manage a production Kubernetes cluster which is increasingly relying on Grafana dashboarding and instrumentation. Initially, we integrated Grafana with our KeyCloak instance using the following excerpt in grafana.ini:
[auth.generic_oauth]
allow_sign_up = true
api_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/userinfo
auth_url = https://keycloak.example/auth/realms/kube-cluster/protocol/openid-connect/auth
client_id = grafana
client_secret = <my secret>
enabled = true
name = KeyCloak
scopes = openid profile email
token_url = https://keycloak.example.com/auth/realms/kube-cluster/protocol/openid-connect/token
Provided the we had a client ID and secret from Grafana, this was a relatively easy configuration - the problem was that by default an OIDC user had no privileges. They could view a dashboard, but they couldn't create or import a dashboard, or (more importantly), they couldn't use the "Explore" tab to drive Loki.
This post is for paying subscribers only
Sign up now and upgrade your account to read the post and get access to the full library of posts for paying subscribers only.
Sign up now
Already have an account? Sign in