Verified Commit 5ac750c9 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Add a prometheus exporter to Keycloak

Install keycloak-metrics-spi and configure it to provide prometheus
endpoints available as auth/realms/$realm/metrics. The prometheus
metrics are behind basic_auth as some metrics might be sensitive or could be
useful to attackers. #23
parent cdb023fd
$ANSIBLE_VAULT;1.1;AES256
38386666643233373639363835396530396162636562393531373566623531346131613739386637
3238633664333561343139663665663537336633303036610a386436626330646262333130626539
35323033316530616437326630393632646630363664303765636362353063653232373233353862
6135346434373562350a376133626564643138386631366331333261376239636236343630303762
64633431326164386332396238363332303965363666663636373465626563373535343534633232
64313366623238656663383066613030633861333239623964633830323535363666303637663864
35366131663337663534393863313634376433303935363733366234326639613034363465366538
37343866306439336165666266323034666331616365333839343436306632643339386532623566
34373165323664663365663237323361643137616165666130333537653862633730646637656635
30656434366431353863333961353232653538616663313331343932363163353833633332383735
35313531333839366132343038326230643235663133373334393562393435333136363534383134
37643431666631666564383533366235313563636438666464343738376431643463373134346530
61613461326137333162346330323232333562306638353332386538386465396238
33633161366238616563613336356635353433646634623833303462623731616439336533396263
3234313663646437663864316637623065326434643132630a643536666665346331316339363034
39313739346138353061623139303034656339316262646161396338313065316461336636663661
3163663737393062370a396238663831313366646138663161353930616532373936663533616535
62613266386534343937313762323263363665366564313931646237663934616437326364313030
37323034306165626130343639326564393239633033343633623261366431656139626136356434
33666261303831346339653135363134646663323633306462616233623239333864353832393336
30343335316463333134363937366335343561303434396364383362386139303933386630336233
66616335633338353232636231333065326232383665613131393263336333653662393738633433
66643063336531613030376462353962656536376336383838356162313864373434366639323064
62366661396532356238663030303163623836313165643039623838383736346161373534623236
30373764396663643861653238303535336235643762326134363238656464633463386135343665
39306265653636656361633433333162333235633435386232646163316564323938646662363631
63316462373137653138323535313933626430373631666236636534666232613262303439313739
36353534333965326666643132636630383634353230303063313735353133643933643634303061
39343162373463376332306330656535613833616137323738336337376230343863393363633037
62613733306466626263643237303930386634373635643166653439613230656335366262666434
62636334323733303932386464343834373239633831653263323862376335333236336563316136
633064616535613235343934383333623930
......@@ -4,3 +4,4 @@ keycloak_db_password: keycloak
keycloak_domain: accounts.archlinux.org
keycloak_home_dir: /opt/keycloak
keycloak_port: "8443"
keycloak_nginx_htpasswd: /etc/nginx/auth/prometheus
---
- name: install keycloak
pacman: name=keycloak state=present
pacman: name=keycloak,keycloak-metrics-spi,python-passlib state=present
- name: template keycloak config
template: src=standalone.xml.j2 dest=/etc/keycloak/standalone.xml owner=keycloak group=keycloak mode=600
......@@ -43,6 +43,15 @@
become_user: postgres
become_method: su
- name: create htpasswd for nginx prometheus endpoint
htpasswd:
path: "{{ keycloak_nginx_htpasswd }}"
name: "{{ vault_keycloak_nginx_user }}"
password: "{{ vault_keycloak_nginx_passwd }}"
owner: root
group: http
mode: 0640
- name: make nginx log dir
file: path="/var/log/nginx/{{ keycloak_domain }}" state=directory owner=root mode=0755
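Review bot: The task `create htpasswd for nginx prometheus endpoint` writes `{{ keycloak_nginx_htpasswd }}` (set to /etc/nginx/auth/prometheus in the vars hunk), but the htpasswd module creates only the file, not a missing parent directory, so on a fresh host the play fails unless /etc/nginx/auth already exists — whether another role creates it is not visible here. If nothing does, precede it with `- name: make nginx auth dir` / `file: path=/etc/nginx/auth state=directory owner=root group=root mode=0755`. The chosen `owner: root`, `group: http`, `mode: 0640` is the right shape: nginx workers can read the credential file while other local users cannot. The enclosing task list continues outside the hunk.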
......@@ -28,6 +28,19 @@ server {
root {{ keycloak_domain }};
location ~ /auth/realms/[a-z]+/metrics {
auth_basic "Prometheus exporter";
auth_basic_user_file {{ keycloak_nginx_htpasswd }};
access_log /var/log/nginx/{{ keycloak_domain }}/access.log main;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
proxy_pass https://localhost:{{ keycloak_port }};
}
location / {
access_log /var/log/nginx/{{ keycloak_domain }}/access.log main;
proxy_set_header Host $host;
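Review bot: The `location ~ /auth/realms/[a-z]+/metrics` regex is unanchored and does not cover every realm name: a realm containing a digit, hyphen, underscore or uppercase letter does not match, so its metrics endpoint falls through to `location /` and is served without basic auth. Anchoring and widening the class, `location ~ ^/auth/realms/[^/]+/metrics$ {`, protects every realm's endpoint and stops the pattern from matching as a substring of a longer path. nginx forwards client request headers upstream, so the htpasswd credentials in `Authorization` also reach Keycloak; `proxy_set_header Authorization "";` inside this block keeps them at the proxy. `proxy_ssl_verify off` is presumably mirrored from the existing `location /` block (outside the hunk) and is tolerable only because the upstream is localhost. The server block begins and ends outside the hunk.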
......@@ -566,6 +566,9 @@
</properties>
</provider>
</spi>
<spi name="eventsListeners">
<provider name="metrics-listener" enabled="true"/>
</spi>
</subsystem>
</profile>
<interfaces>
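Review bot: The new `<spi name="eventsListeners">` block gives no hint that the `metrics-listener` provider comes from the keycloak-metrics-spi package installed by the pacman task in another file, so someone editing standalone.xml.j2 later cannot tell what removing or renaming it breaks. An XML comment above the block, `<!-- metrics-listener is provided by keycloak-metrics-spi; it must also be registered per realm (see the terraform keycloak_realm_events resource) -->`, records that dependency. The enclosing subsystem element begins outside the hunk.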
......@@ -108,6 +108,7 @@ resource "keycloak_realm_events" "realm_events" {
events_listeners = [
"jboss-logging", # keycloak enables the 'jboss-logging' event listener by default.
"metrics-listener", # enable the prometheus exporter (keycloak-metrics-spi)
]
}