Posted Updated 3 minutes read (About 382 words)

SUSE Observability 对接 KeyCloak

SUSE O11y 支持对接多种身份验证机制,目前包含以下几种:

  • Single password
  • File based
  • LDAP
  • Open ID Connect (OIDC)
  • KeyCloak (a specialized version of OIDC)

此处测试对接 KeyCloak:https://documentation.suse.com/cloudnative/suse-observability/next/en/setup/security/authentication/keycloak.html

环境信息:

  • KeyCloak:26.3.0
  • SUSE O11y:2.3.3

部署 KeyCloak

参考文档部署:https://www.keycloak.org/getting-started/getting-started-kube

部署后,创建一个自签名证书给 KeyCloak Ingress 挂载,可参考脚本创建:https://docs.rancher.cn/docs/rancher2/installation/resources/advanced/self-signed-ssl/_index/#4-%E5%A6%82%E4%BD%95%E7%94%9F%E6%88%90%E8%87%AA%E7%AD%BE%E5%90%8D%E8%AF%81%E4%B9%A6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
kubectl -n keycloak create secret tls keycloak-tls --cert=tls.crt --key=tls.key

cat <<EOF | kubectl -n keycloak apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
spec:
  rules:
    - host: keycloak.warnerchen.com
      http:
        paths:
          - backend:
              service:
                name: keycloak
                port:
                  number: 8080
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - keycloak.warnerchen.com
      secretName: keycloak-tls
EOF

访问 KeyCloak,默认用户名密码为 admin

创建一个 Client:

在该 Client 下,创建三个 Role:

  • keycloak-guest-role-for-stackstate
  • keycloak-power-user-role-for-stackstate
  • keycloak-admin-role-for-stackstate

创建两个 User,分别授予不同的 Role:

获取 Client Secret:

配置 SUSE O11y 对接 KeyCloak

准备 Yaml 配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cat <<EOF > authentication.yaml
stackstate:
  authentication:
    keycloak:
      # 如果 KeyCloak 为 17 之前的版本,则需要添加 /auth 的路径
      url: "https://keycloak.warnerchen.com"
      realm: master
      authenticationMethod: client_secret_basic
      clientId: stackstate
      secret: "xxx"
      jwsAlgorithm: RS256
    roles:
      guest: ["keycloak-guest-role-for-stackstate"]
      powerUser: ["keycloak-power-user-role-for-stackstate"]
      admin: ["keycloak-admin-role-for-stackstate"]
EOF

如果 KeyCloak 使用的是自签名证书,那么需要配置 SUSE O11y 跳过证书认证:

1
2
3
4
5
6
stackstate:
  components:
    server:
      extraEnv:
        open:
          CONFIG_FORCE_stackstate_misc_sslCertificateChecking: false

更多配置参考:https://github.com/StackVista/helm-charts/tree/master/stable/suse-observability

然后通过 helm upgrade 更新 SUSE O11y。

等待更新完毕,访问 SUSE O11y 就会跳转到 KeyCloak 登陆界面:

使用先前在 KeyCloak 创建的 User 进行登陆,即可跳转到 SUSE O11y,且具有对应的权限:

KeyCloak 也可以看到会话信息:

SUSE Observability 对接 KeyCloak

https://warnerchen.github.io/2025/07/10/SUSE-Observability-对接-KeyCloak/

Author

Warner Chen

Posted on

2025-07-10

Updated on

2025-07-10

Licensed under

#
You need to set install_url to use ShareThis. Please set it in _config.yml.

Like this article? Support the author with

You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.
Follow

Links

Recents

Archives

Tags

ai2
ansible1
calico1
cert-manager1
cisco1
container5
containerd1
containers1
docker2
elasticsearch1
elk1
etcd3
fluentd1
harbor1
istio2
jenkins1
kafka1
kubernetes9
linux4
metallb1
mysql1
nexus1
others2
prometheus3
redis2
suse32
web1
zookeeper1
面试1
首页1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×