Integrating SUSE Observability with KeyCloak

SUSE O11y supports several authentication mechanisms; currently these are:

  • Single password
  • File based
  • LDAP
  • Open ID Connect (OIDC)
  • KeyCloak (a specialized version of OIDC)

This post tests the KeyCloak integration: https://documentation.suse.com/cloudnative/suse-observability/next/en/setup/security/authentication/keycloak.html

Environment:

  • KeyCloak: 26.3.0
  • SUSE O11y: 2.3.3

Deploying KeyCloak

Deploy it following the documentation: https://www.keycloak.org/getting-started/getting-started-kube

After deployment, create a self-signed certificate and mount it on the KeyCloak Ingress; the script referenced here can be used to generate it: https://docs.rancher.cn/docs/rancher2/installation/resources/advanced/self-signed-ssl/_index/#4-%E5%A6%82%E4%BD%95%E7%94%9F%E6%88%90%E8%87%AA%E7%AD%BE%E5%90%8D%E8%AF%81%E4%B9%A6

```shell
kubectl -n keycloak create secret tls keycloak-tls --cert=tls.crt --key=tls.key

cat <<EOF | kubectl -n keycloak apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
spec:
  rules:
  - host: keycloak.warnerchen.com
    http:
      paths:
      - backend:
          service:
            name: keycloak
            port:
              number: 8080
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - keycloak.warnerchen.com
    secretName: keycloak-tls
EOF
```

Open KeyCloak; the default username and password are both admin.

Create a Client:

Under that Client, create three Roles:

  • keycloak-guest-role-for-stackstate
  • keycloak-power-user-role-for-stackstate
  • keycloak-admin-role-for-stackstate

Create two Users and grant each one a different Role:

Get the Client Secret:

Configuring SUSE O11y for KeyCloak

Prepare the YAML configuration:

```shell
cat <<EOF > authentication.yaml
stackstate:
  authentication:
    keycloak:
      # For KeyCloak versions before 17, the /auth path must be appended to the URL
      url: "https://keycloak.warnerchen.com"
      realm: master
      authenticationMethod: client_secret_basic
      clientId: stackstate
      secret: "xxx"
      jwsAlgorithm: RS256
      roles:
        guest: ["keycloak-guest-role-for-stackstate"]
        powerUser: ["keycloak-power-user-role-for-stackstate"]
        admin: ["keycloak-admin-role-for-stackstate"]
EOF
```
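As an added example (not from the original post, nor SUSE Observability's own code), the following Python mirrors the url/realm and roles settings in the YAML above: it derives the issuer KeyCloak writes into its tokens (with and without the pre-17 /auth prefix), checks issuer, audience and expiry of a decoded token, and maps the user's KeyCloak client roles onto the guest/powerUser/admin roles. Assumptions: the claims have already passed the RS256 signature check, client roles sit in KeyCloak's standard resource_access.<clientId>.roles claim, and the sample payloads are constructed.

```python
import time
from typing import Dict, List, Optional

# Mirror of the authentication.yaml above (page values; the client secret plays no part here).
KEYCLOAK_URL = "https://keycloak.warnerchen.com"
REALM = "master"
CLIENT_ID = "stackstate"
ROLE_MAPPING: Dict[str, List[str]] = {
    "guest": ["keycloak-guest-role-for-stackstate"],
    "powerUser": ["keycloak-power-user-role-for-stackstate"],
    "admin": ["keycloak-admin-role-for-stackstate"],
}

def expected_issuer(url: str, realm: str, legacy_auth_path: bool = False) -> str:
    """Issuer KeyCloak puts in its tokens: <url>/realms/<realm>; before v17 it sat under /auth."""
    base = url.rstrip("/") + ("/auth" if legacy_auth_path else "")
    return f"{base}/realms/{realm}"

def client_roles(claims: dict, client_id: str) -> List[str]:
    """Client-scoped roles. Assumption: KeyCloak's standard resource_access.<clientId>.roles claim."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def resolve_roles(claims: dict, now: Optional[int] = None, legacy_auth_path: bool = False) -> List[str]:
    """Check issuer, audience and expiry of signature-verified claims (the RS256 check from
    jwsAlgorithm above happens upstream), then map KeyCloak client roles to O11y roles."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer(KEYCLOAK_URL, REALM, legacy_auth_path):
        raise ValueError(f"unexpected issuer: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud and claims.get("azp") != CLIENT_ID:
        raise ValueError(f"token was not issued for client {CLIENT_ID!r}")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    have = set(client_roles(claims, CLIENT_ID))
    # The user receives every O11y role whose configured list intersects their KeyCloak roles.
    return [o11y for o11y, kc in ROLE_MAPPING.items() if have.intersection(kc)]

# Constructed sample payloads, modelled on what the two users created above would receive.
ADMIN_CLAIMS = {
    "iss": "https://keycloak.warnerchen.com/realms/master", "aud": "stackstate",
    "azp": "stackstate", "exp": 1_760_000_000, "preferred_username": "alice",
    "resource_access": {"stackstate": {"roles": ["keycloak-admin-role-for-stackstate"]}},
}
GUEST_CLAIMS = dict(ADMIN_CLAIMS, preferred_username="bob",
                    resource_access={"stackstate": {"roles": ["keycloak-guest-role-for-stackstate"]}})

if __name__ == "__main__":
    for c in (ADMIN_CLAIMS, GUEST_CLAIMS):
        print(c["preferred_username"], "->", resolve_roles(c, now=1_750_000_000))
```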

If KeyCloak uses a self-signed certificate, SUSE O11y must be configured to skip certificate verification (this turns off TLS certificate checking for the server's outbound connections, including those to KeyCloak, so it is only appropriate for a test setup like this one):

```yaml
stackstate:
  components:
    server:
      extraEnv:
        open:
          CONFIG_FORCE_stackstate_misc_sslCertificateChecking: false
```

For more configuration options see: https://github.com/StackVista/helm-charts/tree/master/stable/suse-observability

Then update SUSE O11y with helm upgrade.

Once the update finishes, opening SUSE O11y redirects to the KeyCloak login page:

Log in with one of the Users created earlier in KeyCloak; you are redirected back to SUSE O11y with the corresponding permissions:

The session is also visible in KeyCloak:

Author

Warner Chen

Posted on

2025-07-10

Updated on

2025-07-10
