Posted Updated 4 minutes read (About 540 words)

Rancher Monitoring Grafana 对接 KeyCloak

Rancher Monitoring 的 Grafana 目前不能与 Rancher 对接 RBAC,可以通过对接 KeyCloak 进行进行用户身份认证。

环境信息:

  1. Rancher: v2.9.5-ent
  2. KeyCloak: 26.4.5
  3. Rancher Monitoring Helm Chart: 104.1.4+up57.0.3

参考文档:https://grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/keycloak/

部署 KeyCloak

参考:https://warnerchen.github.io/2025/11/19/Rancher-%E5%AF%B9%E6%8E%A5-KeyCloak-OIDC/#%E9%83%A8%E7%BD%B2-KeyCloak

配置 KeyCloak

创建一个 Client:

在 Client 里创建三个 Role:

在 Client scopes -> grafana-dedicated 中,创建一个 Mapper:

在 Client scopes -> Setup 中,将 email/offline_access/profile/roles 设置为 Default:

创建三个 Group,分别赋予对应的 Client Role:

创建一个 User,将其添加到其中一个 Group 中,此处选择 editor:

回到 Client -> Client scopes -> Evaluate,选择刚刚创建的 User,在选择 Generated access token:

JSON 中如果包含以下内容,说明没问题:

1
2
3
"roles": [
  "editor"
],

配置 Grafana 对接 KeyCloak

在 Rancher 中,安装/更新 Rancher Monitoring V2,并在 Edit YAML 中进行配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
...
grafana:
  # 如果期望在 grafana.ini 中直接写入 client_secret,需要将其设置为 false
  assertNoLeakedSecrets: false
  grafana.ini:
    auth.generic_oauth:
      allow_sign_up: true
      api_url: https://keycloak.warnerchen.com/realms/suse/protocol/openid-connect/userinfo
      auth_url: https://keycloak.warnerchen.com/realms/suse/protocol/openid-connect/auth
      client_id: grafana
      client_secret: xxx
      email_attribute_path: email
      enabled: true
      login_attribute_path: username
      name: Keycloak-OAuth
      name_attribute_path: full_name
      role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*],
        'editor') && 'Editor' || 'Viewer'
      scopes: openid email profile offline_access roles
      tls_skip_verify_insecure: true
      token_url: https://keycloak.warnerchen.com/realms/suse/protocol/openid-connect/token
    server:
      root_url: http://grafana.warnerchen.com
  ingress:
    enabled: true
    hosts:
    - grafana.warnerchen.com

安装/更新完成后,通过 Rancher/Ingress 访问 Grafana,点击右上角的 Sign in:

通过 KeyCloak 登录:

登录成功后,查看 Role 为 Editor,说明配置成功:

如果 Rancher 和 Grafana 对接的是同一个 Keycloak Realm,那么从 Rancher 跳转到 Grafana 后,点击 Keycloak 登录按钮时,无需再次输入凭证,就可以直接完成登录。

Rancher Monitoring Grafana 对接 KeyCloak

https://warnerchen.github.io/2025/11/20/Rancher-Monitoring-Grafana-对接-KeyCloak/

Author

Warner Chen

Posted on

2025-11-20

Updated on

2025-11-20

Licensed under

#
You need to set install_url to use ShareThis. Please set it in _config.yml.

Like this article? Support the author with

You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.
Follow

Links

Recents

Archives

Tags

ai2
ansible1
calico2
cert-manager1
cilium1
cisco1
container5
containerd1
containers1
docker2
elasticsearch1
elk1
etcd3
fluentd1
harbor1
istio2
jenkins2
jfrog1
kafka1
kubernetes9
linux4
metallb1
mysql1
nexus1
others2
prometheus3
redis2
ssl1
suse43
web1
zookeeper1
面试1
首页1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×