LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Overview
  • Authentication flow
  • Configure KeyCloak
  • Configure SUSE Observability
  • Kubernetes
  • Using an external secret
  • See also
  1. Self-hosted setup
  2. Security
  3. Authentication

KeyCloak

SUSE Observability Self-hosted

PreviousMicrosoft Entra IDNextService tokens

Last updated 4 months ago

Overview

SUSE Observability can authenticate using KeyCloak as an authentication provider, you will need to configure both SUSE Observability and KeyCloak to be able to talk to each other. The following sections describe the respective setups.

Authentication flow

When using Keycloak as an authentication provider, SUSE Observability will use OIDC (OpenID Connect) to authenticate users. The following diagram describes the authentication flow.

Configure KeyCloak

Before you can configure SUSE Observability to authenticate using KeyCloak, you need to add a new client configuration to the KeyCloak Authentication Server. The necessary settings for the client are:

  • Client ID - The ID of the client that's connecting, we recommend naming this stackstate

  • Client Protocol - Set to openid-connect

  • Access Type - Set to confidential, so that a secret is used to establish the connection between KeyCloak and SUSE Observability

  • Standard Flow Enabled - Set to Enabled

  • Implicit Flow Enabled - Set to Disabled

  • Root URL - The root location of SUSE Observability (the same value configured in as base URL of the SUSE Observability configuration

  • Valid redirect URIs - This should be /loginCallback/*

  • Base URL - This should point to the root location of SUSE Observability

Configure SUSE Observability

Kubernetes

To configure SUSE Observability to authenticate using KeyCloak, KeyCloak details and user role mapping needs to be added to the file authentication.yaml. For example:

stackstate:
  authentication:
    keycloak:
      url: "https://keycloak.acme.com/auth"
      realm: acme
      authenticationMethod: client_secret_basic
      clientId: stackstate
      secret: "8051a2e4-e367-4631-a0f5-98fc9cdc564d"
      jwsAlgorithm: RS256
      # scope is optional. By default `openid`, `profile` and `email` are requested
      # scope: ["openid", "profile", "email"] 
      # jwtClaims:
      #   usernameField: preferred_username
      #   groupsField: roles

    # map the roles from Keycloak to the
    # 3 standard subjects in SUSE Observability (guest, powerUser and admin)
    roles:
      guest: ["keycloak-guest-role-for-stackstate"]
      powerUser: ["keycloak-power-user-role-for-stackstate"]
      admin: ["keycloak-admin-role-for-stackstate"]

Note: By default when authenticating a user the request to KeyCloak specifies a default scope of openid profile email if a custom scope has not been specified on the configuration. Verify the Client scopes on your KeyCloak instance to be sure that the default scope is correct or you need a custom one.

Follow the steps below to configure SUSE Observability to authenticate using KeyCloak:

  1. In authentication.yaml - add details of the KeyCloak authentication provider (see the example above). The KeyCloak specific values can be obtained from the client configuration in KeyCloak:

    • url - The base URI for the KeyCloak instance

    • realm - The KeyCloak realm to connect to

    • authenticationMethod - Set to client_secret_basic, this is currently the only supported value.

    • clientId - The ID of the KeyCloak client as configured in KeyCloak

    • secret - The secret attached to the KeyCloak client, which is used to authenticate this client to KeyCloak

    • redirectUri - Optional: The URI where the login callback endpoint of SUSE Observability is reachable. Populated by default using the stackstate.baseUrl, but can be overridden (must be a fully qualified URL that points to the /loginCallback path)

    • jwsAlgorithm - Set this to RS256, this is currently the only supported value.

    • jwtClaims - Optional: The roles or username can be retrieved from a different attribute than the Keycloak default behavior

      • usernameField - Optional: The field in the OIDC user profile that should be used as the username. By default, this will be the preferred_username.

      • groupsField - Optional: SUSE Observability will always, and by default only, use the roles Keycloak provides. But it can also add roles from the field specified here. This is mainly useful when Keycloak is mapping roles/groups from a third-party system.

  2. Store the file authentication.yaml together with the values.yaml file from the SUSE Observability installation instructions.

  3. Run a Helm upgrade to apply the changes:

     helm upgrade \
       --install \
       --namespace suse-observability \
       --values values.yaml \
       --values authentication.yaml \
     suse-observability \
     suse-observability/suse-observability

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

Using an external secret

kind: Secret
metadata:
   name: "<custom-secret-name>"
type: Opaque
data:
  keycloak_client_id: <base64 of client id>
  keycloak_secret: <base64 of secret>

See also

In authentication.yaml - map user roles from KeyCloak to the correct SUSE Observability subjects using the roles.guest, roles.powerUser or roles.admin settings (see the example above). For details, see the . More SUSE Observability roles can also be created, see the .

When the keycloak secrets should come from an external secret, follow but fill in the following data:

🚀
Authentication options
Create RBAC roles
RBAC documentation
Keycloak authentication flow
these steps
External Secrets
default SUSE Observability roles
Permissions for predefined SUSE Observability roles