Arvind Sharma

Monitoring Keycloak using Prometheus Operator - Kubernetes & Helm Charts

Introduction

Just like how a surveillance system over a compound wall enhances the security of our homes, Keycloak too requires continuous surveillance to better safeguard its application.

This tutorial assumes that the reader has a basic understanding of Keycloak, and it helps readers set up Prometheus Operator to monitor their Keycloak.

Setup

Before we begin, let us first visualize what we will be doing to achieve our target: monitoring Keycloak using Prometheus Operator.

Solution Setup

Here, let us assume that Keycloak is already installed in the Keycloak Namespace.

We will then:

  1. Install Prometheus Operator on Monitoring Namespace which will automatically deploy Prometheus pod.

  2. Enable Keycloak to publish its metrics at keycloak-metrics Service.

  3. Create a Service Monitor (CRD provided by Operator) which points to the keycloak-metrics Service and attach it to our Prometheus Pod.

For this tutorial, I have used Keycloak helm chart from Bitnami. Feel free to use other helm charts and adjust the parameters accordingly.

Installing Prometheus Operator

We will install the Prometheus Operator using Helm charts from prometheus-community. Feel free to use any other helm chart and change the parameters accordingly.

Adding Helm Repository

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

Install Prometheus-Operator

Note: Adjust other parameters accordingly based on requirements.

custom-values.yaml

      ...
      prometheus:
        prometheusSpec:
          serviceMonitorSelector:
            matchLabels:
              <Service Monitor Label Key>: <Service Monitor Label Value>
      ...


We are telling Prometheus to look out for a Service Monitor by adding labels to serviceMonitorSelector.
Remember the labels, as we will have to use the same labels when creating the Service Monitor later in this tutorial.

Once custom-values.yaml is modified according to the requirements, install Prometheus-Operator using the command below:

helm install -f custom-values.yaml --namespace=[MONITORING_NAMESPACE] [RELEASE_NAME] prometheus-community/kube-prometheus-stack

Exposing Keycloak Metrics

Ultimately, our aim is to monitor Keycloak's metrics. Keycloak provides options to make its metrics available for scraping and monitoring. To enable this, set the following parameter in the Keycloak Helm chart's values.yaml:

values.yaml

      ...
      metrics:
        enabled: true
      ...

Note:
By default, the keycloak-metrics Service will include the http-management port, but the metrics for scraping are enabled at the http port (80). So, make sure you patch the keycloak-metrics Service to include the http port in its ports specification.

Service Monitors

Now that we have Prometheus-Operator running and Keycloak making its metrics available at the http port, how do we point Prometheus to scrape the http port where Keycloak furnishes its metrics?

The answer is Service Monitors. Service Monitors are used by Prometheus to automatically detect the target services it should scrape. Refer to the Prometheus Operator documentation for more information.

During installation, we told Prometheus to look out for a Service Monitor by providing labels in serviceMonitorSelector. We will now create that Service Monitor with the information of our keycloak-metrics Service.

Deploy the below manifest.
Note: Deploy this manifest only after the Prometheus-Operator is installed. Because we are attaching this Service Monitor to Prometheus, Prometheus must already be present in the namespace where this Service Monitor is deployed.

Service Monitor Manifest

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: <Insert Appropriate Name for Service Monitor>
  namespace: <MONITORING_NAMESPACE>
  labels:
    <Service Monitor Label Key>: <Service Monitor Label Value>
spec:
  endpoints:
    - port: http
      path: /auth/realms/master/metrics
      interval: <Select Appropriate Intervals at which the Metrics will be scraped automatically>
  selector:
    matchLabels:
      app.kubernetes.io/component: metrics
  namespaceSelector:
    matchNames:
      - <Insert Namespace where Keycloak is installed>

Note: Make sure that the metadata.labels have the same key/values as the ones we have provided in serviceMonitorSelector during Prometheus-Operator installation.

I will now break down the manifest for better understanding.

  endpoints:
    - port: http
      path: /auth/realms/master/metrics
      interval: <Select Appropriate Intervals at which the Metrics will be scraped automatically>

In endpoints of Service Monitor specification, we mention at which port to scrape, what path to scrape, and when (interval) to scrape.

Note: /auth/realms/master/metrics will publish the data for all the realms.

  selector:
    matchLabels:
      app.kubernetes.io/component: metrics
  namespaceSelector:
    matchNames:
      - <Insert Namespace where Keycloak is installed>

The above two selectors provide the service monitor with information about the service which will publish the data. So make sure you provide appropriate selector labels for keycloak-metrics service and namespace where Keycloak is installed.

And that's it! Prometheus will now start scraping the Keycloak metrics automatically at given intervals. To visualize them, you now can open the dashboard and view the metrics!
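If no Keycloak target appears in Prometheus, the cause is usually one of the label, namespace or port-name matches described in the notes above. The following check is an added example, not code from the original post; it works on manifests loaded as dictionaries (for instance from `kubectl get -o json`), and the `release: monitoring` label, the `monitoring` and `keycloak` namespace names, and the function names are assumptions made for illustration.

```python
# Added example: offline wiring check for Prometheus -> ServiceMonitor -> Service.
# All manifests below are constructed samples holding only the fields the check reads.

def satisfies(required, labels):
    """True when every key/value the selector requires is present in labels."""
    return all((labels or {}).get(k) == v for k, v in (required or {}).items())

def check_wiring(sm_selector, monitor, service):
    """Return the mismatches that would leave the target silently unscraped."""
    problems = []
    spec, svc_meta = monitor["spec"], service["metadata"]
    if not satisfies(sm_selector.get("matchLabels"), monitor["metadata"].get("labels")):
        problems.append("ServiceMonitor labels do not satisfy serviceMonitorSelector")
    if not satisfies(spec["selector"].get("matchLabels"), svc_meta.get("labels")):
        problems.append("spec.selector does not match the Service labels")
    ns_sel = spec.get("namespaceSelector", {})
    # Without namespaceSelector, only the ServiceMonitor's own namespace is searched.
    allowed = ns_sel.get("matchNames") or [monitor["metadata"]["namespace"]]
    if not ns_sel.get("any") and svc_meta["namespace"] not in allowed:
        problems.append("Service namespace is not covered by namespaceSelector")
    # Endpoints reference a Service port by name (the `port` field), not by number.
    port_names = {p.get("name") for p in service["spec"]["ports"]}
    for ep in spec["endpoints"]:
        if ep.get("port") not in port_names:
            problems.append(f"endpoint port {ep.get('port')!r} is not a named Service port")
    return problems

SELECTOR = {"matchLabels": {"release": "monitoring"}}  # constructed label
MONITOR = {
    "metadata": {"namespace": "monitoring", "labels": {"release": "monitoring"}},
    "spec": {
        "endpoints": [{"port": "http", "path": "/auth/realms/master/metrics"}],
        "selector": {"matchLabels": {"app.kubernetes.io/component": "metrics"}},
        "namespaceSelector": {"matchNames": ["keycloak"]},
    },
}

def metrics_service(port_names):
    """Build a sample keycloak-metrics Service exposing the given port names."""
    return {
        "metadata": {"namespace": "keycloak",
                     "labels": {"app.kubernetes.io/component": "metrics"}},
        "spec": {"ports": [{"name": n} for n in port_names]},
    }

if __name__ == "__main__":
    print(check_wiring(SELECTOR, MONITOR, metrics_service(["http-management"])))
    print(check_wiring(SELECTOR, MONITOR, metrics_service(["http-management", "http"])))
```

The first call models the unpatched Service and reports the missing `http` port name; the second models the patched Service and returns an empty list.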

Summary

By going through this tutorial, we will now be able to monitor and analyze Keycloak metrics and view them on customizable Dashboards of Prometheus/Grafana.

Thanks for checking out this post!

Cover Image credits: Image by Lorenzo Cafaro from Pixabay
