[Feature] Extra Prometheus metrics #309

Closed
ath88 opened this issue Sep 28, 2020 · 10 comments · Fixed by #321

@ath88

ath88 commented Sep 28, 2020

For the Keycloak 11 rewrite of the chart, it seems that the supported metrics were changed away from the Keycloak Metrics SPI[1], to use the internal Wildfly Prometheus metrics[2]. They provide quite different metrics, as far as I can see. The SPI exposes Keycloak events, such as signup and logins.

If I wanted to add the SPI, I could just add it as an init container. But, I would need to add an additional ServiceMonitor manually, since the chart does not support the additional configuration.

How about the chart support the SPI, or at least multiple scrape endpoints?

[1] https://github.com/aerogear/keycloak-metrics-spi
[2] https://docs.wildfly.org/16/Admin_Guide.html#exposed-metrics

@Tim-Schwalbe

Tim-Schwalbe commented Oct 2, 2020

Also the metrics endpoint is not secured with a password if I just add the SPI. The metrics endpoint is just reachable at /auth/realms/master/metrics

Any idea how to fix this? Is there any way to change the port for the SPI?

@ath88
Author

ath88 commented Oct 2, 2020

There is no solution from the developers - but it should be trivial to configure nginx to block it, or to add authentication.

See aerogear/keycloak-metrics-spi#39

@unguiculus
Contributor

You can add an init container or use a custom image. Adding an option to support multiple scrape endpoints is certainly something I can look into.

@ath88
Author

ath88 commented Oct 5, 2020

I'll gladly add it as an init container - that's what I did before. But having to manage an extra ServiceMonitor, along with the Helm chart, is cumbersome. :)

@Tim-Schwalbe

Yes, I did that and also needed to lock the endpoint for the metrics.

Here is my NGINX Ingress Config to block requests to /auth/realms/master/metrics. I did not test if there will be an endpoint for every realm, but for now it was working.

  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/server-snippet: |
      location /auth/realms/master/metrics {
          return 403;
      }

@unguiculus
Contributor

@ath88 Please check out #321. Does this suit your needs?

@ath88
Author

ath88 commented Oct 12, 2020

It does indeed look like it would suit my needs! Thanks a lot! :)

@harshitmahapatra

@Tim-Schwalbe Would you mind sharing your init container config?

@Tim-Schwalbe

Tim-Schwalbe commented Apr 16, 2021

@harshitmahapatra Here it is:

extraInitContainers: |
  - name: extensions
    image: busybox
    imagePullPolicy: IfNotPresent
    command:
      - sh
    args:
      - -c
      - |
        echo "Copying extensions..."
        wget -O /deployments/keycloak-metrics-spi.jar https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.0.1/keycloak-metrics-spi-2.0.1.jar
    volumeMounts:
      - name: deployments
        mountPath: /deployments

And here is the ingress with the regex:

ingress:
  # If `true`, an Ingress is created
  enabled: true
  # The Service port targeted by the Ingress
  servicePort: http
  # Ingress annotations
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/server-snippet: |
      location ~* /auth/realms/[^/]+/metrics {
          return 403;
      }
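
A coverage check for the two server-snippet rules posted in this thread, as an added example that is not part of the original discussion or the chart's code: it models nginx location matching in simplified form (an assumption) and reports which metrics paths each rule leaves reachable through the ingress. The realm name `customers` and all sample URIs are constructed, and the per-realm metrics path is assumed to mirror the master one.

```python
import re

# Simplified model of nginx location matching (assumption): a plain prefix
# location matches when the path starts with it; "~*" is an unanchored,
# case-insensitive regex search. Both see the path without the query string.
RULE_MASTER_ONLY = ("prefix", "/auth/realms/master/metrics")
RULE_ALL_REALMS = ("regex_ci", r"/auth/realms/[^/]+/metrics")


def is_blocked(rule, request_uri):
    """Return True if the rule's `return 403` would apply to this request."""
    kind, pattern = rule
    path = request_uri.split("?", 1)[0]
    if kind == "prefix":
        return path.startswith(pattern)
    if kind == "regex_ci":
        return re.search(pattern, path, re.IGNORECASE) is not None
    raise ValueError(f"unknown rule kind: {kind}")


def unprotected(rule, metrics_uris):
    """Metrics URIs that the rule leaves reachable through the ingress."""
    return [u for u in metrics_uris if not is_blocked(rule, u)]


def overblocked(rule, normal_uris):
    """Ordinary Keycloak URIs that the rule would wrongly answer with 403."""
    return [u for u in normal_uris if is_blocked(rule, u)]


# Constructed sample data: "customers" is a hypothetical second realm.
METRICS_URIS = [
    "/auth/realms/master/metrics",
    "/auth/realms/customers/metrics",
]
NORMAL_URIS = [
    "/auth/realms/master/protocol/openid-connect/token",
    "/auth/realms/customers/account",
    "/auth/realms/customers/.well-known/openid-configuration",
]

if __name__ == "__main__":
    for name, rule in [("master-only", RULE_MASTER_ONLY), ("all-realms", RULE_ALL_REALMS)]:
        print(name, "leaves open:", unprotected(rule, METRICS_URIS),
              "overblocks:", overblocked(rule, NORMAL_URIS))
```

Both rules act only at the NGINX ingress; requests made inside the cluster, such as a Prometheus scrape against the Service, do not pass through them.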

@harshitmahapatra

harshitmahapatra commented Apr 16, 2021

@Tim-Schwalbe Thank you very much 😃!
