@@ -206,6 +206,76 @@ Prometheus as the data source. You can find more examples of how to do
206206this in the Grafana Helm chart `Import Dashboards <https://github.com/grafana/helm-charts/tree/main/charts/grafana#import-dashboards >`_
207207documentation.
208208
209+ Externally managed Keycloak
210+ ===========================
211+
212+ By default, Atmosphere manages the Keycloak resources needed by monitoring: the
213+ realm, client scope mapper, clients, client roles, and generated client
214+ secrets.
215+
216+ For multi-region environments where Keycloak is shared and owned outside of the
217+ regional monitoring deployment, disable Keycloak management:
218+
219+ .. code-block :: yaml
220+
221+ kube_prometheus_stack_keycloak_manage : false
222+
223+ This does not disable Keycloak authentication for Grafana, Prometheus, or
224+ Alertmanager. It only stops the monitoring role from calling the Keycloak admin
225+ API. The role still waits for ``kube_prometheus_stack_keycloak_server_url `` and
226+ expects the referenced clients and Kubernetes secrets to exist before it deploys
227+ the monitoring resources.
228+
229+ When using a shared Keycloak, override the Keycloak endpoint to point at the
230+ region that owns authentication. You can either set ``keycloak_host `` or override
231+ the full URL:
232+
233+ .. code-block :: yaml
234+
235+ keycloak_host : auth.primary.example.com
236+ # or:
237+ kube_prometheus_stack_keycloak_server_url : https://auth.primary.example.com
238+
239+ You must also set the local monitoring endpoints for the region being deployed:
240+
241+ .. code-block :: yaml
242+
243+ kube_prometheus_stack_alertmanager_host : alertmanager.region.example.com
244+ kube_prometheus_stack_grafana_host : grafana.region.example.com
245+ kube_prometheus_stack_prometheus_host : prometheus.region.example.com
246+
247+ Use region-specific client IDs when the shared Keycloak serves more than one
248+ monitoring deployment:
249+
250+ .. code-block :: yaml
251+
252+ kube_prometheus_stack_alertmanager_client_id : alertmanager-region
253+ kube_prometheus_stack_grafana_client_id : grafana-region
254+ kube_prometheus_stack_prometheus_client_id : prometheus-region
255+
256+ Each client must have a Kubernetes ``Secret `` in
257+ ``kube_prometheus_stack_helm_release_namespace `` containing a ``password `` key.
258+ The namespace defaults to ``monitoring ``. Override the secret names when they do
259+ not match the role defaults:
260+
261+ .. code-block :: yaml
262+
263+ kube_prometheus_stack_alertmanager_client_secret_name : alertmanager-region-client-secret
264+ kube_prometheus_stack_grafana_client_secret_name : grafana-region-client-secret
265+ kube_prometheus_stack_prometheus_client_secret_name : prometheus-region-client-secret
266+
267+ The shared Keycloak must already contain matching clients, client roles, client
268+ secrets, and redirect URIs. Alertmanager and Prometheus require a ``member ``
269+ client role. Grafana requires ``admin ``, ``editor ``, and ``viewer `` client
270+ roles. The role mapper that exposes client roles in the token must also exist.
271+
272+ The required redirect URIs are based on the endpoint variables:
273+
274+ - ``https://{{ kube_prometheus_stack_alertmanager_host }}/oauth2/callback ``
275+ - ``https://{{ kube_prometheus_stack_grafana_host }}/login ``
276+ - ``https://{{ kube_prometheus_stack_grafana_host }}/login/generic_oauth ``
277+ - ``https://{{ kube_prometheus_stack_prometheus_host }}/oauth2/callback ``
278+
209279************
210280Viewing data
211281************
0 commit comments