SSO Keycloak dashboard services provide the ability to monitor real-time statistical data and event logs.
- Install asdf
- Run `make local-setup` to install the necessary tooling
- De-coupling the auditing service from the authentication service (Keycloak) and reducing the number of Keycloak SQL transactions and the amount of DB data storage gives better maintainability of the Keycloak instances.
- Full control of the log ingestion and data store process, which gives better performance when displaying the dashboard data and log events in a separate business intelligence tool rather than in the Keycloak UI.
- Access to the Keycloak logs without significant impact on Keycloak operational performance.
- A functional log consumer that can be used to filter the logs and extract metadata before the data is stored.
- A solution to store the aggregated historical data and logs for a longer term.
- A dashboard tool to display the aggregated data, with an option to search log events.
- A dashboard that has authorization integration to support multi-tenant workspaces.
- `Promtail` & `Loki`: collect, transform and load raw log data for the designated time period.
- `Loki` & `S3`: provide the Amazon S3 compatible object storage to store/read compacted event data by Loki.
- `Promtail` & `Custom Go server`: collect and upsert the aggregated event historical data in the DB.
- `Grafana`: connect Loki and the aggregation DB to visualize the logs and stats.
Loki in AWS breakdown:
Loki has a helm chart for deploying in Kubernetes. For the deployment in an ECS cluster there are a few changes to note:
- Service discovery can be used in ECS to replace services in k8s. Since we cannot use this in the BCGov AWS, it has been replaced with a network load balancer. This is necessary to allow the read and write tasks to communicate on port 7946. If this is not working, you will see "empty ring" errors.
- ECS does not support config maps. To replace them, a custom image was built with custom configuration files. Configurations that will be changed at runtime can set their values with the syntax `${ENV_VAR:-default}`, and environment variables can then be used to configure them. Values consistent across environments can be hardcoded.
- The helm chart includes a deployment named "gateway". This is an nginx reverse proxy which provides path-based routing to the read and write services. It has been replaced with listener rules on the application load balancer.
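The `${ENV_VAR:-default}` placeholders in the custom image's configuration files can be checked before the image is built, so that a task does not start with an unresolved S3 credential or memberlist address. The following pre-flight renderer is an added example, not part of this repository; the Loki fragment it renders is constructed for illustration and is not the project's real configuration.

```python
import re

# Matches ${NAME} or ${NAME:-default}, the placeholder syntax used in the
# runtime-configurable values of the custom image's config files.
_PLACEHOLDER = re.compile(
    r"\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::-(?P<default>[^}]*))?\}"
)

# Constructed sample (not the project's config): environment-specific values
# are placeholders, values shared across environments are hardcoded.
SAMPLE_CONFIG = """\
memberlist:
  join_members:
    - ${LOKI_MEMBERLIST_HOST:-loki-nlb.internal}:7946
storage_config:
  aws:
    endpoint: ${S3_ENDPOINT}
    bucketnames: ${LOKI_BUCKET:-loki-chunks}
    access_key_id: ${S3_ACCESS_KEY}
    secret_access_key: ${S3_SECRET_KEY}
    s3forcepathstyle: true
"""


def render(template, env):
    """Expand placeholders from env; return (text, sorted unresolved names).

    A placeholder with no default whose variable is missing from env is left
    in place and reported, so the caller can refuse to ship that config.
    """
    unresolved = set()

    def substitute(match):
        name, default = match.group("name"), match.group("default")
        if name in env:
            return env[name]
        if default is not None:
            return default
        unresolved.add(name)
        return match.group(0)

    return _PLACEHOLDER.sub(substitute, template), sorted(unresolved)


def preflight(template, env):
    """Return the rendered config, or raise if a required variable is unset."""
    text, missing = render(template, env)
    if missing:
        raise RuntimeError("unset variables without defaults: " + ", ".join(missing))
    return text


if __name__ == "__main__":
    demo_env = {"S3_ENDPOINT": "https://minio.example.internal",
                "S3_ACCESS_KEY": "demo-key", "S3_SECRET_KEY": "demo-secret"}
    print(preflight(SAMPLE_CONFIG, demo_env))
```

Running `preflight` against the task definition's environment in CI surfaces a missing secret as a build failure instead of a Loki task that fails to join the ring or reach object storage.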
The helm charts for the Promtail instances and the Grafana dashboard can be installed with make commands. These automate adding environment variables from the .env files in their directories. See the directory readmes for more information.
The Loki setup is deployed with terraform into AWS. It deploys automatically on merge to dev/main.
GitHub CD pipeline scripts are triggered based on the directory that has changed; there is a recommended deployment order when deploying the resources for the very first time:
1. Loki: deploys the `MinIO` and `Loki` resources, `read`, `write`, and `gateway`.
2. Aggregator: deploys the `Aggregator` and `Compactor` with the `Postgres DB`.
3. Grafana: deploys the `Grafana` dashboard with the two `datasources` configured above.
4. Promtail: deploys the `Promtail` in multiple namespaces to collect the Keycloak disk logs.
The terraform account for deployment is restricted to the resource types required for this repository. If you add new resources that are not currently required, you will get a permission denied error. Expand the permissions on the `sso-dashboard-boundary` as needed.
The following secrets are set in the GitHub secrets of the repository and can be found in the OCP secret:
- `SANDBOX_OPENSHIFT_SERVER`: the OpenShift online server URL.
- `SANDBOX_OPENSHIFT_TOKEN`: the OpenShift session token. Please find the secret in the Sandbox Deployer Secret.
- `SANDBOX_OPENSHIFT_NAMESPACE`: the namespace name to deploy `Grafana`, `Loki`, and `Aggregator`.
- `SANDBOX_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in the `Grafana` and `MinIO` dashboard UI.
- `SANDBOX_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in the `Grafana` and `MinIO` dashboard UI. Please find the integration `#4492 SSO Dashboard` via the CSS app.
- `PROD_OPENSHIFT_SERVER`: the OpenShift online server URL.
- `PROD_OPENSHIFT_TOKEN`: the OpenShift session token. Please find the secret in the Sandbox Deployer Secret.
- `PROD_OPENSHIFT_NAMESPACE`: the namespace name to deploy `Grafana`, `Loki`, and `Aggregator`.
- `PROD_SSO_CLIENT_ID`: the SSO integration credentials, `client id`, to set in the `Grafana` and `MinIO` dashboard UI.
- `PROD_SSO_CLIENT_SECRET`: the SSO integration credentials, `client secret`, to set in the `Grafana` and `MinIO` dashboard UI. Please find the integration `#4492 SSO Dashboard` via the CSS app.