[keycloak] Add Prometheus Operator support (#58)

Signed-off-by: Sam Weston <[email protected]>

charts/keycloak/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: keycloak
-version: 6.1.1
+version: 6.2.0
 appVersion: 8.0.1
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:

charts/keycloak/README.md

@@ -127,6 +127,14 @@ Parameter | Description | Default
 `test.image.pullPolicy` | Test image pull policy | `IfNotPresent`
 `test.securityContext` | Security context for the test pod. Every container running in the pod will inherit this security context. This might be relevant when other components of the environment inject additional containers into the running pod (service meshs are the most prominent example for this) | `{fsGroup: 1000}`
 `test.containerSecurityContext` | Security context for containers running in the test pod. Will not be inherited by additionally injected containers | `{runAsUser: 1000, runAsNonRoot: true}`
+`prometheus.operator.enabled` | Enable the Prometheus Operator features of the chart | `false`
+`prometheus.operator.serviceMonitor.selector` | Labels to add to the Prometheus Operator ServiceMonitor depending on your Operator configuration | `release: prometheus`
+`prometheus.operator.serviceMonitor.interval` | How often Prometheus should poll the metrics endpoint | `10s`
+`prometheus.operator.serviceMonitor.scrapeTimeout` | How long the Prometheus metrics endpoint timeout should be | `10s`
+`prometheus.operator.serviceMonitor.path` | The path of the Prometheus metrics endpoint on Keycloak | `/auth/realms/master/metrics`
+`prometheus.operator.prometheusRules.enabled` | Whether to create Prometheus Operator PrometheusRules object | `false`
+`prometheus.operator.prometheusRules.selector` | Labels to add to the Prometheus Operator PrometheusRules object depending on your Operator configuration | `{app: prometheus-operator", release: prometheus}`
+`prometheus.operator.prometheusRules.rules` | The Prometheus Operator rules to configure | `{}`
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
 
@@ -365,6 +373,37 @@ WildFly uses Infinispan for caching.
 These caches can be replicated across all instances forming a cluster.
 If `keycloak.replicas > 1`, JGroups' DNS_PING is configured for cluster discovery and Keycloak is started with `--server-config standalone-ha.xml`.
 
+### Prometheus Operator Support
+
+It is possible to monitor Keycloak with Prometheus through the use of plugins such as [keycloak-metrics-spi](https://github.com/aerogear/keycloak-metrics-spi). The plugin can be added with configuration like this:
+```
+  extraInitContainers: |
+    - name: extensions
+      image: busybox
+      imagePullPolicy: IfNotPresent
+      command:
+        - sh
+      args:
+        - -c
+        - |
+          echo "Copying extensions..."
+          wget -O /deployments/keycloak-metrics-spi.jar https://github.com/aerogear/keycloak-metrics-spi/releases/download/1.0.1/keycloak-metrics-spi-1.0.1.jar
+      volumeMounts:
+        - name: deployments
+          mountPath: /deployments
+
+  extraVolumeMounts: |
+    - name: deployments
+      mountPath: /opt/jboss/keycloak/standalone/deployments
+
+  extraVolumes: |
+    - name: deployments
+      emptyDir: {}
+```
+
+You can then either configure Prometheus to scrape the `/auth/realms/master/metrics` path on the normal HTTP port of JBoss, or if you use the [Prometheus Operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator) you can enable `prometheus.operator.enabled` in `values.yaml` and use the example configuration.
+If you are using Prometheus Operator for configuring Prometheus Rules, the chart also supports this; see `prometheus.operator.prometheusRules` in `values.yaml` for more details.
+
 ## Why StatefulSet?
 
 The chart sets node identifiers to the system property `jboss.node.name` which is in fact the pod name.

charts/keycloak/templates/prometheusrules.yaml

@@ -0,0 +1,14 @@
+{{ if and (.Values.prometheus.operator.prometheusRules.enabled) (.Values.prometheus.operator.prometheusRules.rules) }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "keycloak.fullname" . }}
+  labels:
+    {{- include "keycloak.selectorLabels" . | nindent 4 }}
+    {{- toYaml .Values.prometheus.operator.prometheusRules.selector | nindent 4 }}
+spec:
+  groups:
+  - name: {{ include "keycloak.fullname" . }}
+    rules:
+      {{- toYaml .Values.prometheus.operator.prometheusRules.rules | nindent 6 }}
+{{- end }}

charts/keycloak/templates/service-headless.yaml

@@ -5,6 +5,7 @@ metadata:
   name: {{ include "keycloak.fullname" . }}-headless
   labels:
     {{- include "keycloak.commonLabels" . | nindent 4 }}
+    service: headless
 spec:
   type: ClusterIP
   clusterIP: None

charts/keycloak/templates/service-http.yaml

@@ -12,6 +12,7 @@ metadata:
     {{- with $service.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    service: http
 spec:
   type: {{ $service.type }}
   ports:

charts/keycloak/templates/servicemonitor.yaml

@@ -0,0 +1,22 @@
+{{ if and .Values.prometheus.operator.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "keycloak.fullname" . }}
+  labels:
+    {{- include "keycloak.commonLabels" . | nindent 4 }}
+    {{- toYaml .Values.prometheus.operator.serviceMonitor.selector | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "keycloak.selectorLabels" . | nindent 6 }}
+      service: http
+  endpoints:
+    - port: http
+      path: {{ .Values.prometheus.operator.serviceMonitor.path }}
+      interval: {{ .Values.prometheus.operator.serviceMonitor.interval }}
+      {{- with .Values.prometheus.operator.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+{{ end }}
+

charts/keycloak/values.yaml

@@ -332,3 +332,50 @@ test:
   containerSecurityContext:
     runAsUser: 1000
     runAsNonRoot: true
+
+prometheus:
+  operator:
+    ## Are you using Prometheus Operator?
+    enabled: false
+
+    serviceMonitor:
+      ## Additional labels to add to the ServiceMonitor so it is picked up by the operator.
+      ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release.
+      selector:
+        release: prometheus
+
+      ## Interval at which Prometheus scrapes metrics
+      interval: 10s
+
+      ## Timeout at which Prometheus timeouts scrape run
+      scrapeTimeout: 10s
+
+      ## The path to scrape
+      path: /auth/realms/master/metrics
+
+    prometheusRules:
+      ## Add Prometheus Rules?
+      enabled: false
+
+      ## Additional labels to add to the PrometheusRule so it is picked up by the operator.
+      ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator'
+      selector:
+        app: prometheus-operator
+        release: prometheus
+
+      ## Some example rules.
+      rules: {}
+      #  - alert: keycloak-IngressHigh5xxRate
+      #    annotations:
+      #      message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
+      #    expr: (sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]))/sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m])))*100 > 1
+      #    for: 5m
+      #    labels:
+      #      severity: warning
+      #  - alert: keycloak-IngressHigh5xxRate
+      #    annotations:
+      #      message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 5%.
+      #    expr: (sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]))/sum(rate(nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m])))*100 > 5
+      #    for: 5m
+      #    labels:
+      #      severity: critical