From 56c0abc712de6538acc96cf98e1ed0468332e407 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simen=20R=C3=B8stvik?=
Date: Mon, 26 Dec 2022 02:19:17 +0100
Subject: [PATCH] Grafana SSO

---
 MetaObjects/grafana-sso-secret.yml | 21 +++++++++++++++++++++
 apps/templates/prometheus.yaml     | 22 +++++++++++-----------
 2 files changed, 32 insertions(+), 11 deletions(-)
 create mode 100644 MetaObjects/grafana-sso-secret.yml

diff --git a/MetaObjects/grafana-sso-secret.yml b/MetaObjects/grafana-sso-secret.yml
new file mode 100644
index 0000000..32074d8
--- /dev/null
+++ b/MetaObjects/grafana-sso-secret.yml
@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-oauth
+  namespace: prometheus
+spec:
+  secretStoreRef:
+    name: secret-store
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: grafana
+  dataFrom:
+    - extract:
+        key: prometheus/grafana-sso
+        conversionStrategy: Default
+        decodingStrategy: Auto
diff --git a/apps/templates/prometheus.yaml b/apps/templates/prometheus.yaml
index 52fbdef..2416eab 100644
--- a/apps/templates/prometheus.yaml
+++ b/apps/templates/prometheus.yaml
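Review bot: The `dataFrom` / `extract` entry at the end of the new file copies every key stored under `prometheus/grafana-sso` into the generated `grafana-oauth` Secret, and because the Grafana values in this same commit mount that Secret through `envFromSecrets`, each key silently becomes an environment variable of the Grafana pod, yet nothing in the manifest says which keys the store entry is expected to contain. A short comment above `dataFrom:` would make the contract reviewable, e.g. `# Expected keys (become Grafana env vars via envFromSecrets): GF_AUTH_GENERIC_OAUTH_CLIENT_ID, GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` — adjust the list to whatever the store actually holds, since the keys are not visible here. If the store path is shared with other consumers, consider narrowing the copy to those named keys instead of the whole entry. Also, no `refreshInterval` is set, so the controller's default polling applies; state that explicitly if a faster rotation pickup is expected. The hunk is the whole file, so nothing is cut off.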
@@ -35,17 +35,17 @@ spec:
         storageClassName: longhorn
         env:
           GF_SERVER_ROOT_URL: https://%(domain)s/
-          # GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
-          # GF_AUTH_GENERIC_OAUTH_NAME: authentik
-          # GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
-          # GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
-          # GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
-          # GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
-          # GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
-          # GF_AUTH_OAUTH_AUTO_LOGIN: "true"
-          # GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
-        # envFromSecrets:
-        #   - name: grafana-oauth
+          GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+          GF_AUTH_GENERIC_OAUTH_NAME: authentik
+          GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
+          GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
+          GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
+          GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
+          GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
+          GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+          GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+        envFromSecrets:
+          - name: grafana-oauth
         ingress:
           enabled: true
           ingressClassName: traefik
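Review bot: The role mapping on the `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` line ends in `|| 'Viewer'`, so every account that authentik lets through the grafana application lands in Grafana as a Viewer, and with `GF_AUTH_OAUTH_AUTO_LOGIN: "true"` on the line above there is no further gate on the Grafana side. If access is meant to be limited to the two named groups, add an allow-list next to the role path, `GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH: groups` and `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS: "Grafana Admins,Grafana Editors"`, provided the deployed Grafana version supports those settings; otherwise confirm that the authentik application's access policy is the intended allow-list and say so in a comment, e.g. `# Access is restricted by the authentik application policy; unlisted groups get Viewer`. The `env:` mapping belongs to the Grafana subchart values and its enclosing block starts before the hunk, so the surrounding structure is inferred rather than seen.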