Grafana SSO

2022-12-26 02:19:17 +01:00 · 2022-12-26 02:19:17 +01:00 · 56c0abc712
commit 56c0abc712
parent 076cbdf6a2
2 changed files with 32 additions and 11 deletions
--- a/MetaObjects/grafana-sso-secret.yml
+++ b/MetaObjects/grafana-sso-secret.yml
@ -0,0 +1,21 @@
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: grafana-oauth
  namespace: prometheus
 spec:
  secretStoreRef:
    name: secret-store
    kind: ClusterSecretStore
  target:
    name: grafana-oauth
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: grafana
  dataFrom:
    - extract:
        key: prometheus/grafana-sso
        conversionStrategy: Default
        decodingStrategy: Auto
--- a/apps/templates/prometheus.yaml
+++ b/apps/templates/prometheus.yaml
@ -35,17 +35,17 @@ spec:
            storageClassName: longhorn
          env:
            GF_SERVER_ROOT_URL: https://%(domain)s/
-          #   GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+            GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
-          #   GF_AUTH_GENERIC_OAUTH_NAME: authentik
+            GF_AUTH_GENERIC_OAUTH_NAME: authentik
-          #   GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
+            GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
-          #   GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
+            GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
-          #   GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
+            GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
-          #   GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
+            GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
-          #   GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
+            GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
-          #   GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+            GF_AUTH_OAUTH_AUTO_LOGIN: "true"
-          #   GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+            GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
-          # envFromSecrets:
+          envFromSecrets:
-          #   - name: grafana-oauth
+            - name: grafana-oauth
          ingress:
            enabled: true
            ingressClassName: traefik