Grafana SSO

2022-12-26 02:19:17 +01:00 · 2022-12-26 02:19:17 +01:00 · b807525139
commit b807525139
parent d43aa1dcc7
2 changed files with 32 additions and 11 deletions
--- a/MetaObjects/grafana-sso-secret.yml
+++ b/MetaObjects/grafana-sso-secret.yml
@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-oauth
+  namespace: prometheus
+spec:
+  secretStoreRef:
+    name: secret-store
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: grafana
+  dataFrom:
+    - extract:
+        key: prometheus/grafana-sso
+        conversionStrategy: Default
+        decodingStrategy: Auto
--- a/apps/templates/prometheus.yaml
+++ b/apps/templates/prometheus.yaml
@ -35,17 +35,17 @@ spec:
            storageClassName: longhorn
          env:
            GF_SERVER_ROOT_URL: https://%(domain)s/
-          #   GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
-          #   GF_AUTH_GENERIC_OAUTH_NAME: authentik
-          #   GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
-          #   GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
-          #   GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
-          #   GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
-          #   GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
-          #   GF_AUTH_OAUTH_AUTO_LOGIN: "true"
-          #   GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
-          # envFromSecrets:
-          #   - name: grafana-oauth
+            GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+            GF_AUTH_GENERIC_OAUTH_NAME: authentik
+            GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
+            GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
+            GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
+            GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
+            GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
+            GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+            GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+          envFromSecrets:
+            - name: grafana-oauth
          ingress:
            enabled: true
            ingressClassName: traefik