
feat: configure grafana to use oidc
mrsimonemms committed Dec 16, 2024
1 parent 19f34f8 commit 300e63c
Showing 4 changed files with 48 additions and 0 deletions.
12 changes: 12 additions & 0 deletions registry/clusters/dev/components/20-monitoring.yaml
Expand Up @@ -33,6 +33,18 @@ spec:
- op: replace
path: /spec/source/helm/valuesObject/grafana/ingress/annotations/cert-manager.io~1cluster-issuer
value: letsencrypt-staging
- op: replace
path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/auth_url
value: https://oidc.dev.simonemms.com/auth
- op: replace
path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/token_url
value: https://oidc.dev.simonemms.com/token
- op: replace
path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/api_url
value: https://oidc.dev.simonemms.com/userinfo
- op: replace
path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/tls_skip_verify_insecure
value: true
destination:
server: https://kubernetes.default.svc
namespace: monitoring
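Review bot: `tls_skip_verify_insecure: true` in the last replace op disables certificate verification for every Grafana-to-Dex call (token exchange and userinfo included), so on the dev cluster anyone positioned between Grafana and oidc.dev.simonemms.com can impersonate the token endpoint and hand Grafana arbitrary identities. The first op in the hunk shows why it was added — dev issues with `letsencrypt-staging`, whose roots Grafana does not trust — but the tighter fix is to keep verification on and trust that CA explicitly: mount the staging root certificate into the Grafana pod and add a replace op for `/spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/tls_client_ca` pointing at it, leaving the base `tls_skip_verify_insecure: false` from application.yaml in force. If the override must stay for now, a comment on the op such as `# dev only: letsencrypt-staging chain is untrusted by Grafana; do not copy to other cluster patches` makes the intent reviewable. The enclosing patch list begins above the hunk.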
2 changes: 2 additions & 0 deletions registry/components/dex/secret.yaml
Expand Up @@ -11,6 +11,7 @@ spec:
data:
base_url: https://oidc.simonemms.com
argocd_url: https://argocd.simonemms.com
grafana_url: https://grafana.simonemms.com
homepage_url: https://homepage.simonemms.com
---
apiVersion: external-secrets.io/v1beta1
Expand Down Expand Up @@ -42,6 +43,7 @@ spec:
secret: {{ .oidc_client_secret }}
redirectURIs:
- {{ .argocd_url }}/auth/callback
- {{ .grafana_url }}/login/generic_oauth
- {{ .homepage_url }}/oauth2/callback
connectors:
- type: github
20 changes: 20 additions & 0 deletions registry/components/monitoring/application.yaml
Expand Up @@ -104,7 +104,26 @@ spec:
path: /var/lib/grafana/dashboards/default
dashboardsConfigMaps:
default: grafana-dashboards
extraSecretMounts:
- name: credentials
secretName: credentials
mountPath: /etc/secrets/credentials
readOnly: true
defaultMode: 0440
grafana.ini:
auth.generic_oauth:
name: OIDC
enabled: true
client_id: $__file{/etc/secrets/credentials/client_id}
client_secret: $__file{/etc/secrets/credentials/client_secret}
scopes: openid email profile groups offline_access
auth_url: https://oidc.simonemms.com/auth
token_url: https://oidc.simonemms.com/token
api_url: https://oidc.simonemms.com/userinfo
tls_skip_verify_insecure: false
allow_sign_up: true
allow_assign_grafana_admin: true
role_attribute_path: contains(groups[*], 'mrsimonemmsorg:home-admin') && 'Admin' || 'Viewer'
server:
domain: grafana.simonemms.com
root_url: "https://%(domain)s"
Expand All @@ -113,6 +132,7 @@ spec:
type: statefulset
podAnnotations:
configmap.reloader.stakater.com/reload: grafana-dashboards
secrets.reloader.stakater.com/reload: credentials
serviceMonitor:
labels:
prometheus: enabled
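Review bot: `allow_sign_up: true` with no `allowed_groups`, `allowed_domains` or `allowed_organizations` means every identity Dex is willing to authenticate (the github connector is visible at the end of the dex hunk, whether it is org-restricted is not) gets a Grafana account provisioned automatically, and `role_attribute_path` falls through to `'Viewer'` for anyone outside `mrsimonemmsorg:home-admin`. If only that organisation should be able to log in, add `allowed_groups: mrsimonemmsorg:home-admin` together with `groups_attribute_path: groups` so unmatched users are rejected rather than defaulted; the `groups` scope this needs is already requested. `allow_assign_grafana_admin: true` is not used by this expression, which only ever yields `Admin` or `Viewer`, so it is better left at `false` until a mapping actually returns `GrafanaAdmin`. Separately, `defaultMode: 0440` relies on YAML 1.1 octal parsing to become 288; writing `defaultMode: 288  # 0440` removes that dependency. The `grafana:` values block and the `grafana.ini:` map both start above the hunk.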
14 changes: 14 additions & 0 deletions registry/components/monitoring/secret.yaml
Expand Up @@ -17,10 +17,24 @@ spec:
data:
admin-user: admin
admin-password: "{{ .password }}"
client_id: "{{ .client_id }}"
client_secret: "{{ .client_secret }}"
data:
- secretKey: password
remoteRef:
key: GRAFANA_PASSWORD
conversionStrategy: Default
decodingStrategy: None
metadataPolicy: None
- secretKey: client_id
remoteRef:
key: OIDC_CLIENT_ID
conversionStrategy: Default
decodingStrategy: None
metadataPolicy: None
- secretKey: client_secret
remoteRef:
key: OIDC_CLIENT_SECRET
conversionStrategy: Default
decodingStrategy: None
metadataPolicy: None
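Review bot: The new `client_id` and `client_secret` entries each repeat `conversionStrategy: Default`, `decodingStrategy: None` and `metadataPolicy: None`, which are the External Secrets defaults, so the items read the same with only `secretKey` and `remoteRef.key`; dropping the repeated lines keeps the list to what actually differs between entries. Grafana consumes these keys as files through the `extraSecretMounts` entry with `secretName: credentials` in application.yaml, so the target Secret name of this ExternalSecret (set above the hunk) must be exactly `credentials` and the template key names must match the `$__file{/etc/secrets/credentials/...}` paths — both are outside what the hunk shows, so worth a check before merge. The `spec.target.template.data` and `spec.data` blocks both begin above the hunk.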
