From 60d563881634de71191f2057a58031fe9161c888 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Sun, 15 Dec 2024 22:15:09 +0000
Subject: [PATCH] feat: configure grafana to use oidc

---
 .../dev/components/20-monitoring.yaml      |  9 +++++++
 registry/components/dex/secret.yaml        |  2 ++
 .../components/monitoring/application.yaml | 25 +++++++++++++++++++
 registry/components/monitoring/secret.yaml | 14 +++++++++++
 4 files changed, 50 insertions(+)

diff --git a/registry/clusters/dev/components/20-monitoring.yaml b/registry/clusters/dev/components/20-monitoring.yaml
index 601878e..7ca346c 100644
--- a/registry/clusters/dev/components/20-monitoring.yaml
+++ b/registry/clusters/dev/components/20-monitoring.yaml
@@ -33,6 +33,15 @@ spec:
           - op: replace
             path: /spec/source/helm/valuesObject/grafana/ingress/annotations/cert-manager.io~1cluster-issuer
             value: letsencrypt-staging
+          - op: replace
+            path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/auth_url
+            value: https://oidc.dev.simonemms.com/auth
+          - op: replace
+            path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/token_url
+            value: https://oidc.dev.simonemms.com/token
+          - op: replace
+            path: /spec/source/helm/valuesObject/grafana/grafana.ini/auth.generic_oauth/api_url
+            value: https://oidc.dev.simonemms.com/userinfo
   destination:
     server: https://kubernetes.default.svc
     namespace: monitoring
diff --git a/registry/components/dex/secret.yaml b/registry/components/dex/secret.yaml
index 2244bfd..67fa4df 100644
--- a/registry/components/dex/secret.yaml
+++ b/registry/components/dex/secret.yaml
@@ -11,6 +11,7 @@ spec:
   data:
     base_url: https://oidc.simonemms.com
     argocd_url: https://argocd.simonemms.com
+    grafana_url: https://grafana.simonemms.com
     homepage_url: https://homepage.simonemms.com
 ---
 apiVersion: external-secrets.io/v1beta1
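Review bot: The three `replace` ops repoint Grafana's OIDC endpoints at `oidc.dev.simonemms.com`, but nothing in this hunk touches `server/domain` or `server/root_url`, from which Grafana derives the `redirect_uri` it sends to Dex; unless an earlier op in this overlay (the hunk starts at line 33, so there are some) repoints those, the dev Dex will receive a callback for `grafana.simonemms.com`, which the shared dex/secret.yaml only registers for the production client. Because `client_id`/`client_secret` still come from the cluster's `credentials` Secret rather than being overridden here, the dev Dex must also know that same client id — presumably covered by a dev patch of Dex's `base_url`, but it deserves a comment above these ops such as `# endpoints and redirect_uri must match the grafana client registered on the dev Dex`. The enclosing patch list begins above this hunk.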
@@ -42,6 +43,7 @@ spec:
               secret: {{ .oidc_client_secret }}
               redirectURIs:
                 - {{ .argocd_url }}/auth/callback
+                - {{ .grafana_url }}/login/generic_oauth
                 - {{ .homepage_url }}/oauth2/callback
           connectors:
             - type: github
diff --git a/registry/components/monitoring/application.yaml b/registry/components/monitoring/application.yaml
index 215dafa..1948533 100644
--- a/registry/components/monitoring/application.yaml
+++ b/registry/components/monitoring/application.yaml
@@ -104,7 +104,31 @@ spec:
                     path: /var/lib/grafana/dashboards/default
           dashboardsConfigMaps:
             default: grafana-dashboards
+          extraSecretMounts:
+            - name: credentials
+              secretName: credentials
+              mountPath: /etc/secrets/credentials
+              readOnly: true
+              defaultMode: 0440
           grafana.ini:
+            auth:
+              disable_login_form: true
+              oauth_auto_login: false
+            auth.generic_oauth:
+              name: OIDC
+              enabled: true
+              client_id: $__file{/etc/secrets/credentials/client_id}
+              client_secret: $__file{/etc/secrets/credentials/client_secret}
+              scopes: openid email profile groups offline_access
+              auth_url: https://oidc.simonemms.com/auth
+              token_url: https://oidc.simonemms.com/token
+              api_url: https://oidc.simonemms.com/userinfo
+              tls_skip_verify_insecure: false
+              allow_sign_up: true
+              allow_assign_grafana_admin: true
+              role_attribute_path: contains(groups[*], 'mrsimonemmsorg:home-admin') && 'Admin' || 'Viewer'
+            security:
+              disable_initial_admin_creation: true
             server:
               domain: grafana.simonemms.com
               root_url: "https://%(domain)s"
@@ -113,6 +137,7 @@ spec:
             type: statefulset
           podAnnotations:
             configmap.reloader.stakater.com/reload: grafana-dashboards
+            secrets.reloader.stakater.com/reload: credentials
           serviceMonitor:
             labels:
               prometheus: enabled
diff --git a/registry/components/monitoring/secret.yaml b/registry/components/monitoring/secret.yaml
index 2066009..26ae9ce 100644
--- a/registry/components/monitoring/secret.yaml
+++ b/registry/components/monitoring/secret.yaml
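Review bot: Adding the Grafana callback to the static client that ArgoCD and homepage already use (one `secret: {{ .oidc_client_secret }}`, now three `redirectURIs`) makes all three relying parties share a single client identity and secret, so a leak from any one of them — Grafana now keeps it as a file on disk, see the application.yaml hunk — lets an attacker run the code exchange as that client against the others, and none of them can verify that a token's `aud` was minted for it alone. A separate `staticClients` entry per application, each with its own `id`/`secret` and a single `redirectURIs` line, keeps the blast radius to one app and allows independent rotation. The `staticClients` entry this belongs to starts above the hunk.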
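Review bot: With `allow_sign_up: true` and a `role_attribute_path` that falls back to `'Viewer'` for anyone outside `mrsimonemmsorg:home-admin`, every identity Dex is willing to authenticate gets a Grafana account; whether that set is bounded depends on the Dex GitHub connector's org/team filters, which are outside this hunk. If only that group should log in, enforce it at Grafana as well with `groups_attribute_path: groups` plus `allowed_groups: mrsimonemmsorg:home-admin`, or drop the `|| 'Viewer'` fallback and set `role_attribute_strict: true` so a user with no matching role is rejected rather than admitted. Two smaller points: `allow_assign_grafana_admin: true` only takes effect when the expression yields `GrafanaAdmin`, so as written it is inert, and since Dex supports PKCE, `use_pkce: true` next to the endpoint URLs is cheap hardening of the authorization-code exchange if it is not already the default for the Grafana version in use. The `valuesObject` this sits in starts before the hunk.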
@@ -17,6 +17,8 @@ spec:
       data:
         admin-user: admin
         admin-password: "{{ .password }}"
+        client_id: "{{ .client_id }}"
+        client_secret: "{{ .client_secret }}"
   data:
     - secretKey: password
       remoteRef:
@@ -24,3 +26,15 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
+    - secretKey: client_id
+      remoteRef:
+        key: OIDC_CLIENT_ID
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+    - secretKey: client_secret
+      remoteRef:
+        key: OIDC_CLIENT_SECRET
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
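Review bot: The OIDC `client_id`/`client_secret` are templated into the same target Secret that already carries `admin-user` and `admin-password`, and the application.yaml hunk mounts that Secret wholesale at `/etc/secrets/credentials`, so the admin password also becomes a readable file inside the Grafana container even though only the two OIDC keys are referenced via `$__file{...}`; the `secrets.reloader` annotation will likewise restart Grafana whenever any key in it changes. Put the OIDC pair in its own ExternalSecret (e.g. `grafana-oidc`) and mount only that, keeping the admin credentials on the env-var path the chart already uses. The ExternalSecret `spec` this template belongs to starts above the hunk.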