Fix: Add Grafana OAuth2 provider configuration and related secrets management

2025-11-12 07:02:24 +01:00 · 2025-11-12 07:02:24 +01:00 · 6110ae0fe4
commit 6110ae0fe4
parent 9af4291685
4 changed files with 68 additions and 3 deletions
--- a/apps/authentik/templates/grafana-sso-secret.yaml
+++ b/apps/authentik/templates/grafana-sso-secret.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-client-secret-grafana
+  namespace: monitoring
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  client-id: "grafana"
+  client-secret: {{ randAlphaNum 32 | quote }}
--- a/apps/authentik/templates/rbac.yaml
+++ b/apps/authentik/templates/rbac.yaml
@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: authentik-read-grafana-secret
+  namespace: monitoring # The namespace where the secret exists
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["authentik-client-secret-grafana"] # Grant access only to this specific secret
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: authentik-read-grafana-secret-binding
+  namespace: monitoring # The namespace where the secret and role exist
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: authentik-read-grafana-secret
+subjects:
+- kind: ServiceAccount
+  name: {{ include "authentik.fullname" . }} # The service account used by Authentik
+  namespace: {{ .Release.Namespace }} # The namespace where Authentik is running
--- a/apps/authentik/values.yaml
+++ b/apps/authentik/values.yaml
@ -53,6 +53,30 @@ authentik:
        mountPath: /postgres-creds
        readOnly: true

+  blueprints:
+    - |
+      version: 1
+      entries:
+        - model: authentik_providers_oauth2.oauth2provider
+          id: grafana-provider
+          attrs:
+            name: Grafana
+            client_id: !secret authentik-client-secret-grafana@monitoring#client-id
+            client_secret: !secret authentik-client-secret-grafana@monitoring#client-secret
+            redirect_uris:
+              - "https://grafana.noxxos.nl/login/generic_oauth"
+            signing_key: !Keypair authentik-self-signed-certificate
+        - model: authentik_core.application
+          id: grafana-app
+          attrs:
+            name: Grafana
+            slug: grafana
+            provider: !provider grafana-provider
+            launch_url: "https://grafana.noxxos.nl"
+            icon: "https://static.goauthentik.io/img/icon/provider/grafana.png"
+            group: "Dashboards"
+            policy_engine_mode: "any"
+
  additionalObjects:
  - apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
--- a/apps/monitoring/grafana/values.yaml
+++ b/apps/monitoring/grafana/values.yaml
@ -20,6 +20,8 @@ grafana:
      mountPath: /secrets/my-db
      readOnly: true

+  envFromSecret: authentik-client-secret-grafana
+
  datasources:
    datasources.yaml:
      apiVersion: 1
@ -104,10 +106,10 @@ grafana:
      password: "$__file{/secrets/my-db/password}"

    auth.generic_oauth:
-      enabled: false  # Enable after configuring secret
+      enabled: true
      name: Authentik
-      client_id: grafana
-      # client_secret should be set via envValueFrom or existingSecret
+      client_id: "$__from_env{client-id}"
+      client_secret: "$__from_env{client-secret}"
      scopes: openid profile email
      auth_url: https://auth.noxxos.nl/application/o/authorize/
      token_url: https://auth.noxxos.nl/application/o/token/