From 6110ae0fe4107ba5bc0fe34ccfb6c090f76ad937 Mon Sep 17 00:00:00 2001
From: Marco van Zijl
Date: Wed, 12 Nov 2025 07:02:24 +0100
Subject: [PATCH] Fix: Add Grafana OAuth2 provider configuration and related secrets management

---
 .../templates/grafana-sso-secret.yaml | 11 ++++++++
 apps/authentik/templates/rbac.yaml | 28 +++++++++++++++++++
 apps/authentik/values.yaml | 24 ++++++++++++++++
 apps/monitoring/grafana/values.yaml | 8 ++++--
 4 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 apps/authentik/templates/grafana-sso-secret.yaml
 create mode 100644 apps/authentik/templates/rbac.yaml

diff --git a/apps/authentik/templates/grafana-sso-secret.yaml b/apps/authentik/templates/grafana-sso-secret.yaml
new file mode 100644
index 0000000..c62d825
--- /dev/null
+++ b/apps/authentik/templates/grafana-sso-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: authentik-client-secret-grafana
+ namespace: monitoring
+ labels:
+ {{- include "authentik.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ client-id: "grafana"
+ client-secret: {{ randAlphaNum 32 | quote }}
diff --git a/apps/authentik/templates/rbac.yaml b/apps/authentik/templates/rbac.yaml
new file mode 100644
index 0000000..fc99c48
--- /dev/null
+++ b/apps/authentik/templates/rbac.yaml
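Review bot: `client-secret: {{ randAlphaNum 32 | quote }}` in the new Secret is evaluated on every render, so every `helm upgrade` or GitOps sync rotates the Grafana client secret and a GitOps controller will show this Secret as permanently out of sync. Grafana only reads the value at container start, so after a sync it can keep using the previous secret while the cluster object already holds the new one, which surfaces as a failed login rather than a deploy error. A common mitigation is to reuse the existing value when present: `{{- $existing := lookup "v1" "Secret" "monitoring" "authentik-client-secret-grafana" }}` before the Secret and `client-secret: {{ if $existing }}{{ index $existing.data "client-secret" | b64dec | quote }}{{ else }}{{ randAlphaNum 32 | quote }}{{ end }}` for the value, noting that `lookup` returns nothing under `helm template` without cluster access. Either way, a comment on that line saying the value is generated at render time and how it is rotated would save the next reader a surprise.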
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: authentik-read-grafana-secret
+ namespace: monitoring # The namespace where the secret exists
+ labels:
+ {{- include "authentik.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["authentik-client-secret-grafana"] # Grant access only to this specific secret
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: authentik-read-grafana-secret-binding
+ namespace: monitoring # The namespace where the secret and role exist
+ labels:
+ {{- include "authentik.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: authentik-read-grafana-secret
+subjects:
+- kind: ServiceAccount
+ name: {{ include "authentik.fullname" . }} # The service account used by Authentik
+ namespace: {{ .Release.Namespace }} # The namespace where Authentik is running
diff --git a/apps/authentik/values.yaml b/apps/authentik/values.yaml
index 3301b3a..ac3a8ac 100644
--- a/apps/authentik/values.yaml
+++ b/apps/authentik/values.yaml
@@ -53,6 +53,30 @@ authentik:
 mountPath: /postgres-creds
 readOnly: true

+ blueprints:
+ - |
+ version: 1
+ entries:
+ - model: authentik_providers_oauth2.oauth2provider
+ id: grafana-provider
+ attrs:
+ name: Grafana
+ client_id: !secret authentik-client-secret-grafana@monitoring#client-id
+ client_secret: !secret authentik-client-secret-grafana@monitoring#client-secret
+ redirect_uris:
+ - "https://grafana.noxxos.nl/login/generic_oauth"
+ signing_key: !Keypair authentik-self-signed-certificate
+ - model: authentik_core.application
+ id: grafana-app
+ attrs:
+ name: Grafana
+ slug: grafana
+ provider: !provider grafana-provider
+ launch_url: "https://grafana.noxxos.nl"
+ icon: "https://static.goauthentik.io/img/icon/provider/grafana.png"
+ group: "Dashboards"
+ policy_engine_mode: "any"
+
 additionalObjects:
 - apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
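Review bot: The RoleBinding subject `name: {{ include "authentik.fullname" . }}` assumes the Authentik pods run under a ServiceAccount named after the release, which is not necessarily the account the chart creates; a `serviceAccount.name` override, if the chart has one, would break this silently with a Forbidden on the secret read. If the chart ships a service-account name helper, prefer it here, and otherwise document the assumption in the inline comment, e.g. `# must match the ServiceAccount the authentik server/worker pods actually use`. The Role itself is well scoped: `get` on the single `resourceNames` entry is the minimum a secret lookup needs, so nothing broader should be added to it later.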
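Review bot: The inline blueprint uses the tags `!secret`, `!Keypair` and `!provider`, which I cannot find among authentik's documented blueprint tags (`!KeyOf`, `!Find`, `!Env`, `!Context`, `!Format`, ...); if they do not resolve, the blueprint fails validation and no provider or application is created, while Grafana in this same commit already has `enabled: true`, so the failure surfaces only as a broken login. Please confirm against the authentik version in use; the documented forms would be `provider: !KeyOf grafana-provider` and `signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik-self-signed-certificate]]`, with the secret value supplied via `!Env` from a mounted key rather than a namespaced Secret reference. It is also worth confirming that the chart reads `authentik.blueprints` as an inline list at all (the mechanism I know is `blueprints.configMaps`/`blueprints.secrets` naming existing objects) and that `redirect_uris` still accepts bare strings on the deployed version, since newer releases expect `url`/`matching_mode` entries. A short comment above `blueprints:` naming the authentik version this was tested against would make these assumptions checkable.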
diff --git a/apps/monitoring/grafana/values.yaml b/apps/monitoring/grafana/values.yaml
index 013b432..fe035ed 100644
--- a/apps/monitoring/grafana/values.yaml
+++ b/apps/monitoring/grafana/values.yaml
@@ -20,6 +20,8 @@ grafana:
 mountPath: /secrets/my-db
 readOnly: true

+ envFromSecret: authentik-client-secret-grafana
+
 datasources:
 datasources.yaml:
 apiVersion: 1
@@ -104,10 +106,10 @@ grafana:
 password: "$__file{/secrets/my-db/password}"

 auth.generic_oauth:
- enabled: false # Enable after configuring secret
+ enabled: true
 name: Authentik
- client_id: grafana
- # client_secret should be set via envValueFrom or existingSecret
+ client_id: "$__from_env{client-id}"
+ client_secret: "$__from_env{client-secret}"
 scopes: openid profile email
 auth_url: https://auth.noxxos.nl/application/o/authorize/
 token_url: https://auth.noxxos.nl/application/o/token/
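Review bot: `client_id: "$__from_env{client-id}"` and `client_secret: "$__from_env{client-secret}"` rely on an expander I do not find in Grafana's configuration docs, which list `$__env{VAR}`, `$__file{path}` and `$__vault{...}`; if `$__from_env` is not recognised, the literal placeholder is sent to Authentik as the client id, and because the same hunk flips `enabled: true` this fails at login time rather than at startup. Unless the deployed Grafana documents `$__from_env`, change these to `client_id: "$__env{client-id}"` and `client_secret: "$__env{client-secret}"`, which matches the `envFromSecret: authentik-client-secret-grafana` added in the first hunk of this file. Keeping the secret in the environment rather than in `grafana.ini` is the right call, since the rendered ini ends up in a ConfigMap; a comment above `auth.generic_oauth:` naming the Secret that must exist in the namespace would document the dependency.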