Fix: Add Grafana OAuth2 provider configuration and related secrets management

apps/authentik/templates/grafana-sso-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-client-secret-grafana
+  namespace: monitoring
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  client-id: "grafana"
+  client-secret: {{ randAlphaNum 32 | quote }}

apps/authentik/templates/rbac.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: authentik-read-grafana-secret
+  namespace: monitoring # The namespace where the secret exists
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["authentik-client-secret-grafana"] # Grant access only to this specific secret
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: authentik-read-grafana-secret-binding
+  namespace: monitoring # The namespace where the secret and role exist
+  labels:
+    {{- include "authentik.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: authentik-read-grafana-secret
+subjects:
+- kind: ServiceAccount
+  name: {{ include "authentik.fullname" . }} # The service account used by Authentik
+  namespace: {{ .Release.Namespace }} # The namespace where Authentik is running

apps/authentik/values.yaml

@@ -53,6 +53,30 @@ authentik:
         mountPath: /postgres-creds
         readOnly: true
 
+  blueprints:
+    - |
+      version: 1
+      entries:
+        - model: authentik_providers_oauth2.oauth2provider
+          id: grafana-provider
+          attrs:
+            name: Grafana
+            client_id: !secret authentik-client-secret-grafana@monitoring#client-id
+            client_secret: !secret authentik-client-secret-grafana@monitoring#client-secret
+            redirect_uris:
+              - "https://grafana.noxxos.nl/login/generic_oauth"
+            signing_key: !Keypair authentik-self-signed-certificate
+        - model: authentik_core.application
+          id: grafana-app
+          attrs:
+            name: Grafana
+            slug: grafana
+            provider: !provider grafana-provider
+            launch_url: "https://grafana.noxxos.nl"
+            icon: "https://static.goauthentik.io/img/icon/provider/grafana.png"
+            group: "Dashboards"
+            policy_engine_mode: "any"
+
   additionalObjects:
   - apiVersion: postgresql.cnpg.io/v1
     kind: Cluster

apps/monitoring/grafana/values.yaml

@@ -20,6 +20,8 @@ grafana:
       mountPath: /secrets/my-db
       readOnly: true
 
+  envFromSecret: authentik-client-secret-grafana
+
   datasources:
     datasources.yaml:
       apiVersion: 1
@@ -104,10 +106,10 @@ grafana:
       password: "$__file{/secrets/my-db/password}"
 
     auth.generic_oauth:
-      enabled: false  # Enable after configuring secret
+      enabled: true
       name: Authentik
-      client_id: grafana
+      client_id: "$__from_env{client-id}"
-      # client_secret should be set via envValueFrom or existingSecret
+      client_secret: "$__from_env{client-secret}"
       scopes: openid profile email
       auth_url: https://auth.noxxos.nl/application/o/authorize/
       token_url: https://auth.noxxos.nl/application/o/token/