Fix: Update Grafana OAuth2 client secret references and RBAC labels for consistency

2025-11-12 07:27:39 +01:00 · 2025-11-12 07:27:39 +01:00 · e91dead819
commit e91dead819
parent 2b844aba23
3 changed files with 16 additions and 7 deletions
--- a/apps/authentik/templates/grafana-sso-secret.yaml
+++ b/apps/authentik/templates/grafana-sso-secret.yaml
@ -4,8 +4,11 @@ metadata:
  name: authentik-client-secret-grafana
  namespace: monitoring
  labels:
-    {{- include "authentik.labels" . | nindent 4 }}
+    app.kubernetes.io/part-of: authentik
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: grafana-sso
 type: Opaque
 stringData:
-  client-id: "grafana"
-  client-secret: {{ randAlphaNum 32 | quote }}
+  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
+  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: {{ randAlphaNum 40 | quote }}
--- a/apps/authentik/templates/rbac.yaml
+++ b/apps/authentik/templates/rbac.yaml
@ -4,7 +4,10 @@ metadata:
  name: authentik-read-grafana-secret
  namespace: monitoring # The namespace where the secret exists
  labels:
-    {{- include "authentik.labels" . | nindent 4 }}
+    app.kubernetes.io/part-of: authentik
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: grafana-sso
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
@ -17,7 +20,10 @@ metadata:
  name: authentik-read-grafana-secret-binding
  namespace: monitoring # The namespace where the secret and role exist
  labels:
-    {{- include "authentik.labels" . | nindent 4 }}
+    app.kubernetes.io/part-of: authentik
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: grafana-sso
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/apps/monitoring/grafana/values.yaml
+++ b/apps/monitoring/grafana/values.yaml
@ -108,8 +108,8 @@ grafana:
    auth.generic_oauth:
      enabled: true
      name: Authentik
-      client_id: "$__from_env{client-id}"
-      client_secret: "$__from_env{client-secret}"
+      client_id: "$__from_env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID}"
+      client_secret: "$__from_env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}"
      scopes: openid profile email
      auth_url: https://auth.noxxos.nl/application/o/authorize/
      token_url: https://auth.noxxos.nl/application/o/token/