use authelia as login source

2024-10-04 12:11:23 +02:00
parent 140aca08da
commit a94389bdcc
17 changed files with 323 additions and 0 deletions
--- a/apps/monitoring/grafana-auth.sealedsecret.yaml
+++ b/apps/monitoring/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: monitoring
+spec:
+  encryptedData:
+    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: monitoring
+    type: Opaque
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -16,6 +16,12 @@ serviceMonitor:
  ##
  enabled: false

+envValueFrom:
+  AUTH_GRAFANA_CLIENT_SECRET:
+    secretKeyRef:
+      name: grafana-auth
+      key: client_secret
+
 ingress:
  enabled: false

@@ -67,3 +73,21 @@ grafana.ini:
  default_theme: dark
  unified_alerting:
    enabled: false
+  analytics:
+    check_for_updates: false
+  server:
+    domain: grafana.kluster.moll.re
+    root_url: https://grafana.kluster.moll.re
+  auth.generic_oauth:
+    name: Authelia
+    enabled: true
+    allow_sign_up: true
+    client_id: grafana
+    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
+    scopes: openid profile email groups
+    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
+    token_url: https://auth.kluster.moll.re/api/oidc/token
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    tls_skip_verify_insecure: true
+    auto_login: true
+    use_pkce: true
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - namespace.yaml
  - grafana.ingress.yaml
  - grafana-admin.sealedsecret.yaml
+  - grafana-auth.sealedsecret.yaml
  # grafana dashboards are provisioned from a git repository
  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main