Migrate Grafana OIDC from Dex to Authentik
- Add Authentik Blueprint (ConfigMap) defining Grafana OAuth2 provider, application, admins group, and policy binding - Mount blueprint in worker, pass grafana client secret via env - Switch Grafana auth.generic_oauth from Dex to Authentik endpoints - Replace dex-oauth ExternalSecret with authentik-oauth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
4e3f7bead7
commit
00e4dc46e3
7 changed files with 118 additions and 6 deletions
72
argocd/manifests/authentik/configmap-blueprint.yaml
Normal file
72
argocd/manifests/authentik/configmap-blueprint.yaml
Normal file
|
|
@ -0,0 +1,72 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: authentik-blueprints
|
||||||
|
namespace: authentik
|
||||||
|
data:
|
||||||
|
grafana.yaml: |
|
||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
name: BlumeOps Grafana SSO
|
||||||
|
labels:
|
||||||
|
blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
|
||||||
|
entries:
|
||||||
|
# admins group — gates access to admin-only applications
|
||||||
|
- model: authentik_core.group
|
||||||
|
id: admins-group
|
||||||
|
identifiers:
|
||||||
|
name: admins
|
||||||
|
attrs:
|
||||||
|
name: admins
|
||||||
|
|
||||||
|
# OAuth2 provider for Grafana
|
||||||
|
- model: authentik_providers_oauth2.oauth2provider
|
||||||
|
id: grafana-provider
|
||||||
|
identifiers:
|
||||||
|
name: Grafana
|
||||||
|
attrs:
|
||||||
|
name: Grafana
|
||||||
|
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
|
||||||
|
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||||
|
client_type: confidential
|
||||||
|
client_id: grafana
|
||||||
|
client_secret: !Env [AUTHENTIK_GRAFANA_CLIENT_SECRET]
|
||||||
|
redirect_uris:
|
||||||
|
- matching_mode: strict
|
||||||
|
url: https://grafana.ops.eblu.me/login/generic_oauth
|
||||||
|
- matching_mode: strict
|
||||||
|
url: https://grafana.tail8d86e.ts.net/login/generic_oauth
|
||||||
|
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
|
||||||
|
property_mappings:
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
|
||||||
|
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
|
||||||
|
sub_mode: hashed_user_id
|
||||||
|
include_claims_in_id_token: true
|
||||||
|
|
||||||
|
# Grafana application — linked to the OAuth2 provider
|
||||||
|
- model: authentik_core.application
|
||||||
|
id: grafana-app
|
||||||
|
identifiers:
|
||||||
|
slug: grafana
|
||||||
|
attrs:
|
||||||
|
name: Grafana
|
||||||
|
slug: grafana
|
||||||
|
provider: !KeyOf grafana-provider
|
||||||
|
meta_launch_url: https://grafana.ops.eblu.me
|
||||||
|
policy_engine_mode: any
|
||||||
|
|
||||||
|
# Policy binding — restrict Grafana to admins group
|
||||||
|
- model: authentik_policies.policybinding
|
||||||
|
identifiers:
|
||||||
|
order: 0
|
||||||
|
target: !KeyOf grafana-app
|
||||||
|
group: !KeyOf admins-group
|
||||||
|
attrs:
|
||||||
|
target: !KeyOf grafana-app
|
||||||
|
group: !KeyOf admins-group
|
||||||
|
order: 0
|
||||||
|
enabled: true
|
||||||
|
negate: false
|
||||||
|
timeout: 30
|
||||||
|
|
@ -53,6 +53,15 @@ spec:
|
||||||
key: postgresql-password
|
key: postgresql-password
|
||||||
- name: AUTHENTIK_REDIS__HOST
|
- name: AUTHENTIK_REDIS__HOST
|
||||||
value: authentik-redis
|
value: authentik-redis
|
||||||
|
- name: AUTHENTIK_GRAFANA_CLIENT_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: authentik-config
|
||||||
|
key: grafana-client-secret
|
||||||
|
volumeMounts:
|
||||||
|
- name: blueprints
|
||||||
|
mountPath: /blueprints/custom
|
||||||
|
readOnly: true
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
memory: "256Mi"
|
memory: "256Mi"
|
||||||
|
|
@ -60,3 +69,7 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: "1Gi"
|
memory: "1Gi"
|
||||||
cpu: "1000m"
|
cpu: "1000m"
|
||||||
|
volumes:
|
||||||
|
- name: blueprints
|
||||||
|
configMap:
|
||||||
|
name: authentik-blueprints
|
||||||
|
|
|
||||||
|
|
@ -37,3 +37,7 @@ spec:
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: "Authentik (blumeops)"
|
key: "Authentik (blumeops)"
|
||||||
property: postgresql-password
|
property: postgresql-password
|
||||||
|
- secretKey: grafana-client-secret
|
||||||
|
remoteRef:
|
||||||
|
key: "Authentik (blumeops)"
|
||||||
|
property: grafana-client-secret
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@ kind: Kustomization
|
||||||
namespace: authentik
|
namespace: authentik
|
||||||
resources:
|
resources:
|
||||||
- external-secret.yaml
|
- external-secret.yaml
|
||||||
|
- configmap-blueprint.yaml
|
||||||
- deployment-server.yaml
|
- deployment-server.yaml
|
||||||
- deployment-worker.yaml
|
- deployment-worker.yaml
|
||||||
- deployment-redis.yaml
|
- deployment-redis.yaml
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
apiVersion: external-secrets.io/v1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: grafana-authentik-oauth
|
||||||
|
namespace: monitoring
|
||||||
|
spec:
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-blumeops
|
||||||
|
target:
|
||||||
|
name: grafana-authentik-oauth
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
data:
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .clientSecret }}"
|
||||||
|
data:
|
||||||
|
- secretKey: clientSecret
|
||||||
|
remoteRef:
|
||||||
|
key: "Authentik (blumeops)"
|
||||||
|
property: grafana-client-secret
|
||||||
|
|
@ -6,7 +6,7 @@ namespace: monitoring
|
||||||
resources:
|
resources:
|
||||||
- ingress-tailscale.yaml
|
- ingress-tailscale.yaml
|
||||||
- external-secret-admin.yaml
|
- external-secret-admin.yaml
|
||||||
- external-secret-dex-oauth.yaml
|
- external-secret-authentik-oauth.yaml
|
||||||
- external-secret-teslamate-datasource.yaml
|
- external-secret-teslamate-datasource.yaml
|
||||||
# Dashboard ConfigMaps - discovered by Grafana sidecar via label grafana_dashboard=1
|
# Dashboard ConfigMaps - discovered by Grafana sidecar via label grafana_dashboard=1
|
||||||
- dashboards/configmap-borgmatic.yaml
|
- dashboards/configmap-borgmatic.yaml
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ admin:
|
||||||
envFromSecrets:
|
envFromSecrets:
|
||||||
- name: grafana-teslamate-datasource
|
- name: grafana-teslamate-datasource
|
||||||
optional: true
|
optional: true
|
||||||
- name: grafana-dex-oauth
|
- name: grafana-authentik-oauth
|
||||||
optional: true
|
optional: true
|
||||||
|
|
||||||
# Persistence with PVC for SQLite database
|
# Persistence with PVC for SQLite database
|
||||||
|
|
@ -32,13 +32,13 @@ grafana.ini:
|
||||||
allow_embedding: false
|
allow_embedding: false
|
||||||
auth.generic_oauth:
|
auth.generic_oauth:
|
||||||
enabled: true
|
enabled: true
|
||||||
name: Dex
|
name: Authentik
|
||||||
client_id: grafana
|
client_id: grafana
|
||||||
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
||||||
scopes: openid profile email
|
scopes: openid profile email
|
||||||
auth_url: https://dex.ops.eblu.me/auth
|
auth_url: https://authentik.ops.eblu.me/application/o/authorize/
|
||||||
token_url: https://dex.ops.eblu.me/token
|
token_url: https://authentik.ops.eblu.me/application/o/token/
|
||||||
api_url: https://dex.ops.eblu.me/userinfo
|
api_url: https://authentik.ops.eblu.me/application/o/userinfo/
|
||||||
allow_sign_up: true
|
allow_sign_up: true
|
||||||
role_attribute_path: "'Admin'"
|
role_attribute_path: "'Admin'"
|
||||||
auto_login: false
|
auto_login: false
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue