eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Migrate Grafana OIDC from Dex to Authentik

Browse source 
- Add Authentik Blueprint (ConfigMap) defining Grafana OAuth2 provider,
  application, admins group, and policy binding
- Mount blueprint in worker, pass grafana client secret via env
- Switch Grafana auth.generic_oauth from Dex to Authentik endpoints
- Replace dex-oauth ExternalSecret with authentik-oauth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-02-20 11:47:17 -08:00
commit 00e4dc46e3
7 changed files with 118 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

72
argocd/manifests/authentik/configmap-blueprint.yaml Normal file
View file

@ -0,0 +1,72 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: authentik-blueprints
namespace: authentik
data:
grafana.yaml: |
version: 1
metadata:
name: BlumeOps Grafana SSO
labels:
blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
entries:
# admins group — gates access to admin-only applications
- model: authentik_core.group
id: admins-group
identifiers:
name: admins
attrs:
name: admins
# OAuth2 provider for Grafana
- model: authentik_providers_oauth2.oauth2provider
id: grafana-provider
identifiers:
name: Grafana
attrs:
name: Grafana
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential
client_id: grafana
client_secret: !Env [AUTHENTIK_GRAFANA_CLIENT_SECRET]
redirect_uris:
- matching_mode: strict
url: https://grafana.ops.eblu.me/login/generic_oauth
- matching_mode: strict
url: https://grafana.tail8d86e.ts.net/login/generic_oauth
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
sub_mode: hashed_user_id
include_claims_in_id_token: true
# Grafana application — linked to the OAuth2 provider
- model: authentik_core.application
id: grafana-app
identifiers:
slug: grafana
attrs:
name: Grafana
slug: grafana
provider: !KeyOf grafana-provider
meta_launch_url: https://grafana.ops.eblu.me
policy_engine_mode: any
# Policy binding — restrict Grafana to admins group
- model: authentik_policies.policybinding
identifiers:
order: 0
target: !KeyOf grafana-app
group: !KeyOf admins-group
attrs:
target: !KeyOf grafana-app
group: !KeyOf admins-group
order: 0
enabled: true
negate: false
timeout: 30

13
argocd/manifests/authentik/deployment-worker.yaml
View file

@ -53,6 +53,15 @@ spec:
key: postgresql-password
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
- name: AUTHENTIK_GRAFANA_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: grafana-client-secret
volumeMounts:
- name: blueprints
mountPath: /blueprints/custom
readOnly: true
resources:
requests:
memory: "256Mi"
@ -60,3 +69,7 @@ spec:
limits:
memory: "1Gi"
cpu: "1000m"
volumes:
- name: blueprints
configMap:
name: authentik-blueprints

4
argocd/manifests/authentik/external-secret.yaml
View file

@ -37,3 +37,7 @@ spec:
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-password
- secretKey: grafana-client-secret
remoteRef:
key: "Authentik (blumeops)"
property: grafana-client-secret

1
argocd/manifests/authentik/kustomization.yaml
View file

@ -4,6 +4,7 @@ kind: Kustomization
namespace: authentik
resources:
- external-secret.yaml
- configmap-blueprint.yaml
- deployment-server.yaml
- deployment-worker.yaml
- deployment-redis.yaml

22
argocd/manifests/grafana-config/external-secret-authentik-oauth.yaml Normal file
View file

@ -0,0 +1,22 @@
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-authentik-oauth
namespace: monitoring
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-blumeops
target:
name: grafana-authentik-oauth
creationPolicy: Owner
template:
data:
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .clientSecret }}"
data:
- secretKey: clientSecret
remoteRef:
key: "Authentik (blumeops)"
property: grafana-client-secret

2
argocd/manifests/grafana-config/kustomization.yaml
View file

@ -6,7 +6,7 @@ namespace: monitoring
resources:
- ingress-tailscale.yaml
- external-secret-admin.yaml
- external-secret-dex-oauth.yaml
- external-secret-authentik-oauth.yaml
- external-secret-teslamate-datasource.yaml
# Dashboard ConfigMaps - discovered by Grafana sidecar via label grafana_dashboard=1
- dashboards/configmap-borgmatic.yaml

10
argocd/manifests/grafana/values.yaml
View file

@ -12,7 +12,7 @@ admin:
envFromSecrets:
- name: grafana-teslamate-datasource
optional: true
- name: grafana-dex-oauth
- name: grafana-authentik-oauth
optional: true
# Persistence with PVC for SQLite database
@ -32,13 +32,13 @@ grafana.ini:
allow_embedding: false
auth.generic_oauth:
enabled: true
name: Dex
name: Authentik
client_id: grafana
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
scopes: openid profile email
auth_url: https://dex.ops.eblu.me/auth
token_url: https://dex.ops.eblu.me/token
api_url: https://dex.ops.eblu.me/userinfo
auth_url: https://authentik.ops.eblu.me/application/o/authorize/
token_url: https://authentik.ops.eblu.me/application/o/token/
api_url: https://authentik.ops.eblu.me/application/o/userinfo/
allow_sign_up: true
role_attribute_path: "'Admin'"
auto_login: false