
Commit 685044a

committed
feat(authentik): Grafana auth
1 parent f7bf99c commit 685044a


6 files changed

+130
-25
lines changed

Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
module "onepassword_grafana" {
2+
source = "github.com/bjw-s/terraform-1password-item?ref=main"
3+
vault = "Kubernetes"
4+
item = "grafana"
5+
}
6+
7+
resource "authentik_provider_oauth2" "grafana" {
8+
name = "Grafana"
9+
10+
client_id = module.onepassword_grafana.fields.AUTHENTIK_CLIENT_ID
11+
client_secret = module.onepassword_grafana.fields.AUTHENTIK_CLIENT_SECRET
12+
13+
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
14+
15+
redirect_uris = [module.onepassword_grafana.fields.AUTHENTIK_GRAFANA_URL]
16+
17+
property_mappings = [
18+
data.authentik_scope_mapping.scope-email.id,
19+
data.authentik_scope_mapping.scope-profile.id,
20+
data.authentik_scope_mapping.scope-openid.id,
21+
]
22+
}
23+
24+
resource "authentik_application" "grafana" {
25+
name = "Grafana"
26+
slug = "grafana"
27+
protocol_provider = authentik_provider_oauth2.grafana.id
28+
29+
meta_launch_url = module.onepassword_grafana.fields.AUTHENTIK_GRAFANA_URL
30+
}
31+
32+
resource "authentik_group" "grafana_admins" {
33+
name = "Grafana Admins"
34+
}
35+
36+
resource "authentik_group" "grafana_editors" {
37+
name = "Grafana Editors"
38+
}
39+
40+
resource "authentik_group" "grafana_viewers" {
41+
name = "Grafana Viewers"
42+
}
43+
44+
resource "authentik_policy_binding" "grafana-access-admin" {
45+
target = authentik_application.grafana.uuid
46+
group = authentik_group.grafana_admins.id
47+
order = 0
48+
}
49+
50+
resource "authentik_policy_binding" "grafana-access-editors" {
51+
target = authentik_application.grafana.uuid
52+
group = authentik_group.grafana_editors.id
53+
order = 0
54+
}
55+
56+
resource "authentik_policy_binding" "grafana-access-viewers" {
57+
target = authentik_application.grafana.uuid
58+
group = authentik_group.grafana_viewers.id
59+
order = 0
60+
}

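--- a/infrastructure/terraform/authentik/directory.tf
+++ b/infrastructure/terraform/authentik/directory.tf
@@ -12,5 +12,9 @@ resource "authentik_user" "scotte" {
 name = module.onepassword_scotte.fields.FULLNAME
 email = module.onepassword_scotte.fields.EMAIL
 password = module.onepassword_scotte.fields.password
-groups = [data.authentik_group.admins.id, authentik_group.users.id]
+groups = [
+data.authentik_group.admins.id,
+authentik_group.users.id,
+authentik_group.grafana_admins.id
+]
 }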
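Review bot: The new last element `authentik_group.grafana_admins.id` has no trailing comma, while the multi-line `property_mappings` list added elsewhere in this commit ends every element with one; for consistency and smaller future diffs write `authentik_group.grafana_admins.id,`. Membership in `grafana_admins` is what the Grafana `role_attribute_path` in helm-release.yaml maps to the Admin role, so a short comment on the list such as `# grafana_admins -> Grafana "Admin" role via role_attribute_path` would help the next reader see why this user is in it. The `authentik_user` resource starts outside the hunk.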

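--- a/infrastructure/terraform/authentik/flows.tf
+++ b/infrastructure/terraform/authentik/flows.tf
@@ -152,3 +152,7 @@ data "authentik_flow" "default-source-authentication" {
 data "authentik_flow" "default-source-enrollment" {
 slug = "default-source-enrollment"
 }
+
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+slug = "default-provider-authorization-implicit-consent"
+}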
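Review bot: The flow resolved here is the implicit-consent authorization flow, so users are sent back to Grafana with their profile and email claims without ever seeing a consent screen, and nothing on the data source records that this is intentional. Add a comment such as `# implicit consent: no per-user consent prompt before claims are released to the Grafana provider` so a later reader does not mistake it for an oversight, or use the explicit-consent counterpart if consent should be shown and recorded. This data source is consumed by the Grafana OAuth2 provider added in the same commit.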

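--- a/infrastructure/terraform/authentik/mappings.tf
+++ b/infrastructure/terraform/authentik/mappings.tf
@@ -29,3 +29,15 @@ data "authentik_property_mapping_saml" "username" {
 data "authentik_property_mapping_saml" "email" {
 managed = "goauthentik.io/providers/saml/email"
 }
+
+data "authentik_scope_mapping" "scope-email" {
+name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+name = "authentik default OAuth Mapping: OpenID 'openid'"
+}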
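Review bot: The three scope mappings are resolved by display name (`name = "authentik default OAuth Mapping: OpenID 'email'"` and the two below), which is brittle: renaming the mapping in the authentik UI silently breaks the lookup, whereas the SAML mappings just above use the stable `managed` identifier. If the `authentik_scope_mapping` data source accepts `managed` the way the SAML one does, resolving by the `goauthentik.io/providers/oauth2/scope-*` managed ids would be more robust (verify the exact ids against the deployed authentik version). Also worth a comment on `scope-profile`: Grafana's `role_attribute_path` in helm-release.yaml reads a `groups` claim, which as far as I recall the default OpenID 'profile' mapping emits, so if this lookup is ever pointed at a custom mapping that drops `groups`, every user silently falls back to Viewer.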

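--- a/kubernetes/main/apps/monitoring/grafana/app/grafana-secrets.yaml
+++ b/kubernetes/main/apps/monitoring/grafana/app/grafana-secrets.yaml
@@ -18,7 +18,14 @@ spec:
 data:
 adminUser: "{{ .ADMIN_USER }}"
 adminPassword: "{{ .ADMIN_PASSWORD }}"
-GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
+
+# Authelia
+# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
+
+# Authentik
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ .AUTHENTIK_CLIENT_ID }}"
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .AUTHENTIK_CLIENT_SECRET }}"
+
 # Database configuration
 GF_DATABASE_USER: &dbuser grafana
 GF_DATABASE_PASSWORD: &dbpass "{{ .GRAFANA_DATABASE_PASSWORD }}"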
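Review bot: The Authelia block is kept as commented-out lines (`# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"`) rather than deleted, and helm-release.yaml carries the same dead Authelia configuration as a long comment block; git history already preserves the old setup, so both blocks should be removed to keep the templates readable. After this change the `GRAFANA_OAUTH_CLIENT_SECRET` value in the secret store is no longer referenced anywhere visible, so it can presumably be retired once the Authentik login has been verified. `GF_AUTH_GENERIC_OAUTH_CLIENT_ID` is not sensitive and could live under `env:` in helm-release.yaml, though keeping it next to its secret is acceptable if a short comment says so.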

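--- a/kubernetes/main/apps/monitoring/grafana/app/helm-release.yaml
+++ b/kubernetes/main/apps/monitoring/grafana/app/helm-release.yaml
@@ -50,39 +50,57 @@ spec:
 userKey: adminUser
 passwordKey: adminPassword
 env:
-GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/userinfo
-GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/authorization
-GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/token
+# Authelia
+# GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/userinfo
+# GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/authorization
+# GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.${SECRET_DOMAIN_NAME}/api/oidc/token
+
 GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
 GF_SECURITY_ANGULAR_SUPPORT_ENABLED: true
 envFromSecrets:
 - name: grafana-secret
 grafana.ini:
-# default:
-# force_migration: true
 auth:
-# signout_redirect_url: https://auth.${SECRET_DOMAIN_NAME}/logout
-oauth_auto_login: true
-oauth_allow_insecure_email_lookup: true
+signout_redirect_url: https://sso.${SECRET_DOMAIN_NAME}/application/o/grafana/end-session/
+oauth_auto_login: true
 auth.generic_oauth:
-enabled: true
-name: Authelia
-icon: signin
-client_id: grafana
-scopes: "openid profile email groups"
-empty_scopes: false
-login_attribute_path: preferred_username
-groups_attribute_path: groups
-name_attribute_path: name
-use_pkce: true
-auth.generic_oauth.group_mapping:
-role_attribute_path: |
-contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer'
-org_id: 1
+name: authentik
+enabled: true
+scopes: "openid profile email"
+auth_url: "https://sso.${SECRET_DOMAIN_NAME}/application/o/authorize/"
+token_url: "https://sso.${SECRET_DOMAIN_NAME}/application/o/token/"
+api_url: "https://sso.${SECRET_DOMAIN_NAME}/application/o/userinfo/"
+# Optionally map user groups to Grafana roles
+role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
+users:
+auto_assign_org = true
+auto_assign_org_id = 1
+# Authelia
+# # default:
+# # force_migration: true
+# auth:
+# # signout_redirect_url: https://auth.${SECRET_DOMAIN_NAME}/logout
+# oauth_auto_login: true
+# oauth_allow_insecure_email_lookup: true
+# auth.generic_oauth:
+# enabled: true
+# name: Authelia
+# icon: signin
+# client_id: grafana
+# scopes: "openid profile email groups"
+# empty_scopes: false
+# login_attribute_path: preferred_username
+# groups_attribute_path: groups
+# name_attribute_path: name
+# use_pkce: true
+# auth.generic_oauth.group_mapping:
+# role_attribute_path: |
+# contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer'
+# org_id: 1
 auth.basic:
 enabled: false
 auth.anonymous:
-enabled: true
+enabled: false
 org_id: 1
 org_role: Viewer
 date_formats: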
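Review bot: The two lines under `users:` are written in INI syntax (`auto_assign_org = true`, `auto_assign_org_id = 1`) inside a YAML map where every other grafana.ini setting is `key: value`; YAML folds them into a single plain scalar string as the value of `users`, so these settings most likely never reach the rendered `[users]` section. They should read `auto_assign_org: true` and `auto_assign_org_id: 1`. Separately, the migrated `auth.generic_oauth` block drops the `use_pkce: true` that the Authelia configuration had; authentik's OAuth2 provider supports PKCE, so restoring `use_pkce: true` keeps the authorization-code exchange protected against code interception at no cost. Disabling `auth.anonymous` and removing `oauth_allow_insecure_email_lookup` are good hardening steps; the enclosing `spec:` block starts before the hunk.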
