feat(grafana): enable auth via authelia
martinohmann committed Dec 28, 2023
1 parent 53a32ea commit d5b7bdc
Showing 7 changed files with 71 additions and 14 deletions.
@@ -80,7 +80,7 @@ identity_providers:
clients:
- id: grafana
description: Grafana
secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
secret: $pbkdf2-sha512$310000$TO1OTbdHDsVqMzwcgv0YIg$abgmxvIyQxLxglBygTMeVv6YDuaRYeHSzIRZSAPOKW57/JWy1DOnCuwoCgFeAl5x3PZxfXODywWSkLPX2J4Dlw
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
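Review bot: The grafana client's `secret:` is now a PBKDF2-SHA512 digest committed in clear, where the other `secret:` line (apparently the removed one) expanded `${GRAFANA_OAUTH_CLIENT_SECRET}`, so two things should be pinned down here. Anyone who can read the repository can run offline guesses against the digest, which means its protection rests entirely on the plaintext being a long, randomly generated value; a comment such as `# digest of a randomly generated client secret; plaintext is held only in the Grafana SOPS secret` would record that assumption. The `${...}` form suggests this file passes through a substitution step, so confirm that step leaves the `$pbkdf2-sha512$310000$…` segments untouched. Single-quoting the value would also make it unambiguous as a literal string. The file header for this section is not visible on the page, and the `clients:` entry continues outside the hunk.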
5 changes: 2 additions & 3 deletions kubernetes/apps/default/authelia/app/secret.sops.yaml
@@ -13,7 +13,6 @@ stringData:
AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:fgo3/99HVlEmt0bQrBTQmV8An7EXoA==,iv:ETLEKwdRZrcTlGGpwparjvntxLPuioXY71TLE/aSqTo=,tag:GFlZZ2Qha+BPU5uTzwsLbA==,type:str]
AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:o/gSx66zpKw6Nr7nQMuZvSXEz2bOKL7pLQjVGxKjJCDtE6DTb2XcOR6VzpXLCZ21FfN0nkNbMC9JNAAGBmAT4loV8OnVRE91mAgJCvmKmvv9M0GwwVXHCLxlZok/02SiDEjGogjzbMCRdUVz5YfBC9QKVgtbG06owJTyEjJyrAM=,iv:jB1EV8WlKX4+Y9iTUyt6hhoCTC5ANfleo1SeilaecLc=,tag:yiD1+x0oEUFvGkzkP/zWdw==,type:str]
AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:VTiIkPRndQ5dwp5y0MDZmYB08REnvpJzlA1oeM8YI0M6GMbA6mGNEyKSutdGD+Lh/ML0M/+zRoutnQWLVPk+17/GqF/KYKDvp8hRTAdO2tmcnsBeuZkwVpb6dW8z4ykVJ+veuSUbz8R2kvNSWmVkdVR8xt7mQM73qeW7tSWZhK8=,iv:pY7Qnjc9Ra/JZrd7vTDIIFiJFMRh0h/ID0OX76JMITg=,tag:0OdTxrPxV6xDhV/lxjKyqA==,type:str]
GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:XShHXingQHCcXXaEZeqNi/rJdYXl4AI94/xPonp5p6+3hzCtHTF2rdE9DFaiykrVPMYrhATuNhDt/TeYfT28X2wITMPQxvu7,iv:JOKkzKfc8IAStHZ6xZ29DdnRlyP2uz8bihrLOgzxJ2Y=,tag:eIMX73mPmL5ZrZbVCDFD4Q==,type:str]
sops:
kms: []
gcp_kms: []
@@ -29,8 +28,8 @@ sops:
ekoxSWY2dmlWK0k3bzhUdmo0ZzdvTzQKlBZSUqKIS0zDPmYiyDX/ynsV++620De6
FT3clq2Hev74lzkqV2NKjuJNkuPFIxSAPoySw0VYWbrxCS1ztWs8wg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-28T12:46:18Z"
mac: ENC[AES256_GCM,data:Gf8lUbyDve0nqj0Ugqk7vDzup9A7d7ygUI5pNDsZIwzvNhP9wyjVL7P0e9geY0shB4kwnHRZvuPr/SwRzTc8w0j2VPBCaUSMY8/0rLoFYuApQ24dNTQ8Vli1IfE73SkO5RpHFfca5OtJcxfG2xpKnKL6kxFJmkK4wLmin3BxzlM=,iv:flCGmIH0c1FJm6o5hwkBwtgPBqyLi6gztdpa/p6QFik=,tag:OLKDx160hW6pTwAR9jWsoA==,type:str]
lastmodified: "2023-12-28T18:41:40Z"
mac: ENC[AES256_GCM,data:u8EX5VEnnR7tzcBqym+QheDNsnE4NWhP9A9MQ5CnMz6lcjHr07uIs+mvjjkX2KCoNS2NxWsASn/B2eTSCgXI81cHgsIif0oPE/sYaR38rn0iRkkaqctMUoIb/3z51zmtX9Dqr78h/JlXcWXC8KnW+mQ1tqgu3YtRC9ufUGZ9SpU=,iv:f0+zfET2N3Pqh2RUVJM95fHfz7YOmm4Os9ILJRwRTtw=,tag:NHGnLRoyyUWDOO09V8tlgg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1
35 changes: 32 additions & 3 deletions kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: grafana
namespace: monitoring
spec:
interval: 30m
chart:
@@ -32,15 +31,45 @@ spec:
deploymentStrategy:
type: Recreate
admin:
existingSecret: grafana-admin-secret
existingSecret: grafana-admin
env:
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.18b.haus/api/oidc/userinfo
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.18b.haus/api/oidc/authorization
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.18b.haus/api/oidc/token
GF_EXPLORE_ENABLED: true
GF_SERVER_ROOT_URL: "https://grafana.18b.haus"
GF_SECURITY_COOKIE_SAMESITE: grafana
GF_SERVER_ROOT_URL: https://grafana.18b.haus
envFromSecrets:
- name: grafana
grafana.ini:
analytics:
check_for_updates: false
check_for_plugin_updates: false
reporting_enabled: false
auth:
oauth_auto_login: true
oauth_allow_insecure_email_lookup: true
auth.generic_oauth:
enabled: true
name: Authelia
icon: signin
scopes: openid profile email groups
empty_scopes: false
login_attribute_path: preferred_username
groups_attribute_path: groups
name_attribute_path: name
use_pkce: true
auth.generic_oauth.group_mapping:
org_id: 1
role_attribute_path: |
contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer'
auth.basic:
enabled: false
auth.anonymous:
enabled: false
news:
news_feed_enabled: false
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
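Review bot: `GF_SECURITY_COOKIE_SAMESITE: grafana` under `env:` is not one of the values Grafana documents for `cookie_samesite` (`lax`, `strict`, `none`, `disabled`), so it most likely falls back to the default rather than doing what was intended; `GF_SECURITY_COOKIE_SAMESITE: lax` is the usual choice for an OAuth redirect flow. In the `auth` block, `oauth_allow_insecure_email_lookup: true` lets an OAuth login attach to an existing Grafana user by e-mail alone, which is sound only while Authelia is the sole identity source and users cannot change their own e-mail there; state that assumption in a comment, or drop the flag if no pre-existing accounts need linking. The `role_attribute_path` expression yields no role for a user in neither `admins` nor `people`, and without `role_attribute_strict: true` in `auth.generic_oauth` Grafana assigns its default role instead of refusing the login. That expression also sits under `auth.generic_oauth.group_mapping`, whereas Grafana documents `role_attribute_path` under `auth.generic_oauth`, so it is worth confirming with a non-admin login that the mapping is applied at all.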
2 changes: 1 addition & 1 deletion kubernetes/apps/monitoring/grafana/app/kustomization.yaml
@@ -2,8 +2,8 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
- ./secret-admin.sops.yaml
- ./secret.sops.yaml
- ../../../../templates/volsync
- ./helmrelease.yaml
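--- a/kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: grafana-admin
+stringData:
+admin-password: ENC[AES256_GCM,data:EdlmuudhUy8ny/fvb9FMSfnAh2ajTmTq,iv:WJ0RJmEzFlQN5kMk1RJaVd3b6DHcIyim06kTzmMXyTc=,tag:T2fm+sleaqCMQyHIfI4Qdg==,type:str]
+admin-user: ENC[AES256_GCM,data:/RPRmOs=,iv:G1noxFd1buw66sc2sbry92ZRhfwG8CEVRFkBnlQNek4=,tag:WnXkYL8WkmiTquPqgDj9KQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRXhQYi9GYWpoSTZCaC9G
+V3ZaRmZaenlIM2NObWRWVG5yTW5kdURtMGprCnF2a2FNa0RyNkxNL0d1S2lBam9Z
+RmUrTStWc09IQUJDZ3IrZVZhVUthNWcKLS0tIFhERHM4Vis4ZmMxNWR0RFdyTk1B
+VERTZ05haHJLaytWVnhRR1J1bzVCdmsKNFKU077vNGWdyQiQkYi48E4j8ZXD/aXS
+p/PX9jmmy0CU8zd16R0T8tDOmKxO1hIXfkUh292KwHnlSFSGrDlmhw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-12-28T18:38:28Z"
+mac: ENC[AES256_GCM,data:KO/jV5OBK0TyPZM8WK/fbgZ1409q8hUnYVi6jzeg/S6xdQtnsCu2zxBkr5oZAAth7RJ4fmnwJ4/OqHVKDaCUVE5ZmIogsaL73+MXNpFKcPyAa5HNpubMO0fHoH6m2Z3iabyteY0onr5wYig4BdYUcBRtHFrPS1yVNiQX7Sv3zmU=,iv:MIjn4WDhnovJ7xudbrfpoW+xN+LEMuU86bAt1Ku6+50=,tag:vLuH+eAp6k1mNyCrO5G4Ow==,type:str]
+pgp: []
+encrypted_regex: ^(data|stringData)$
+version: 3.8.1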
10 changes: 4 additions & 6 deletions kubernetes/apps/monitoring/grafana/app/secret.sops.yaml
@@ -1,11 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: grafana-admin-secret
namespace: monitoring
name: grafana
stringData:
admin-password: ENC[AES256_GCM,data:EdlmuudhUy8ny/fvb9FMSfnAh2ajTmTq,iv:WJ0RJmEzFlQN5kMk1RJaVd3b6DHcIyim06kTzmMXyTc=,tag:T2fm+sleaqCMQyHIfI4Qdg==,type:str]
admin-user: ENC[AES256_GCM,data:/RPRmOs=,iv:G1noxFd1buw66sc2sbry92ZRhfwG8CEVRFkBnlQNek4=,tag:WnXkYL8WkmiTquPqgDj9KQ==,type:str]
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:u3eXLNS+l0XvT7fTvjcoLD/ODwTrXr74eVhzvQN0XBh7+w1h/ApNw/PgjtnO/IXFV1l8NEnYdln7FacD6j6wSS+JJpmtX1yd,iv:qEcOuiRuNA0sk7uOYU2EMZJyZEd4YyERUfzSPsA3gcI=,tag:2gBT1MRQXGCvoJn2KzHNEg==,type:str]
sops:
kms: []
gcp_kms: []
@@ -21,8 +19,8 @@ sops:
VERTZ05haHJLaytWVnhRR1J1bzVCdmsKNFKU077vNGWdyQiQkYi48E4j8ZXD/aXS
p/PX9jmmy0CU8zd16R0T8tDOmKxO1hIXfkUh292KwHnlSFSGrDlmhw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-09T07:29:46Z"
mac: ENC[AES256_GCM,data:8ATrBa3iAFpL22VNGdZNtEuqxeNvQpuEuFxVNiXKiAjLy4blJVTbn8SPDgRH/uWqlC74jFTqBrYpA5oiI5crXwTvoXqsg4zMjp+NZEiDOlfZnWw5AZ9XTBHzBMpelIF7FwY/wYpFv3vb+5Og43xX3pN1Q5QC6wuNkX+69LiARok=,iv:Zzf9rboYrat9dZFDx266XHeONQnzBG/JjNdh961zlwE=,tag:88s+08vF9P+ZNapC2JUP9Q==,type:str]
lastmodified: "2023-12-28T18:38:13Z"
mac: ENC[AES256_GCM,data:hEfqhjDuv3xfqN2eDrZGP8HdAWHcdVw985VGSCRtkaikuwyPhoCXBgLFa5KtMIMM+pu7rQZ7mRSWamyUCnBsoH9d26JXnhuiEaGpjgehR4g2YqKgfnkq45CVKdzcA/k2Ks8LVOr1mmrgoiBKBBlKf1TZPjJKloq9DUS9A918NN0=,iv:2EfZCdlaDjC/8xDaeTkuZNZZ5vpKBnPdyilQLN+Y5Pg=,tag:23QtUGn46KOf8HiPM3VDsQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1
4 changes: 4 additions & 0 deletions kubernetes/apps/monitoring/grafana/ks.yaml
@@ -6,6 +6,10 @@ metadata:
name: &app grafana
namespace: flux-system
spec:
targetNamespace: monitoring
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: volsync
path: ./kubernetes/apps/monitoring/grafana/app