From d5b7bdcadfb463ee0e755e395245de5793ee4759 Mon Sep 17 00:00:00 2001 From: martinohmann Date: Thu, 28 Dec 2023 19:43:55 +0100 Subject: [PATCH] feat(grafana): enable auth via authelia --- .../authelia/app/resources/configuration.yaml | 2 +- .../default/authelia/app/secret.sops.yaml | 5 ++- .../monitoring/grafana/app/helmrelease.yaml | 35 +++++++++++++++++-- .../monitoring/grafana/app/kustomization.yaml | 2 +- .../grafana/app/secret-admin.sops.yaml | 27 ++++++++++++++ .../monitoring/grafana/app/secret.sops.yaml | 10 +++--- kubernetes/apps/monitoring/grafana/ks.yaml | 4 +++ 7 files changed, 71 insertions(+), 14 deletions(-) create mode 100644 kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml
diff --git a/kubernetes/apps/default/authelia/app/resources/configuration.yaml b/kubernetes/apps/default/authelia/app/resources/configuration.yaml
index 0e766c797..f06b13ec8 100644
--- a/kubernetes/apps/default/authelia/app/resources/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/resources/configuration.yaml
@@ -80,7 +80,7 @@ identity_providers: clients: - id: grafana description: Grafana - secret: "${GRAFANA_OAUTH_CLIENT_SECRET}" + secret: $pbkdf2-sha512$310000$TO1OTbdHDsVqMzwcgv0YIg$abgmxvIyQxLxglBygTMeVv6YDuaRYeHSzIRZSAPOKW57/JWy1DOnCuwoCgFeAl5x3PZxfXODywWSkLPX2J4Dlw public: false authorization_policy: two_factor pre_configured_consent_duration: 1y
diff --git a/kubernetes/apps/default/authelia/app/secret.sops.yaml b/kubernetes/apps/default/authelia/app/secret.sops.yaml
index 4a1305942..cf8b852aa 100644
--- a/kubernetes/apps/default/authelia/app/secret.sops.yaml
+++ b/kubernetes/apps/default/authelia/app/secret.sops.yaml
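Review bot: The new `secret:` value in the configuration.yaml hunk is a plain scalar starting with `$`, and the value it replaces, `${GRAFANA_OAUTH_CLIENT_SECRET}`, shows this file is passed through variable substitution before Authelia reads it. To an envsubst-style substitutor the unbraced segments `$pbkdf2`, `$TO1OTbdHDsVqMzwcgv0YIg` and `$abgmxvIyQx…` look like variable references, so the digest may reach the rendered config altered or truncated; check the rendered output contains the digest verbatim, and if it does not, either escape the `$` characters in whatever form the substitution tool supports or keep the digest in a substituted variable as the old line did. Committing the PBKDF2-SHA512 digest instead of the plaintext client secret is the right direction, since the plaintext now only has to live in Grafana's Secret. A comment above the line would help the next reader: `# PBKDF2-SHA512 digest of the client secret; the plaintext is GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET in the grafana Secret`.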
@@ -13,7 +13,6 @@ stringData: AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:fgo3/99HVlEmt0bQrBTQmV8An7EXoA==,iv:ETLEKwdRZrcTlGGpwparjvntxLPuioXY71TLE/aSqTo=,tag:GFlZZ2Qha+BPU5uTzwsLbA==,type:str] AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:o/gSx66zpKw6Nr7nQMuZvSXEz2bOKL7pLQjVGxKjJCDtE6DTb2XcOR6VzpXLCZ21FfN0nkNbMC9JNAAGBmAT4loV8OnVRE91mAgJCvmKmvv9M0GwwVXHCLxlZok/02SiDEjGogjzbMCRdUVz5YfBC9QKVgtbG06owJTyEjJyrAM=,iv:jB1EV8WlKX4+Y9iTUyt6hhoCTC5ANfleo1SeilaecLc=,tag:yiD1+x0oEUFvGkzkP/zWdw==,type:str] AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:VTiIkPRndQ5dwp5y0MDZmYB08REnvpJzlA1oeM8YI0M6GMbA6mGNEyKSutdGD+Lh/ML0M/+zRoutnQWLVPk+17/GqF/KYKDvp8hRTAdO2tmcnsBeuZkwVpb6dW8z4ykVJ+veuSUbz8R2kvNSWmVkdVR8xt7mQM73qeW7tSWZhK8=,iv:pY7Qnjc9Ra/JZrd7vTDIIFiJFMRh0h/ID0OX76JMITg=,tag:0OdTxrPxV6xDhV/lxjKyqA==,type:str] - GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:XShHXingQHCcXXaEZeqNi/rJdYXl4AI94/xPonp5p6+3hzCtHTF2rdE9DFaiykrVPMYrhATuNhDt/TeYfT28X2wITMPQxvu7,iv:JOKkzKfc8IAStHZ6xZ29DdnRlyP2uz8bihrLOgzxJ2Y=,tag:eIMX73mPmL5ZrZbVCDFD4Q==,type:str] sops: kms: [] gcp_kms: []
@@ -29,8 +28,8 @@ sops: ekoxSWY2dmlWK0k3bzhUdmo0ZzdvTzQKlBZSUqKIS0zDPmYiyDX/ynsV++620De6 FT3clq2Hev74lzkqV2NKjuJNkuPFIxSAPoySw0VYWbrxCS1ztWs8wg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-28T12:46:18Z" - mac: ENC[AES256_GCM,data:Gf8lUbyDve0nqj0Ugqk7vDzup9A7d7ygUI5pNDsZIwzvNhP9wyjVL7P0e9geY0shB4kwnHRZvuPr/SwRzTc8w0j2VPBCaUSMY8/0rLoFYuApQ24dNTQ8Vli1IfE73SkO5RpHFfca5OtJcxfG2xpKnKL6kxFJmkK4wLmin3BxzlM=,iv:flCGmIH0c1FJm6o5hwkBwtgPBqyLi6gztdpa/p6QFik=,tag:OLKDx160hW6pTwAR9jWsoA==,type:str] + lastmodified: "2023-12-28T18:41:40Z" + mac: ENC[AES256_GCM,data:u8EX5VEnnR7tzcBqym+QheDNsnE4NWhP9A9MQ5CnMz6lcjHr07uIs+mvjjkX2KCoNS2NxWsASn/B2eTSCgXI81cHgsIif0oPE/sYaR38rn0iRkkaqctMUoIb/3z51zmtX9Dqr78h/JlXcWXC8KnW+mQ1tqgu3YtRC9ufUGZ9SpU=,iv:f0+zfET2N3Pqh2RUVJM95fHfz7YOmm4Os9ILJRwRTtw=,tag:NHGnLRoyyUWDOO09V8tlgg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
index 66f1434fe..c3533ed59 100644
--- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: name: grafana - namespace: monitoring spec: interval: 30m chart:
@@ -32,15 +31,45 @@ spec: deploymentStrategy: type: Recreate admin: - existingSecret: grafana-admin-secret + existingSecret: grafana-admin env: + GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.18b.haus/api/oidc/userinfo + GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.18b.haus/api/oidc/authorization + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana + GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.18b.haus/api/oidc/token GF_EXPLORE_ENABLED: true - GF_SERVER_ROOT_URL: "https://grafana.18b.haus" + GF_SECURITY_COOKIE_SAMESITE: grafana + GF_SERVER_ROOT_URL: https://grafana.18b.haus + envFromSecrets: + - name: grafana grafana.ini: analytics: check_for_updates: false check_for_plugin_updates: false reporting_enabled: false + auth: + oauth_auto_login: true + oauth_allow_insecure_email_lookup: true + auth.generic_oauth: + enabled: true + name: Authelia + icon: signin + scopes: openid profile email groups + empty_scopes: false + login_attribute_path: preferred_username + groups_attribute_path: groups + name_attribute_path: name + use_pkce: true + auth.generic_oauth.group_mapping: + org_id: 1 + role_attribute_path: | + contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer' + auth.basic: + enabled: false + auth.anonymous: + enabled: false + news: + news_feed_enabled: false dashboardProviders: dashboardproviders.yaml: apiVersion: 1
diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
index cda25a610..e2f112d49 100644
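Review bot: `GF_SECURITY_COOKIE_SAMESITE: grafana` in the second helmrelease.yaml hunk is not one of Grafana's documented `cookie_samesite` values (`lax`, `strict`, `none`, `disabled`), so it is at best ignored and the default applies; either drop the line or state the intent explicitly with `GF_SECURITY_COOKIE_SAMESITE: lax`, which is also the default and keeps the session/state cookies on the redirect back from Authelia. In the same hunk `role_attribute_path` sits under `auth.generic_oauth.group_mapping`, a section I cannot find in Grafana's generic OAuth documentation, where `role_attribute_path` belongs directly in `auth.generic_oauth`; verify after deploy that members of `admins` actually land as Admin rather than the auto-assigned default role (the enclosing `values:` mapping starts before this hunk and continues past it). Because the JMESPath expression yields no role for a user in neither `admins` nor `people`, any Authelia account that passes the client's policy still logs in with the default org role unless `role_attribute_strict: true` is added next to it. `oauth_allow_insecure_email_lookup: true` deliberately relaxes account matching and deserves a one-line justification above it, e.g. `# needed once to map pre-existing local users to their OIDC identity by e-mail; remove after migration`. Minor: `role_attribute_path: |` keeps a trailing newline in the INI value, and `|-` is the safer block indicator.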
--- a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
@@ -2,8 +2,8 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: + - ./secret-admin.sops.yaml - ./secret.sops.yaml - ../../../../templates/volsync - ./helmrelease.yaml
diff --git a/kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml b/kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml
new file mode 100644
index 000000000..6722e4754
--- /dev/null
+++ b/kubernetes/apps/monitoring/grafana/app/secret-admin.sops.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana-admin
+stringData:
+ admin-password: ENC[AES256_GCM,data:EdlmuudhUy8ny/fvb9FMSfnAh2ajTmTq,iv:WJ0RJmEzFlQN5kMk1RJaVd3b6DHcIyim06kTzmMXyTc=,tag:T2fm+sleaqCMQyHIfI4Qdg==,type:str]
+ admin-user: ENC[AES256_GCM,data:/RPRmOs=,iv:G1noxFd1buw66sc2sbry92ZRhfwG8CEVRFkBnlQNek4=,tag:WnXkYL8WkmiTquPqgDj9KQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRXhQYi9GYWpoSTZCaC9G
+ V3ZaRmZaenlIM2NObWRWVG5yTW5kdURtMGprCnF2a2FNa0RyNkxNL0d1S2lBam9Z
+ RmUrTStWc09IQUJDZ3IrZVZhVUthNWcKLS0tIFhERHM4Vis4ZmMxNWR0RFdyTk1B
+ VERTZ05haHJLaytWVnhRR1J1bzVCdmsKNFKU077vNGWdyQiQkYi48E4j8ZXD/aXS
+ p/PX9jmmy0CU8zd16R0T8tDOmKxO1hIXfkUh292KwHnlSFSGrDlmhw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-28T18:38:28Z"
+ mac: ENC[AES256_GCM,data:KO/jV5OBK0TyPZM8WK/fbgZ1409q8hUnYVi6jzeg/S6xdQtnsCu2zxBkr5oZAAth7RJ4fmnwJ4/OqHVKDaCUVE5ZmIogsaL73+MXNpFKcPyAa5HNpubMO0fHoH6m2Z3iabyteY0onr5wYig4BdYUcBRtHFrPS1yVNiQX7Sv3zmU=,iv:MIjn4WDhnovJ7xudbrfpoW+xN+LEMuU86bAt1Ku6+50=,tag:vLuH+eAp6k1mNyCrO5G4Ow==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml
index b50f80c5e..3104ec4b3 100644
--- a/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml
@@ -1,11 +1,9 @@ apiVersion: v1 kind: Secret metadata: - name: grafana-admin-secret - namespace: monitoring + name: grafana stringData: - admin-password: ENC[AES256_GCM,data:EdlmuudhUy8ny/fvb9FMSfnAh2ajTmTq,iv:WJ0RJmEzFlQN5kMk1RJaVd3b6DHcIyim06kTzmMXyTc=,tag:T2fm+sleaqCMQyHIfI4Qdg==,type:str] - admin-user: ENC[AES256_GCM,data:/RPRmOs=,iv:G1noxFd1buw66sc2sbry92ZRhfwG8CEVRFkBnlQNek4=,tag:WnXkYL8WkmiTquPqgDj9KQ==,type:str] + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:u3eXLNS+l0XvT7fTvjcoLD/ODwTrXr74eVhzvQN0XBh7+w1h/ApNw/PgjtnO/IXFV1l8NEnYdln7FacD6j6wSS+JJpmtX1yd,iv:qEcOuiRuNA0sk7uOYU2EMZJyZEd4YyERUfzSPsA3gcI=,tag:2gBT1MRQXGCvoJn2KzHNEg==,type:str] sops: kms: [] gcp_kms: []
@@ -21,8 +19,8 @@ sops: VERTZ05haHJLaytWVnhRR1J1bzVCdmsKNFKU077vNGWdyQiQkYi48E4j8ZXD/aXS p/PX9jmmy0CU8zd16R0T8tDOmKxO1hIXfkUh292KwHnlSFSGrDlmhw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-09T07:29:46Z" - mac: ENC[AES256_GCM,data:8ATrBa3iAFpL22VNGdZNtEuqxeNvQpuEuFxVNiXKiAjLy4blJVTbn8SPDgRH/uWqlC74jFTqBrYpA5oiI5crXwTvoXqsg4zMjp+NZEiDOlfZnWw5AZ9XTBHzBMpelIF7FwY/wYpFv3vb+5Og43xX3pN1Q5QC6wuNkX+69LiARok=,iv:Zzf9rboYrat9dZFDx266XHeONQnzBG/JjNdh961zlwE=,tag:88s+08vF9P+ZNapC2JUP9Q==,type:str] + lastmodified: "2023-12-28T18:38:13Z" + mac: ENC[AES256_GCM,data:hEfqhjDuv3xfqN2eDrZGP8HdAWHcdVw985VGSCRtkaikuwyPhoCXBgLFa5KtMIMM+pu7rQZ7mRSWamyUCnBsoH9d26JXnhuiEaGpjgehR4g2YqKgfnkq45CVKdzcA/k2Ks8LVOr1mmrgoiBKBBlKf1TZPjJKloq9DUS9A918NN0=,iv:2EfZCdlaDjC/8xDaeTkuZNZZ5vpKBnPdyilQLN+Y5Pg=,tag:23QtUGn46KOf8HiPM3VDsQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1
diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/monitoring/grafana/ks.yaml
index 7d85ca8a0..d4da82fb4 100644
--- a/kubernetes/apps/monitoring/grafana/ks.yaml
+++ b/kubernetes/apps/monitoring/grafana/ks.yaml
@@ -6,6 +6,10 @@ metadata: name: &app grafana namespace: flux-system spec: + targetNamespace: monitoring + commonMetadata: + labels: + app.kubernetes.io/name: *app dependsOn: - name: volsync path: ./kubernetes/apps/monitoring/grafana/app