From 2e7474d427fbc8ed0dbc2ffa766e8faaa08edef3 Mon Sep 17 00:00:00 2001
From: martinohmann
Date: Sat, 6 Jan 2024 00:04:42 +0100
Subject: [PATCH] feat(grafana): switch OIDC auth to authentik
---
 .../monitoring/grafana/app/helmrelease.yaml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
index 5c873a4e6..508754c26 100644
--- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -33,13 +33,12 @@ spec:
 admin:
 existingSecret: grafana-admin
 env:
- GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.18b.haus/api/oidc/userinfo
- GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.18b.haus/api/oidc/authorization
+ GF_AUTH_GENERIC_OAUTH_API_URL: https://identity.18b.haus/application/o/userinfo/
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://identity.18b.haus/application/o/authorize/
 GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.18b.haus/api/oidc/token
- GF_AUTH_SIGNOUT_REDIRECT_URL: https://auth.18b.haus/logout?rd=https://grafana.18b.haus/login
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://identity.18b.haus/application/o/token/
+ GF_AUTH_SIGNOUT_REDIRECT_URL: https://identity.18b.haus/application/o/grafana/end-session/
 GF_EXPLORE_ENABLED: true
- GF_SECURITY_COOKIE_SAMESITE: grafana
 GF_SERVER_ROOT_URL: https://grafana.18b.haus
 envFromSecrets:
 - name: grafana
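Review bot: Nothing in this env block records where the OAuth client secret for the new provider comes from; only `GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana` is set here, so the secret presumably arrives through the `grafana` entry under `envFromSecrets`, which this commit does not touch. A comment above the block, for example `# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is supplied by the "grafana" secret and must match the authentik provider`, would make that dependency visible and flag that the previous Authelia value has to be replaced when the endpoints change. The `spec:` mapping that contains this block starts above the hunk.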
@@ -53,18 +52,15 @@ spec:
 oauth_allow_insecure_email_lookup: true
 auth.generic_oauth:
 enabled: true
- name: Authelia
+ name: Authentik
 icon: signin
- scopes: openid profile email groups
- empty_scopes: false
- login_attribute_path: preferred_username
- groups_attribute_path: groups
- name_attribute_path: name
+ scopes: openid profile email
 use_pkce: true
+ skip_org_role_sync: true
 auth.generic_oauth.group_mapping:
 org_id: 1
 role_attribute_path: |
- contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer'
+ contains(groups[*], 'admins') && 'Admin' || 'Viewer'
 auth.basic:
 enabled: false
 auth.anonymous:
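Review bot: `skip_org_role_sync: true` contradicts the `role_attribute_path` expression kept a few lines below it, in a settings block that starts above this hunk: with role sync skipped, Grafana does not apply the role evaluated from the IdP claims at login, so the `admins` to `Admin` mapping becomes dead configuration and roles have to be assigned inside Grafana. Keep one of the two, either drop `skip_org_role_sync: true` or delete the mapping and leave a comment such as `# org roles are managed in Grafana, not synced from authentik`. If the mapping is kept, it still reads `groups[*]` although the `groups` scope and `groups_attribute_path` were removed, so it depends on authentik returning a groups claim under one of the remaining scopes, which should be confirmed. The new `|| 'Viewer'` fallback also means Grafana no longer distinguishes group members from anyone else the IdP lets through, so access needs to be restricted on the authentik application itself or with `allowed_groups` plus `groups_attribute_path` here.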