Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.

2026-05-14 00:23:48 -04:00
parent 2bf7277917
commit 78b524a044
25 changed files with 1125 additions and 7 deletions
--- a/clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml
+++ b/clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml
@@ -0,0 +1,33 @@
+# Authentik OIDC for Grafana; ForwardAuth to **oauth2-proxy** (OIDC to Authentik) for Prometheus / Alertmanager UIs.
+
+prometheus:
+  ingress:
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+
+alertmanager:
+  ingress:
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+
+grafana:
+  env:
+    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: authentik-grafana-oauth
+          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+  grafana.ini:
+    auth:
+      disable_login_form: "false"
+    auth.generic_oauth:
+      enabled: true
+      name: Authentik
+      allow_sign_up: true
+      client_id: grafana
+      scopes: openid profile email groups
+      use_pkce: true
+      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
+      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
+      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
+      role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"