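---
# Authentik OIDC for Grafana; ForwardAuth to oauth2-proxy (OIDC to Authentik)
# for the Prometheus / Alertmanager UIs.
#
# The top-level keys (prometheus / alertmanager / grafana) look like Helm
# values for a monitoring stack chart - TODO confirm which chart consumes
# this file.

prometheus:
  ingress:
    annotations:
      # Prometheus has no login of its own here, so this middleware is the
      # only authentication on the route. It covers requests that pass
      # through this Traefik router only; anything that reaches the Service
      # directly (in-cluster clients, port-forward, another ingress) is not
      # checked, so pair it with a NetworkPolicy if that matters.
      # Traefik resolves the reference as <namespace>-<name>@kubernetescrd,
      # presumably namespace "oauth2-proxy", Middleware "forward-auth" -
      # verify the object exists, otherwise the router will not be served.
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

alertmanager:
  ingress:
    annotations:
      # Same ForwardAuth gate as Prometheus; the same caveats about direct
      # Service access apply (Alertmanager's API can create silences).
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

grafana:
  env:
    # The OAuth client secret is read from a Kubernetes Secret rather than
    # written in this file. The Secret "authentik-grafana-oauth" must exist
    # in the namespace Grafana runs in and hold this key.
    # NOTE(review): the Grafana chart renders `env` entries as plain string
    # values and takes secret references under `envValueFrom` (without the
    # `valueFrom:` level) - check `helm template` output to confirm this
    # becomes a secretKeyRef and not a stringified map.
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
          name: authentik-grafana-oauth
          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET

  grafana.ini:
    auth:
      # The local username/password form stays available next to the OAuth
      # button, so local accounts (including the built-in admin) remain a
      # login path that bypasses Authentik. Keep the admin password managed,
      # or set this to "true" once OIDC login is confirmed working.
      disable_login_form: "false"

    auth.generic_oauth:
      enabled: true
      name: Authentik
      # Any identity that completes the Authentik login gets a Grafana
      # account created on first sign-in. Together with the 'Viewer'
      # fallback in role_attribute_path below, users in neither noble-*
      # group still get read access; restrict who may use the "grafana"
      # application on the Authentik side if that is not intended.
      allow_sign_up: true
      client_id: grafana
      # NOTE(review): "groups" is requested as its own scope; confirm the
      # Authentik provider actually releases a `groups` claim for it,
      # otherwise every user maps to the fallback role.
      scopes: openid profile email groups
      # PKCE binds the authorization code to this client's code verifier.
      use_pkce: true
      # NOTE(review): verify these three endpoints against the provider's
      # OpenID configuration document; Authentik normally publishes shared
      # authorize/token/userinfo paths under /application/o/ rather than
      # per-application ones.
      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
      # JMESPath over the returned claims, first match wins:
      #   member of noble-admins  -> Admin
      #   member of noble-editors -> Editor
      #   anyone else             -> Viewer
      # Group membership in Authentik is therefore the authorization
      # boundary for Grafana Admin; audit who can edit those two groups.
      role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"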