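---
# kube-prometheus-stack values excerpt: Authentik OIDC for Grafana; Traefik ForwardAuth to oauth2-proxy
# (itself doing OIDC against Authentik) in front of the Prometheus / Alertmanager UIs.
#
# Security notes:
#   * The ForwardAuth annotation protects ONLY these Ingress routers. The in-cluster Services and any
#     other Ingress/IngressRoute pointing at Prometheus/Alertmanager stay unauthenticated — make sure no
#     second route exists without the middleware.
#   * Traefik resolves CRD middlewares as "<namespace>-<name>@kubernetescrd"; the value below must match
#     the namespace/name of the Middleware object, or Traefik silently returns 404 for the router.

prometheus:
  ingress:
    annotations:
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

alertmanager:
  ingress:
    annotations:
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

grafana:
  # The grafana chart maps plain strings under `env` only; `envValueFrom` is required for a secretKeyRef.
  # Keeping the client secret out of values.yaml (and out of VCS) is the point of this indirection.
  envValueFrom:
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
      secretKeyRef:
        name: authentik-grafana-oauth
        key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET

  grafana.ini:
    auth:
      # Local password login remains enabled as a break-glass path. That means the built-in `admin`
      # account bypasses Authentik entirely: keep its password strong/rotated, or flip this to `true`
      # once OIDC login is verified.
      disable_login_form: false

    auth.generic_oauth:
      enabled: true
      name: Authentik
      # Any Authentik user who passes the application's policy bindings can self-register. Combined with
      # the `|| 'Viewer'` fallback below, every such user lands in Grafana as Viewer by default; restrict
      # access at the Authentik application (group policy) if that is not intended.
      allow_sign_up: true
      client_id: grafana
      scopes: openid profile email groups
      # PKCE is required for a public-ish client flow; keep enabled.
      use_pkce: true
      # Authentik 2026.x: OAuth endpoints live under /application/o/authorize|token|userinfo/
      # (no .../oauth2/... per app). Use issuer discovery like Argo CD — do not hardcode the legacy
      # /application/o/<app>/oauth2/* URLs (they 404).
      # NOTE(review): confirm the deployed Grafana version accepts `server_url` (issuer discovery) for
      # generic_oauth; if it does not, set auth_url/token_url/api_url to the three paths named above.
      server_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/
      # Role mapping is evaluated in order: admins, then editors, else Viewer. `groups` must be in the
      # requested scopes (above) and the Authentik provider must emit it as a claim.
      role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"
      # Defense in depth: if the fallback above is ever removed, deny login instead of silently
      # granting a default role when no valid role is returned.
      role_attribute_strict: true
      # Deliberately NOT set: allow_assign_grafana_admin (defaults to false). Server-admin must not be
      # derivable from an IdP group claim without an explicit decision.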