---
# Authentik OIDC for Grafana; ForwardAuth to **oauth2-proxy** (OIDC to Authentik) for Prometheus / Alertmanager UIs.
#
# The Traefik middleware on the Prometheus and Alertmanager ingresses hands every
# request to oauth2-proxy before it reaches the UI; Grafana talks to Authentik
# directly through its generic OAuth provider.

prometheus:
  ingress:
    annotations:
      # Traefik Middleware reference in <namespace>-<name>@kubernetescrd form.
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

alertmanager:
  ingress:
    annotations:
      # Same ForwardAuth middleware as the Prometheus ingress above.
      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

grafana:
  env:
    # The client secret is read from a Secret rather than inlined in values.
    # NOTE(review): the Grafana chart renders `env` entries as plain string
    # `value:` fields; a `valueFrom` reference is normally placed under
    # `envValueFrom` instead -- confirm against the chart version in use.
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
          name: authentik-grafana-oauth
          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
  grafana.ini:
    auth:
      # Local username/password login stays available alongside OIDC.
      disable_login_form: "false"
    auth.generic_oauth:
      enabled: true
      name: Authentik
      # Users are auto-provisioned on first login; which users can reach this
      # client is decided on the Authentik side.
      allow_sign_up: true
      client_id: grafana
      # The `groups` scope feeds role_attribute_path below.
      scopes: openid profile email groups
      use_pkce: true
      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
      # Group -> Grafana role mapping (JMESPath). The trailing 'Viewer' is the
      # fallback, so every signed-in user without a matching group still gets
      # Viewer access.
      role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"