34 lines
1.3 KiB
YAML
34 lines
1.3 KiB
YAML
# Authentik OIDC for Grafana; ForwardAuth to **oauth2-proxy** (OIDC to Authentik) for Prometheus / Alertmanager UIs.
|
|
|
|
prometheus:
|
|
ingress:
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
|
|
|
|
alertmanager:
|
|
ingress:
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
|
|
|
|
grafana:
|
|
# Grafana chart maps plain strings under **env** only. Use **envValueFrom** for secretKeyRef.
|
|
envValueFrom:
|
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
|
|
secretKeyRef:
|
|
name: authentik-grafana-oauth
|
|
key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
|
|
grafana.ini:
|
|
auth:
|
|
disable_login_form: "false"
|
|
auth.generic_oauth:
|
|
enabled: true
|
|
name: Authentik
|
|
allow_sign_up: true
|
|
client_id: grafana
|
|
scopes: openid profile email groups
|
|
use_pkce: true
|
|
# Authentik 2026.x: OAuth endpoints live under /application/o/authorize|token|userinfo/ (no …/oauth2/… per app).
|
|
# Use issuer discovery like Argo CD — do not hardcode legacy /application/o/<slug>/oauth2/* URLs (they 404).
|
|
server_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/
|
|
role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"
|