diff --git a/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml b/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
index 00a5ac4cb..8b506f62a 100644
--- a/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
+++ b/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
@@ -50,6 +50,12 @@ entries:
 attrs:
 users:
 - !Find [authentik_core.user, [username, ixxel]]
+ - model: authentik_core.group
+ identifiers:
+ name: Grafana admins
+ attrs:
+ users:
+ - !Find [authentik_core.user, [username, ixxel]]
 - model: authentik_core.group
 identifiers:
 name: sa-homarr
diff --git a/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml
new file mode 100644
index 000000000..4ee4cd5bf
--- /dev/null
+++ b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml
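Review bot: The new `Grafana admins` group name is matched verbatim by the Grafana side in the genmachine-values.yaml hunk (`role_attribute_path: contains(groups[*], 'Grafana admins') && 'Admin' || 'Viewer'`), and nothing in either file records that coupling; renaming the group or the JMESPath literal silently demotes every admin to Viewer instead of failing. A comment above the entry such as `# name is matched literally by role_attribute_path in prometheus/genmachine/genmachine-values.yaml; keep in sync` would make the dependency visible to the next editor. The group holds only `ixxel`, in line with the neighbouring entry.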
@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+# yamllint disable
+---
+version: 1
+metadata:
+ name: genmachine-grafana
+entries:
+ - id: provider
+ model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: genmachine-grafana
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+ client_type: confidential
+ redirect_uris:
+ - url: https://grafana.talos-genmachine.fredcorp.com/login/generic_oauth
+ matching_mode: strict
+
+ access_code_validity: minutes=1
+ access_token_validity: hours=1
+ refresh_token_validity: hours=2
+
+ sub_mode: hashed_user_id
+ property_mappings:
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'openid'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'profile'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'email'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'groups'"]]
+
+ - id: application
+ model: authentik_core.application
+ state: present
+ identifiers:
+ name: genmachine-grafana
+ attrs:
+ name: genmachine-grafana
+ group: Monitoring
+ meta_description: Grafana
+ provider: !Find [authentik_providers_oauth2.oauth2provider, [name, genmachine-grafana]]
+ policy_engine_mode: any
+ slug: genmachine-grafana
diff --git a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
index 4a50196ff..f3e9f4bf9 100644
--- a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
+++ b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
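Review bot: The `application` entry is created with `policy_engine_mode: any` and no policy binding anywhere in this blueprint, so as far as this file shows every authenticated authentik user can complete the authorization flow for Grafana; combined with `allow_sign_up: true` and the `|| 'Viewer'` fallback in the genmachine-values.yaml hunk, that provisions a Viewer account for every user in the instance. If Grafana is meant for a defined set of people, bind a group policy to the application here (the `Grafana admins` group added in 030-groups.yaml, or a broader monitoring group) rather than relying on the Grafana-side role mapping, which only decides the role of users authentik has already let through. If open Viewer access is intentional, a one-line comment on the entry saying so would stop a later reader from treating it as an omission. The blanket `# yamllint disable` at the top (presumably for the `!Find` tags) also silences every other check for this file; a rule-scoped `# yamllint disable rule:…` directive would keep those.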
@@ -12,6 +12,7 @@ configMapGenerator:
 - ./060-oidc-vault.yaml
 - ./050-oidc-homarr.yaml
 - ./070-oidc-wireguard.yaml
+ - ./130-oidc-grafana.yaml
 - ./100-proxy-traefik.yaml
 - ./090-proxy-adguard.yaml
 - ./030-groups.yaml
diff --git a/gitops/manifests/prometheus/genmachine/genmachine-values.yaml b/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
index 1eb336ca3..b36ce9e37 100644
--- a/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
@@ -46,6 +46,37 @@ kube-prometheus-stack:
 repository: grafana/grafana
 tag: '12.4.3'
 pullPolicy: IfNotPresent
+ podAnnotations:
+ reloader.stakater.com/auto: 'true'
+ envFrom:
+ - secretRef:
+ name: grafana-oidc
+ extraVolumes:
+ - name: fredcorp-ca-chain
+ secret:
+ defaultMode: 420
+ secretName: fredcorp-ca-chain
+ extraVolumeMounts:
+ - name: fredcorp-ca-chain
+ mountPath: /etc/ssl/certs/fredcorp-ca-chain.pem
+ subPath: fredcorp-ca-chain.pem
+ readOnly: true
+ grafana.ini:
+ auth:
+ oauth_auto_login: true
+ signout_redirect_url: https://authentik.talos-genmachine.fredcorp.com/application/o/genmachine-grafana/end-session/
+ auth.generic_oauth:
+ enabled: true
+ name: Authentik
+ allow_sign_up: true
+ client_id: ${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
+ client_secret: ${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
+ scopes: openid email profile groups
+ auth_url: https://authentik.talos-genmachine.fredcorp.com/application/o/authorize/
+ token_url: https://authentik.talos-genmachine.fredcorp.com/application/o/token/
+ api_url: https://authentik.talos-genmachine.fredcorp.com/application/o/userinfo/
+ role_attribute_path: contains(groups[*], 'Grafana admins') && 'Admin' || 'Viewer'
+ tls_client_ca: /etc/ssl/certs/fredcorp-ca-chain.pem
 ingress:
 enabled: true
 annotations:
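Review bot: The `auth.generic_oauth` block runs the authorization-code flow without `use_pkce: true`; the matching authentik provider in 130-oidc-grafana.yaml is `client_type: confidential` and authentik accepts PKCE, so adding `use_pkce: true` next to `allow_sign_up: true` hardens the code exchange at no cost. The CA chain is mounted with `subPath`, and a subPath mount does not pick up a rotated `fredcorp-ca-chain` secret inside the running container; presumably the `reloader.stakater.com/auto: 'true'` annotation is there to restart the pod in that case, and a comment beside the mount saying so would keep someone from dropping the annotation later. The `${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}`/`${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}` interpolations name the very variables Grafana already applies as overrides for these keys, so they are redundant but harmless; keeping them is fine as long as that is understood.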
diff --git a/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml b/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml
new file mode 100644
index 000000000..7de0a0b89
--- /dev/null
+++ b/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: grafana-oidc
+spec:
+ refreshInterval: 12h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: admin
+ target:
+ name: grafana-oidc
+ creationPolicy: Owner
+ data:
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+ remoteRef:
+ key: prometheus/oidc/genmachine
+ property: client_id
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+ remoteRef:
+ key: prometheus/oidc/genmachine
+ property: client_secret
diff --git a/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml b/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
index 602d66676..ab8cc3da6 100644
--- a/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
+++ b/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
@@ -5,7 +5,7 @@ metadata:
 name: renovate-ixxel-devops
 namespace: renovate-operator
 spec:
- image: ghcr.io/renovatebot/renovate:43.178.0
+ image: ghcr.io/renovatebot/renovate:43.179.0
 schedule: "0 */6 * * *"
 parallelism: 1
 provider: