From 527bacb8914322a2f85f39a3e473a5f5fd16fe81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20SPIERS?=
Date: Thu, 14 May 2026 08:20:04 +0200
Subject: [PATCH 1/2] feat(grafana): configure SSO OIDC with Authentik (#1760)
* feat(authentik): add Grafana OIDC blueprint for genmachine
* feat(authentik): add Grafana admins group
* feat(authentik): add groups scope mapping for Grafana OIDC
* feat(authentik): register Grafana OIDC blueprint in kustomization
* feat(prometheus): add ExternalSecret for Grafana OIDC credentials
* feat(prometheus): configure Grafana OIDC with Authentik SSO
* fix(authentik): remove redundant groups mapping, use Authentik built-in
* fix(authentik): use built-in groups mapping in Grafana OIDC blueprint
---
.../genmachine/blueprints/030-groups.yaml | 6 +++
.../blueprints/130-oidc-grafana.yaml | 44 +++++++++++++++++++
.../genmachine/blueprints/kustomization.yaml | 1 +
.../genmachine/genmachine-values.yaml | 31 +++++++++++++
.../externalsecret-grafana-oidc.yaml | 22 ++++++++++
5 files changed, 104 insertions(+)
create mode 100644 gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml
create mode 100644 gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml
diff --git a/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml b/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
index 00a5ac4cb..8b506f62a 100644
--- a/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
+++ b/gitops/manifests/authentik/genmachine/blueprints/030-groups.yaml
@@ -50,6 +50,12 @@ entries:
 attrs:
 users:
 - !Find [authentik_core.user, [username, ixxel]]
+ - model: authentik_core.group
+ identifiers:
+ name: Grafana admins
+ attrs:
+ users:
+ - !Find [authentik_core.user, [username, ixxel]]
 - model: authentik_core.group
 identifiers:
 name: sa-homarr
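Review bot: The new `Grafana admins` group is matched by literal name in Grafana's `role_attribute_path` (`contains(groups[*], 'Grafana admins')` in the genmachine-values.yaml hunk), so renaming the group here would silently demote every admin to Viewer instead of failing loudly. A comment above the entry, `# Name is referenced verbatim by role_attribute_path in prometheus/genmachine/genmachine-values.yaml; keep both in sync`, would record that coupling for the next editor. The membership is a single user, which is reasonable for a break-glass admin group, but the same comment could state that intent. The `entries:` list continues outside the hunk.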
diff --git a/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml
new file mode 100644
index 000000000..4ee4cd5bf
--- /dev/null
+++ b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-grafana.yaml
@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+# yamllint disable
+---
+version: 1
+metadata:
+ name: genmachine-grafana
+entries:
+ - id: provider
+ model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: genmachine-grafana
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+ client_type: confidential
+ redirect_uris:
+ - url: https://grafana.talos-genmachine.fredcorp.com/login/generic_oauth
+ matching_mode: strict
+
+ access_code_validity: minutes=1
+ access_token_validity: hours=1
+ refresh_token_validity: hours=2
+
+ sub_mode: hashed_user_id
+ property_mappings:
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'openid'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'profile'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'email'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'groups'"]]
+
+ - id: application
+ model: authentik_core.application
+ state: present
+ identifiers:
+ name: genmachine-grafana
+ attrs:
+ name: genmachine-grafana
+ group: Monitoring
+ meta_description: Grafana
+ provider: !Find [authentik_providers_oauth2.oauth2provider, [name, genmachine-grafana]]
+ policy_engine_mode: any
+ slug: genmachine-grafana
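Review bot: The application entry sets `policy_engine_mode: any` but the blueprint binds no policy to it, and the Grafana side of this commit sets `allow_sign_up: true`, so as far as these files show every authenticated Authentik user can complete the login and is auto-provisioned as a Grafana Viewer. If Grafana is meant to be restricted to a subset of users, add an `authentik_policies.policybinding` entry targeting this application (or confirm such a binding is created by another blueprint) and record that decision in a comment on the `application` entry. The provider itself is otherwise tight: `client_type: confidential`, a single strict-match redirect URI and short code/token lifetimes, which is worth keeping if the provider is later edited by hand.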
diff --git a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
index 4a50196ff..f3e9f4bf9 100644
--- a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
+++ b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
@@ -12,6 +12,7 @@ configMapGenerator:
 - ./060-oidc-vault.yaml
 - ./050-oidc-homarr.yaml
 - ./070-oidc-wireguard.yaml
+ - ./130-oidc-grafana.yaml
 - ./100-proxy-traefik.yaml
 - ./090-proxy-adguard.yaml
 - ./030-groups.yaml
diff --git a/gitops/manifests/prometheus/genmachine/genmachine-values.yaml b/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
index 1eb336ca3..b36ce9e37 100644
--- a/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/prometheus/genmachine/genmachine-values.yaml
@@ -46,6 +46,37 @@ kube-prometheus-stack:
 repository: grafana/grafana
 tag: '12.4.3'
 pullPolicy: IfNotPresent
+ podAnnotations:
+ reloader.stakater.com/auto: 'true'
+ envFrom:
+ - secretRef:
+ name: grafana-oidc
+ extraVolumes:
+ - name: fredcorp-ca-chain
+ secret:
+ defaultMode: 420
+ secretName: fredcorp-ca-chain
+ extraVolumeMounts:
+ - name: fredcorp-ca-chain
+ mountPath: /etc/ssl/certs/fredcorp-ca-chain.pem
+ subPath: fredcorp-ca-chain.pem
+ readOnly: true
+ grafana.ini:
+ auth:
+ oauth_auto_login: true
+ signout_redirect_url: https://authentik.talos-genmachine.fredcorp.com/application/o/genmachine-grafana/end-session/
+ auth.generic_oauth:
+ enabled: true
+ name: Authentik
+ allow_sign_up: true
+ client_id: ${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
+ client_secret: ${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
+ scopes: openid email profile groups
+ auth_url: https://authentik.talos-genmachine.fredcorp.com/application/o/authorize/
+ token_url: https://authentik.talos-genmachine.fredcorp.com/application/o/token/
+ api_url: https://authentik.talos-genmachine.fredcorp.com/application/o/userinfo/
+ role_attribute_path: contains(groups[*], 'Grafana admins') && 'Admin' || 'Viewer'
+ tls_client_ca: /etc/ssl/certs/fredcorp-ca-chain.pem
 ingress:
 enabled: true
 annotations:
diff --git a/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml b/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml
new file mode 100644
index 000000000..7de0a0b89
--- /dev/null
+++ b/gitops/manifests/prometheus/genmachine/templates/externalsecret-grafana-oidc.yaml
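Review bot: `client_id: ${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}` and `client_secret: ${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}` duplicate what the `envFrom` secret already does: Grafana applies environment variables named `GF_<SECTION>_<KEY>` as overrides of the matching ini key, so with those two variables injected the `[auth.generic_oauth]` values are set whether or not the `${…}` lines exist, and the two lines can be dropped to keep secret handling in one place. Separately, `role_attribute_path` always falls through to `'Viewer'` and `allow_sign_up: true` creates an account for every user Authentik lets through, so the effective access gate is the Authentik application policy rather than anything in this block; a comment next to `allow_sign_up`, `# every user Authentik authorizes for the app is auto-created as Viewer; restrict access in the Authentik application policy, not here`, would make that explicit. The `grafana:` block starts and ends outside the hunk.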
@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: grafana-oidc
+spec:
+ refreshInterval: 12h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: admin
+ target:
+ name: grafana-oidc
+ creationPolicy: Owner
+ data:
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+ remoteRef:
+ key: prometheus/oidc/genmachine
+ property: client_id
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+ remoteRef:
+ key: prometheus/oidc/genmachine
+ property: client_secret
From 7be3ab06bd452036bcbdddf55dda2a3725a9495d Mon Sep 17 00:00:00 2001
From: "ixxel-bot[bot]" <200609713+ixxel-bot[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 06:33:30 +0000
Subject: [PATCH 2/2] =?UTF-8?q?feat(container):=20update=20image=20ghcr.io?= =?UTF-8?q?/renovatebot/renovate=20(43.178.0=20=E2=86=92=2043.179.0)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
| datasource | package | from | to |
| ---------- | ---------------------------- | -------- | -------- |
| docker | ghcr.io/renovatebot/renovate | 43.178.0 | 43.179.0 |
Co-authored-by: renovate[bot]
---
.../renovate-operator/genmachine/templates/renovatejob.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml b/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
index 602d66676..ab8cc3da6 100644
--- a/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
+++ b/gitops/manifests/renovate-operator/genmachine/templates/renovatejob.yaml
@@ -5,7 +5,7 @@ metadata:
 name: renovate-ixxel-devops
 namespace: renovate-operator
 spec:
- image: ghcr.io/renovatebot/renovate:43.178.0
+ image: ghcr.io/renovatebot/renovate:43.179.0
 schedule: "0 */6 * * *"
 parallelism: 1
 provider:
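Review bot: Nothing in this commit writes `client_id`/`client_secret` to `prometheus/oidc/genmachine`: the Authentik blueprint sets neither attribute on the provider, so Authentik generates both, and someone has to copy them into the store by hand before this ExternalSecret can sync. Until that happens the `grafana-oidc` Secret does not exist and the Grafana pod, which references it via `envFrom` without `optional`, will not start, so the ordering deserves a comment on the `data:` list, e.g. `# Values are generated by Authentik for provider "genmachine-grafana" (blueprint 130-oidc-grafana.yaml) and must be copied into the store manually; Grafana will not start until they are present`. With `refreshInterval: 12h`, a rotated client secret also takes up to 12 hours to reach the cluster, which is worth stating if rotation is expected to be routine.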