argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Add GCP SA to grafana notifications to support IAP #16491

Open NissesSenap opened 10 months ago

NissesSenap commented 10 months ago

Summary

Currently, it's possible to send annotations to the Grafana API using notifications. https://argocd-notifications.readthedocs.io/en/stable/services/grafana/ My issue is that my Grafana instance is behind GCP IAP.

What change you think needs making.

Motivation

If you are hosting your own Grafana instance, there is no reason why it should be public on the internet. Most GCP users should have the Grafana instance behind IAP, and doing so will make it impossible to use the Grafana annotation feature.

Proposal

Add support to define a https://cloud.google.com/iap/docs/authentication-howto#obtaining_an_oidc_token_for_the_default_service_account

Add another field to the notification settings of service.grafana

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
data:
  service.grafana: |
    apiUrl: https://grafana.example.com/api
    apiKey: $grafana-api-key
    gcpSAKey: $gcp-sa-key
---
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
stringData:
  grafana-api-key: api-key
  # key name must match the $gcp-sa-key reference above
  gcp-sa-key: superSecretGeneratedKey
```

torfjor commented 9 months ago

Since this is just plain ol' HTTP, can you leverage a sidecar container to the notifications controller that mints an ID token and forwards the requests to your IAP-protected resource?

If you're on GKE, you can probably get away with calling out to the metadata server to get a signed ID token with the correct audience claim. See this guide for details.
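
The sidecar described above, worked through as an added example that is not Argo CD's code nor the commenters': a small Go reverse proxy that mints a Google-signed ID token from the GKE metadata server for the IAP client ID and forwards the controller's plain-HTTP request to Grafana with it. The metadata endpoint is the documented one; using the Proxy-Authorization header (so that Grafana's own `Authorization: Bearer <apiKey>` header survives the hop) is an assumption to confirm against the IAP docs for your setup.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

type tokenKey struct{}
// fetchIDToken returns a Google-signed OIDC ID token with aud = the IAP OAuth client ID.
// On GKE, base is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity
func fetchIDToken(base, audience string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, base+"?audience="+url.QueryEscape(audience), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google") // the metadata server refuses requests without it
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server: %s (%v)", resp.Status, err)
	}
	return string(body), nil
}

// newIAPProxy forwards each request to upstream with a fresh ID token in header.
// Proxy-Authorization (assumed) leaves Grafana's own "Authorization: Bearer <apiKey>" intact;
// it is hop-by-hop and ReverseProxy strips those after Director, so attach it in Rewrite (Go 1.20+).
func newIAPProxy(upstream *url.URL, header string, token func() (string, error)) http.Handler {
	rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(upstream) // rewrites scheme, host, path and the Host header
		pr.Out.Header.Set(header, "Bearer "+pr.In.Context().Value(tokenKey{}).(string))
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		t, err := token()
		if err != nil { // fail closed: never forward to IAP without a token
			http.Error(w, "could not mint IAP ID token: "+err.Error(), http.StatusBadGateway)
			return
		}
		rp.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, t)))
	})
}
```

Serve the handler on a loopback port in the same pod, point `apiUrl` at it (for example `http://127.0.0.1:8080/api`) and keep `apiKey` unchanged; the pod's service account must be the one granted access in the IAP policy.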

NissesSenap commented 9 months ago

Sure, it's not very user-friendly but it would work.