Open NissesSenap opened 10 months ago
Since this is just plain ol' HTTP, can you leverage a sidecar container to the notifications controller that mints an ID token and forwards the requests to your IAP-protected resource?
If you're on GKE, you can probably get away with calling out to the metadata server to get a signed ID token with the correct audience claim. See this guide for details.
Sure, it's not very user-friendly but it would work.
Summary
Currently, it's possible to send annotations to the Grafana API using notifications. https://argocd-notifications.readthedocs.io/en/stable/services/grafana/ My issue is that my Grafana instance is behind GCP IAP.
Motivation
If you are hosting your own Grafana instance, there is no reason why it should be public on the internet. Most GCP users should have their Grafana instance behind IAP, and doing so makes it impossible to use the Grafana annotation feature.
Proposal
Add support to define a https://cloud.google.com/iap/docs/authentication-howto#obtaining_an_oidc_token_for_the_default_service_account
Add another field to the notification settings of `service.grafana`.
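To make the sidecar suggested in the comment above concrete, here is an added example of such a sidecar, written for this page and not part of Argo CD or of the proposal: it requests an ID token from the GKE metadata server with the IAP client ID as the `audience` (the mechanism the proposal's linked IAP guide describes), caches it until shortly before its `exp` claim, and forwards each request from the notifications controller to the IAP-protected Grafana. The token goes in `Proxy-Authorization` rather than `Authorization`, because IAP accepts it there too and the controller already uses `Authorization` for the Grafana API key; note that Go's `httputil.ReverseProxy` strips `Proxy-Authorization` as a hop-by-hop header, so it is added in the `Rewrite` hook (Go 1.20+), which runs after that stripping. The env var names `IAP_AUDIENCE` and `UPSTREAM_URL`, the listen port and the `DefaultMetadataURL` constant are this example's assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
	"sync"
	"time"
)

// GKE/GCE metadata endpoint that returns a Google-signed OIDC ID token for the default service account.
const DefaultMetadataURL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity"

// IDTokenSource mints an ID token for one audience (the IAP OAuth client ID) and caches it.
type IDTokenSource struct {
	MetadataURL, Audience string
	mu                    sync.Mutex
	token                 string
	exp                   time.Time
}

// TokenExpiry reads exp from a JWT without verifying it: the sidecar only schedules refreshes, IAP verifies.
func TokenExpiry(tok string) (time.Time, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return time.Time{}, fmt.Errorf("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, fmt.Errorf("JWT payload has no usable exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// Token returns the cached token, or fetches a fresh one a minute before the cached one expires.
func (s *IDTokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && time.Now().Before(s.exp.Add(-time.Minute)) {
		return s.token, nil
	}
	// audience must be the IAP client ID; IAP rejects a token whose aud is anything else.
	req, err := http.NewRequest(http.MethodGet, s.MetadataURL+"?audience="+url.QueryEscape(s.Audience), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google") // the metadata server refuses requests without this header
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	tok := strings.TrimSpace(string(body))
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned %d: %s", resp.StatusCode, tok)
	}
	exp, err := TokenExpiry(tok)
	if err != nil {
		return "", err
	}
	s.token, s.exp = tok, exp
	return tok, nil
}

// NewIAPProxy forwards every request to upstream with the ID token in Proxy-Authorization, which IAP
// accepts alongside Authorization and which leaves Authorization free for Grafana's own API key.
func NewIAPProxy(upstream *url.URL, src *IDTokenSource) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := src.Token()
		if err != nil {
			http.Error(w, "cannot obtain ID token: "+err.Error(), http.StatusBadGateway)
			return
		}
		rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream) // scheme, host, path prefix and outbound Host header (Go 1.20+)
			// Hop-by-hop headers (Proxy-Authorization included) are already stripped here, so this one survives.
			pr.Out.Header.Set("Proxy-Authorization", "Bearer "+tok)
		}}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed env vars for this example: IAP_AUDIENCE (the IAP OAuth client ID) and UPSTREAM_URL (the IAP-protected Grafana URL).
	upstream, err := url.Parse(os.Getenv("UPSTREAM_URL"))
	if err != nil || upstream.Host == "" || os.Getenv("IAP_AUDIENCE") == "" {
		log.Fatal("set IAP_AUDIENCE and UPSTREAM_URL")
	}
	src := &IDTokenSource{MetadataURL: DefaultMetadataURL, Audience: os.Getenv("IAP_AUDIENCE")}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewIAPProxy(upstream, src))) // loopback only: other pods must not borrow this identity
}
```

With the sidecar in the same pod as the notifications controller, `service.grafana`'s `apiUrl` points at `http://127.0.0.1:8080` while `apiKey` stays as it is. Binding to loopback matters: a sidecar listening on the pod IP would let any workload that can reach it make IAP-authenticated requests as this service account. The metadata server only issues a token for the service account the node or Workload Identity binding exposes, so that account is what has to be granted the IAP-secured Web App User role on the Grafana backend.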