Closed DebakelOrakel closed 2 years ago
Grafana has built in oauth2 capabilities including role mapping.
For the grafana.ini
(copied from infra.yml INTERNAL)
```yaml
auth.generic_oauth:
  name: Example Keycloak
  enabled: true
  allow_sign_up: true
  auth_url: https://id.example.net/auth/realms/example-realm/protocol/openid-connect/auth
  token_url: https://id.example.net/auth/realms/example-realm/protocol/openid-connect/token
  api_url: https://id.example.net/auth/realms/example-realm/protocol/openid-connect/userinfo
  client_id: example
  client_secret: "?{vaultkv:${cluster:tenant}/${cluster:name}/example-grafana/client_secret}"
  scopes: profile
  role_attribute_strict: true
  role_attribute_path: "roles[?contains(@, 'admin')] && 'Admin' || roles[?contains(@, 'editor')] && 'Editor' || roles[?contains(@, 'viewer')] && 'Viewer' || 'Deny'"
```
Needs to be mapped to the jsonnet/commodore way.
Context
I would like to expose grafana. I would like to secure access to grafana by oauth2.
Alternatives
Deploy a grafana helm chart.
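Added example (not from the issue author or the component): a small Python model of how the `role_attribute_path` expression above resolves against sample userinfo claims, reproducing the JMESPath semantics of the filter projection, `&&` and `||` without the `jmespath` package. The sample claims are constructed; the non-strict fallback to Viewer is an assumption standing in for Grafana's `auto_assign_org_role` default.

```python
"""Model of the Grafana role_attribute_path mapping from the issue:
roles[?contains(@, 'admin')] && 'Admin' || ... || 'Deny'
Shows which claim shapes map to which Grafana role and what
role_attribute_strict does with the 'Deny' fallback."""

# Ordered (substring, Grafana role) pairs, mirroring the expression's clauses.
ROLE_MAPPING = [("admin", "Admin"), ("editor", "Editor"), ("viewer", "Viewer")]
FALLBACK = "Deny"  # not a Grafana role: with role_attribute_strict the login is rejected
GRAFANA_ROLES = ("Admin", "Editor", "Viewer")


def jmespath_truthy(value):
    """JMESPath truthiness: null, false and empty string/list/object are false."""
    return value not in (None, False, "", [], {})


def filter_contains(roles, needle):
    """`roles[?contains(@, needle)]`: substring filter over a list of strings.
    A missing or non-list claim projects to null, which is falsy."""
    if not isinstance(roles, list):
        return None
    return [r for r in roles if isinstance(r, str) and needle in r]


def map_role(claims):
    """Resolve the chained `A && 'X' || B && 'Y' || ... || 'Deny'` expression.
    `&&` yields the right side only if the left is truthy; `||` takes the first
    truthy operand, so the first matching clause wins regardless of claim order."""
    roles = claims.get("roles")
    for needle, grafana_role in ROLE_MAPPING:
        if jmespath_truthy(filter_contains(roles, needle)):
            return grafana_role
    return FALLBACK


def login_decision(claims, strict=True):
    """role_attribute_strict=true: any result that is not a Grafana role denies login.
    Non-strict: Grafana falls back to auto_assign_org_role (assumed Viewer here)."""
    role = map_role(claims)
    if role in GRAFANA_ROLES:
        return ("allow", role)
    return ("deny", role) if strict else ("allow", "Viewer")


if __name__ == "__main__":
    # Constructed sample claims; note that contains() is a substring match,
    # so a role named e.g. "superadmin" also maps to Admin.
    for sample in ({"roles": ["viewer", "admin"]}, {"roles": ["superadmin"]},
                   {"roles": ["grafana-viewer"]}, {"roles": []}, {}, {"roles": "admin"}):
        print(sample, "->", login_decision(sample))
```

Because `contains()` is a substring match, review the exact Keycloak role names that reach the `roles` claim before relying on this mapping; a role like `superadmin` or `admin-readonly` would be granted Admin.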