Open akunduru9 opened 4 months ago
I recently managed to deploy a GitOps-like version for Keycloak, and I hope this can help you along, and others using Keycloak.
In `values.yaml` I've added the following section under `grafana`:

```yaml
grafana.ini:
  auth.generic_oauth:
    enabled: true
    name: "Keycloak SSO"
    allow_sign_up: true
    issuer: "test"
    client_id: "grafana"
    client_secret: "$__file{/etc/secrets/grafana_keycloak_secret/client_secret}"
    scopes: "openid profile email"
    auth_url: "https://KEYCLOAK-URL/realms/YOUR_REALM/protocol/openid-connect/auth"
    token_url: "https://KEYCLOAK-URL/realms/YOUR_REALM/protocol/openid-connect/token"
    api_url: "https://KEYCLOAK-URL/realms/YOUR_REALM/protocol/openid-connect/userinfo"
    sign_out_redirect_url: "http://WHERE_TO_GO_AFTER_LOGOUT:PORT/"
    email_attribute_path: "email"
    login_attribute_path: "username"
    name_attribute_path: "full_name"
    role_attribute_path: "contains(resource_access.grafana.roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'grafana-editor') && 'Editor' || contains(resource_access.grafana.roles[*], 'viewer') && 'Viewer'"
    role_attribute_strict_mode: true
    allow_assign_grafana_admin: true
extraSecretMounts:
  - name: auth-generic-oauth-secret-mount
    secretName: grafana-keycloak-secret
    defaultMode: 0440
    mountPath: /etc/secrets/grafana_keycloak_secret
    readOnly: true
```
This stipulates a client `grafana` in Keycloak with three roles defined under it (`grafana-admin`, `admin`, `grafana-editor`, and `viewer`), and any user with at least one of these roles can log in.
Next, I created a secret that I packaged with Bitnami's sealed secrets:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: grafana-keycloak-secret
  namespace: NAMESPACE-OF-YOUR-GRAFANA-PROMETHEUS-STACK
stringData:
  client_id: "grafana"
  client_secret: "your secret password"
```
For this to work I had to change, in Keycloak, the Client Scopes `roles` > Mappers > `client roles` mapper to add those to the ID token.
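As an added example (not the commenter's code), a plain-Python dry run of the `role_attribute_path` chain above, so the role mapping and the `role_attribute_strict_mode` / `allow_assign_grafana_admin` behaviour can be checked against sample token claims without redeploying Grafana. It mirrors the JMESPath `&&`/`||` semantics directly instead of using a JMESPath library, and all claim values are constructed.

```python
from typing import Optional, Tuple

# Precedence encoded by the && / || chain in role_attribute_path:
# `a && b` yields b when a is truthy, `x || y` yields the first truthy value,
# so the first Keycloak role found in this order wins.
ROLE_CHAIN = [
    ("grafana-admin", "GrafanaAdmin"),
    ("admin", "Admin"),
    ("grafana-editor", "Editor"),
    ("viewer", "Viewer"),
]

def client_roles(claims: dict, client_id: str = "grafana") -> list:
    """resource_access.<client>.roles[*]; empty when the client-roles mapper
    did not put the claim into the ID token."""
    return claims.get("resource_access", {}).get(client_id, {}).get("roles") or []

def evaluate_role_attribute_path(claims: dict) -> Optional[str]:
    """What the JMESPath expression evaluates to; None when no contains()
    matches, which leaves Grafana with no role for the user."""
    roles = client_roles(claims)
    for keycloak_role, grafana_role in ROLE_CHAIN:
        if keycloak_role in roles:
            return grafana_role
    return None

def resolve_login(claims: dict, strict_mode: bool = True,
                  allow_assign_grafana_admin: bool = True) -> Tuple[bool, Optional[str], bool]:
    """(login_allowed, org_role, server_admin) as Grafana decides it.
    strict_mode (role_attribute_strict_mode) denies login when no role maps;
    otherwise Grafana falls back to auto_assign_org_role. 'GrafanaAdmin' means
    org Admin plus server admin only if allow_assign_grafana_admin is set."""
    mapped = evaluate_role_attribute_path(claims)
    if mapped is None:
        return (not strict_mode, None, False)
    if mapped == "GrafanaAdmin":
        return (True, "Admin", allow_assign_grafana_admin)
    return (True, mapped, False)

if __name__ == "__main__":
    # Constructed sample ID-token claims, not real tokens.
    editor = {"preferred_username": "alice",
              "resource_access": {"grafana": {"roles": ["viewer", "grafana-editor"]}}}
    no_mapper = {"preferred_username": "bob"}  # mapper missing: no resource_access claim
    print(resolve_login(editor))     # (True, 'Editor', False)
    print(resolve_login(no_mapper))  # (False, None, False)
```

The second case is the one the commenter hit before changing the `client roles` mapper: without `resource_access` in the ID token, strict mode denies every login.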
Is your feature request related to a problem?
Hey Team,
I am trying to set up Okta SSO authentication for Grafana using GitOps. Do you have any reference on how we should enable Grafana to use SSO in any Helm file? I just wanted to see what the best way to implement SSO is.
Thanks!
Describe the solution you'd like.
I would like to know the correct way to enable SSO for Grafana.
Describe alternatives you've considered.
This is how I have set it up now in my GitOps. What else should be done to enable SSO for Grafana?

```yaml
apiVersion: builtin
kind: PatchTransformer
metadata:
  name: enable-oidc
patch: |-
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: grafana-sso-cm
  data:
    oidc.config: |
      [auth.generic_oauth]
      name = Okta
      enabled = true
      allow_sign_up = true
      issuer = "test"
      client_id = $grafana-sso-secrets:clientID
      client_secret = $grafana-sso-secrets:clientSecret
      scopes = openid profile email
      auth_url = https://test/oauth2/v1/authorize
      token_url = https://test/oauth2/v1/token
      api_url = https://test/oauth2/v1/userinfo
target:
  kind: ConfigMap
  name: grafana-sso-cm
```
Additional context.
No response