wrenix/flux-charts
1
0
Fork 0
Code Issues 14 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix(infra-monitoring): Improve secret handling for grafana

Browse source
This commit is contained in:
WrenIX 2024-01-27 13:00:50 +01:00
parent 706d2ca181
commit bbea21c468
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
2 changed files with 18 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
infra-monitoring/templates/kube-prometheus-stack/release.yaml
View file

@ -173,15 +173,20 @@ spec:
auth.generic_oauth: auth.generic_oauth:
name: authentik name: authentik
enabled: true enabled: true
client_id: {{ .Values.grafana.auth.authentik.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientID") | quote }} client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | quote }} client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
scopes: openid email profile scopes: openid email profile
auth_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/authorize/ auth_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/authorize/
token_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/token/ token_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/token/
api_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/userinfo/ api_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/userinfo/
role_attribute_path: "contains(groups[*], 'app: grafana - admin') && 'Admin' || contains(groups[*], 'app: grafana - editor') && 'Editor' || 'Viewer'" role_attribute_path: "contains(groups[*], 'app: grafana - admin') && 'Admin' || contains(groups[*], 'app: grafana - editor') && 'Editor' || 'Viewer'"
{{- end }} {{- end }}
extraSecretMounts:
- name: auth-generic-oauth-secret-mount
secretName: monitoring-grafana-auth-generic-oauth
defaultMode: 0440
mountPath: /etc/secrets/auth_generic_oauth
readOnly: true
testFramework: testFramework:
enabled: false enabled: false
sidecar: sidecar:

10
infra-monitoring/templates/kube-prometheus-stack/secret-grafana_auth_generic_oauth.yaml Normal file
View file

@ -0,0 +1,10 @@
{{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
---
apiVersion: v1
kind: Secret
metadata:
name: monitoring-grafana-auth-generic-oauth
data:
client_id: {{ .Values.grafana.auth.authentik.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientID") | b64enc }}
client_secret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | b64enc }}
{{- end }}