OIDC

kubernetes/monitoring/grafana/deployment.yaml

@@ -19,6 +19,35 @@ spec:
         image: grafana/grafana
         ports:
         - containerPort: 3000
+        env:
+          - name: GF_AUTH_GENERIC_OAUTH_ENABLED
+            value: "true"
+          - name: GF_AUTH_GENERIC_OAUTH_NAME
+            value: "authentk"
+          - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                key: client-id
+                name: grafana-oidc-secret
+          - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                key: client-secret
+                name: grafana-oidc-secret
+          - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+            value: "openid profile email"
+          - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+            value: "https://auth.dontddos.me/application/o/authorize/"
+          - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+            value: "https://auth.dontddos.me/application/o/token/"
+          - name: GF_AUTH_GENERIC_OAUTH_API_URL
+            value: "https://auth.dontddos.me/application/o/userinfo/"
+          - name: GF_AUTH_SIGNOUT_REDIRECT_URL
+            value: "https://auth.dontddos.me/application/o/grafana/end-session/"
+          - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
+            value: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+          - name: GF_SERVER_ROOT_URL
+            value: "https://grafana.local.dontddos.me"
         volumeMounts:
         - name: grafana-storage
           mountPath: /var/lib/grafana