feat(sso): introduced grafana OAUTH config

2025-08-15 10:01:04 +02:00 · 2025-08-15 10:01:04 +02:00 · c8d5195dc7
commit c8d5195dc7
parent b3f77644e9
1 changed files with 34 additions and 0 deletions
--- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml
@ -17,6 +17,40 @@ spec:
      resources:
        requests:
          storage: 10Gi
+  deployment:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: grafana
+              env:
+                - name: OAUTH_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      key: clientSecret
+                      name: dex-grafana-client
+  config:
+    log.console:
+      level: debug
+    server:
+      root_url: "https://{{{ .Env.DOMAIN_GRAFANA }}}"
+    auth:
+      disable_login: "true"
+      disable_login_form: "true"
+    auth.generic_oauth:
+      enabled: "true"
+      name: Forgejo
+      allow_sign_up: "true"
+      use_refresh_token: "true"
+      client_id: grafana
+      client_secret: $__env{OAUTH_CLIENT_SECRET}
+      scopes: openid email profile offline_access groups
+      auth_url: https://{{{ .Env.DOMAIN_DEX }}}/auth
+      token_url: https://{{{ .Env.DOMAIN_DEX }}}/token
+      api_url: https://{{{ .Env.DOMAIN_DEX }}}/userinfo
+      redirect_uri: https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth
+      role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'"
+      allow_assign_grafana_admin: "true"
  ingress:
    metadata:
      annotations: