authentik: add Grafana OAuth2/OIDC provider + application
Adds an OIDC provider + application so the in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik. Extends the oauth2 module so provider config stays declarative and secret-free: - Resolve authorization/invalidation flows by slug (data.authentik_flow) and scope mappings by managed identifier (data.authentik_property_mapping_provider_scope). - Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/ VAULT_TOKEN from the Makefile). - Support allowed_redirect_uris on the oauth2 provider. config/providers_oauth2/grafana.yaml wires client_id `grafana`, the openid/email/profile scopes, the login/generic_oauth redirect URI, and points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
This commit is contained in:
@@ -7,6 +7,10 @@ provider "authentik" {
|
||||
token = var.authentik_token
|
||||
}
|
||||
|
||||
# Reads client secrets seeded in Vault (kv-v2). Auth via VAULT_ADDR + VAULT_TOKEN
|
||||
# from the environment (set by the Makefile vault_env helper).
|
||||
provider "vault" {}
|
||||
|
||||
variable "authentik_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
@@ -26,6 +30,10 @@ terraform {
|
||||
source = "goauthentik/authentik"
|
||||
version = "2026.5.0"
|
||||
}
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = ">= 4.0.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
Reference in New Issue
Block a user