authentik: add Grafana OAuth2/OIDC provider + application
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed

Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
This commit is contained in:
2026-07-06 22:06:48 +10:00
parent 00a122135e
commit 97be93a9ff
6 changed files with 98 additions and 11 deletions
+8
View File
@@ -7,6 +7,10 @@ provider "authentik" {
token = var.authentik_token
}
# Reads client secrets seeded in Vault (kv-v2). Auth via VAULT_ADDR + VAULT_TOKEN
# from the environment (set by the Makefile vault_env helper).
provider "vault" {}
variable "authentik_token" {
type = string
sensitive = true
@@ -26,6 +30,10 @@ terraform {
source = "goauthentik/authentik"
version = "2026.5.0"
}
vault = {
source = "hashicorp/vault"
version = ">= 4.0.0"
}
}
}
EOF