authentik: add Grafana OAuth2/OIDC provider + application
Adds an OIDC provider + application so the in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik. Extends the oauth2 module so provider config stays declarative and secret-free: - Resolve authorization/invalidation flows by slug (data.authentik_flow) and scope mappings by managed identifier (data.authentik_property_mapping_provider_scope). - Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/ VAULT_TOKEN from the Makefile). - Support allowed_redirect_uris on the oauth2 provider. config/providers_oauth2/grafana.yaml wires client_id `grafana`, the openid/email/profile scopes, the login/generic_oauth redirect URI, and points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
This commit is contained in:
@@ -20,18 +20,42 @@ resource "authentik_provider_saml" "this" {
|
||||
signing_kp = each.value.signing_kp
|
||||
}
|
||||
|
||||
# Resolve oauth2 flows by slug and scope mappings by managed identifier, and
|
||||
# read client secrets from Vault so nothing sensitive is committed.
|
||||
data "authentik_flow" "oauth2_authorization" {
|
||||
for_each = var.providers_oauth2
|
||||
slug = each.value.authorization_flow
|
||||
}
|
||||
|
||||
data "authentik_flow" "oauth2_invalidation" {
|
||||
for_each = var.providers_oauth2
|
||||
slug = each.value.invalidation_flow
|
||||
}
|
||||
|
||||
data "authentik_property_mapping_provider_scope" "oauth2" {
|
||||
for_each = { for k, v in var.providers_oauth2 : k => v if length(v.scope_mappings) > 0 }
|
||||
managed_list = each.value.scope_mappings
|
||||
}
|
||||
|
||||
data "vault_kv_secret_v2" "oauth2" {
|
||||
for_each = { for k, v in var.providers_oauth2 : k => v if v.client_secret_vault != null }
|
||||
mount = each.value.client_secret_vault.mount
|
||||
name = each.value.client_secret_vault.path
|
||||
}
|
||||
|
||||
resource "authentik_provider_oauth2" "this" {
|
||||
for_each = var.providers_oauth2
|
||||
|
||||
name = each.value.name
|
||||
authorization_flow = each.value.authorization_flow
|
||||
invalidation_flow = each.value.invalidation_flow
|
||||
authorization_flow = data.authentik_flow.oauth2_authorization[each.key].id
|
||||
invalidation_flow = data.authentik_flow.oauth2_invalidation[each.key].id
|
||||
client_type = each.value.client_type
|
||||
client_id = each.value.client_id
|
||||
client_secret = each.value.client_secret
|
||||
property_mappings = each.value.property_mappings
|
||||
client_secret = each.value.client_secret_vault != null ? data.vault_kv_secret_v2.oauth2[each.key].data["client_secret"] : null
|
||||
property_mappings = try(data.authentik_property_mapping_provider_scope.oauth2[each.key].ids, [])
|
||||
signing_key = each.value.signing_key
|
||||
access_token_validity = each.value.access_token_validity
|
||||
allowed_redirect_uris = each.value.redirect_uris
|
||||
}
|
||||
|
||||
resource "authentik_provider_ldap" "this" {
|
||||
|
||||
Reference in New Issue
Block a user