authentik: add Grafana OAuth2/OIDC provider + application
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed

Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
This commit is contained in:
2026-07-06 22:06:48 +10:00
parent 00a122135e
commit 97be93a9ff
6 changed files with 98 additions and 11 deletions
+28 -4
View File
@@ -20,18 +20,42 @@ resource "authentik_provider_saml" "this" {
signing_kp = each.value.signing_kp
}
# Resolve oauth2 flows by slug and scope mappings by managed identifier, and
# read client secrets from Vault so nothing sensitive is committed.
data "authentik_flow" "oauth2_authorization" {
for_each = var.providers_oauth2
slug = each.value.authorization_flow
}
data "authentik_flow" "oauth2_invalidation" {
for_each = var.providers_oauth2
slug = each.value.invalidation_flow
}
data "authentik_property_mapping_provider_scope" "oauth2" {
for_each = { for k, v in var.providers_oauth2 : k => v if length(v.scope_mappings) > 0 }
managed_list = each.value.scope_mappings
}
data "vault_kv_secret_v2" "oauth2" {
for_each = { for k, v in var.providers_oauth2 : k => v if v.client_secret_vault != null }
mount = each.value.client_secret_vault.mount
name = each.value.client_secret_vault.path
}
resource "authentik_provider_oauth2" "this" {
for_each = var.providers_oauth2
name = each.value.name
authorization_flow = each.value.authorization_flow
invalidation_flow = each.value.invalidation_flow
authorization_flow = data.authentik_flow.oauth2_authorization[each.key].id
invalidation_flow = data.authentik_flow.oauth2_invalidation[each.key].id
client_type = each.value.client_type
client_id = each.value.client_id
client_secret = each.value.client_secret
property_mappings = each.value.property_mappings
client_secret = each.value.client_secret_vault != null ? data.vault_kv_secret_v2.oauth2[each.key].data["client_secret"] : null
property_mappings = try(data.authentik_property_mapping_provider_scope.oauth2[each.key].ids, [])
signing_key = each.value.signing_key
access_token_validity = each.value.access_token_validity
allowed_redirect_uris = each.value.redirect_uris
}
resource "authentik_provider_ldap" "this" {