authentik: add Grafana OAuth2/OIDC provider #2
Reference in New Issue
Block a user
Delete Branch "benvin/grafana-oidc"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
The in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) authenticates via Authentik OIDC. This adds the provider + application.
Based on
benvin/initial-scaffold(the module isn't on main yet).Changes
data.authentik_flow) and scope mappings by managed identifier (data.authentik_property_mapping_provider_scope).client_secretfrom Vault kv-v2 (data.vault_kv_secret_v2) rather than committing it; adds thehashicorp/vaultprovider (auth viaVAULT_ADDR/VAULT_TOKENfrom the Makefile).allowed_redirect_uris.config/providers_oauth2/grafana.yaml: client_idgrafana, openid/email/profile scopes,login/generic_oauthredirect, secret atkv/kubernetes/namespace/grafana/default/oauth-credentials(already seeded).Notes / to verify in CI plan
default-provider-authorization-implicit-consentanddefault-provider-invalidation-flow— CIplanwill confirm (easy to adjust if this instance differs).tofu validatepasses locally.The module's versions.tf and the root.hcl-generated backend.tf both declared required_providers, which OpenTofu rejects ("A module may have only one required providers configuration"), so terragrunt init/plan failed. Keep them in the module's versions.tf (authentik + vault) and generate only the backend + provider blocks.