authentik: add Grafana OAuth2/OIDC provider #2

Merged
benvin merged 7 commits from benvin/grafana-oidc into benvin/initial-scaffold 2026-07-06 23:50:14 +10:00
Owner

Why

The in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) authenticates via Authentik OIDC. This adds the provider + application.

Based on benvin/initial-scaffold (the module isn't on main yet).

Changes

  • Extend the oauth2 module to stay declarative + secret-free:
    • Resolve authorization/invalidation flows by slug (data.authentik_flow) and scope mappings by managed identifier (data.authentik_property_mapping_provider_scope).
    • Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) rather than committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/VAULT_TOKEN from the Makefile).
    • Support allowed_redirect_uris.
  • config/providers_oauth2/grafana.yaml: client_id grafana, openid/email/profile scopes, login/generic_oauth redirect, secret at kv/kubernetes/namespace/grafana/default/oauth-credentials (already seeded).

Notes / to verify in CI plan

  • Assumes the default Authentik flow slugs default-provider-authorization-implicit-consent and default-provider-invalidation-flow — CI plan will confirm (easy to adjust if this instance differs).
  • tofu validate passes locally.
## Why The in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) authenticates via Authentik OIDC. This adds the provider + application. Based on `benvin/initial-scaffold` (the module isn't on main yet). ## Changes - Extend the oauth2 module to stay declarative + secret-free: - Resolve authorization/invalidation **flows by slug** (`data.authentik_flow`) and **scope mappings by managed identifier** (`data.authentik_property_mapping_provider_scope`). - Read `client_secret` from **Vault kv-v2** (`data.vault_kv_secret_v2`) rather than committing it; adds the `hashicorp/vault` provider (auth via `VAULT_ADDR`/`VAULT_TOKEN` from the Makefile). - Support `allowed_redirect_uris`. - `config/providers_oauth2/grafana.yaml`: client_id `grafana`, openid/email/profile scopes, `login/generic_oauth` redirect, secret at `kv/kubernetes/namespace/grafana/default/oauth-credentials` (already seeded). ## Notes / to verify in CI plan - Assumes the default Authentik flow slugs `default-provider-authorization-implicit-consent` and `default-provider-invalidation-flow` — CI `plan` will confirm (easy to adjust if this instance differs). - `tofu validate` passes locally.
unkinben added 1 commit 2026-07-06 22:07:01 +10:00
authentik: add Grafana OAuth2/OIDC provider + application
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
97be93a9ff
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
unkinben added 1 commit 2026-07-06 23:08:04 +10:00
ci: re-run plan after terraform-vault kv policy applied
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
3d7131032f
unkinben added 1 commit 2026-07-06 23:12:44 +10:00
fix: drop duplicate required_providers from generated backend.tf
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
d1aef45d1d
The module's versions.tf and the root.hcl-generated backend.tf both
declared required_providers, which OpenTofu rejects ("A module may have
only one required providers configuration"), so terragrunt init/plan
failed. Keep them in the module's versions.tf (authentik + vault) and
generate only the backend + provider blocks.
unkinben added 1 commit 2026-07-06 23:17:38 +10:00
ci: re-run plan on fixed head (duplicate required_providers resolved)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
41cc0fce8b
unkinben added 1 commit 2026-07-06 23:32:23 +10:00
makefile: source TF_VAR_authentik_token from vault (kv/service/terraform/authentik)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
d96d36a079
The authentik provider needs a token but nothing supplied it, so plan
failed with 'No value for required variable authentik_token'. Source it
from Vault in vault_env like the consul creds, from the dedicated
terraform-service path kv/service/terraform/authentik (field: token),
overridable via AUTHENTIK_TOKEN_KV_* vars.
unkinben added 1 commit 2026-07-06 23:43:17 +10:00
fix: skip_child_token on vault provider
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
93742883a5
The CI VAULT_TOKEN (short-lived k8s-auth role token) can't create child
tokens, so the vault provider failed with 'failed to create limited child
token: permission denied'. Use the token directly.
unkinben added 1 commit 2026-07-06 23:44:06 +10:00
ci: re-run after vault #82 applied (token + oauth read policy live)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
0b1b67fbd5
benvin merged commit 11a25fdca0 into benvin/initial-scaffold 2026-07-06 23:50:14 +10:00
benvin deleted branch benvin/grafana-oidc 2026-07-06 23:50:14 +10:00
Sign in to join this conversation.