Files
terraform-authentik/config/providers_oauth2/grafana.yaml
T
unkinben 97be93a9ff
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
authentik: add Grafana OAuth2/OIDC provider + application
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
2026-07-06 22:06:48 +10:00

18 lines
696 B
YAML

# OAuth2/OIDC provider + application for the in-cluster Grafana
# (grafana.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed.
name: Grafana
authorization_flow: default-provider-authorization-implicit-consent
invalidation_flow: default-provider-invalidation-flow
client_type: confidential
client_id: grafana
client_secret_vault:
mount: kv
path: kubernetes/namespace/grafana/default/oauth-credentials
scope_mappings:
- goauthentik.io/providers/oauth2/scope-openid
- goauthentik.io/providers/oauth2/scope-email
- goauthentik.io/providers/oauth2/scope-profile
redirect_uris:
- matching_mode: strict
url: https://grafana.k8s.syd1.au.unkin.net/login/generic_oauth