From 0ceb513216a978bf5e59795d645e61dca7b54375 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Fri, 7 Jul 2023 00:40:19 -0700
Subject: [PATCH] Switch Grafana to OIDC from proxy auth

---
 core/metrics/grafana.nomad | 3 ++-
 core/metrics/grafana/grafana.ini | 23 ++++++++++++++---------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/core/metrics/grafana.nomad b/core/metrics/grafana.nomad
index 7eca11b..dd41b5a 100644
--- a/core/metrics/grafana.nomad
+++ b/core/metrics/grafana.nomad
@@ -26,7 +26,7 @@ job "grafana" {
 tags = [
 "traefik.enable=true",
 "traefik.http.routers.grafana.entryPoints=websecure",
- "traefik.http.routers.grafana.middlewares=authelia@nomad",
+ # "traefik.http.routers.grafana.middlewares=authelia@nomad",
 ]
 }
 
@@ -162,6 +162,7 @@ GF_SMTP_PASSWORD={{ .smtp_password }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
 GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET={{ .oidc_secret }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
diff --git a/core/metrics/grafana/grafana.ini b/core/metrics/grafana/grafana.ini
index 8558a1f..d2f4f10 100644
--- a/core/metrics/grafana/grafana.ini
+++ b/core/metrics/grafana/grafana.ini
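Review bot: The Authelia forward-auth middleware on the Grafana router is commented out rather than removed, so the tag list now carries dead config and gives the next reader no hint why Grafana is reachable from Traefik without the proxy gate. A one-line comment in its place, e.g. `# Forward-auth removed on purpose: Grafana authenticates users itself via OIDC ([auth.generic_oauth] in grafana.ini)`, would mark this as deliberate. If the commented line is kept as a rollback path, state that in the comment instead of leaving it bare.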
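Review bot: `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` is what gives the `client_secret = from_env` placeholder in grafana.ini its real value, but nothing on either side records that dependency. A comment above the new line, such as `# Overrides the client_secret placeholder in [auth.generic_oauth] of grafana.ini`, would keep the two files in sync when one is edited. The enclosing template block starts outside the hunk, so where `.oidc_secret` is sourced from cannot be confirmed here.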
@@ -258,15 +258,20 @@ log_queries =
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
-;enabled = true
-;name = Cloudron
+enabled = true
+name = Authelia
 ;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
-;auth_url = https://foo.bar/login/oauth/authorize
-;token_url = https://foo.bar/login/oauth/access_token
-;api_url = https://foo.bar/user
+client_id = grafana
+client_secret = from_env
+scopes = openid profile email groups
+auth_url = https://authelia.thefij.rocks/api/oidc/authorization
+token_url = https://authelia.thefij.rocks/api/oidc/token
+api_url = https://authelia.thefij.rocks/api/oidc/userinfo
+login_attribute_path = preferred_username
+groups_attribute_path = groups
+name_attribute_path = name
+use_pkce = true
+
 ;team_ids =
 ;allowed_organizations =
 
@@ -282,7 +287,7 @@ log_queries =
 #################################### Auth Proxy ##########################
 [auth.proxy]
 {{ with nomadService "traefik" -}}
-enabled = true
+enabled = false
 header_name = Remote-User
 header_property = username
 auto_sign_up = true
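Review bot: `groups_attribute_path = groups` is set but no `role_attribute_path`, so the group claim from Authelia is read and then unused for authorization: every user who completes the OIDC flow lands in the org with the default role, and `allow_sign_up` is left at its commented default. With the Traefik forward-auth gate removed in grafana.nomad, the Authelia client's own authorization policy becomes the only thing limiting who can sign in. Consider mapping groups to roles, e.g. `role_attribute_path = contains(groups[*], 'admin') && 'Admin' || 'Viewer'`, and setting `allow_sign_up` explicitly to the intended value. The hard-coded `authelia.thefij.rocks` URLs could be templated the way the Traefik service lookup is elsewhere in this file, but that is a style point.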
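Review bot: With `enabled = false` here and the Authelia middleware dropped from Traefik, Grafana's own login page now faces the network directly, while the rest of `[auth.proxy]` (`header_name = Remote-User`, `auto_sign_up = true`) stays as inert config that the `{{ with nomadService "traefik" -}}` wrapper still renders. If proxy auth is not coming back, deleting the block is clearer than disabling it; otherwise a line such as `; disabled: users authenticate via [auth.generic_oauth]` explains the state. Whether `[auth.basic]` or `[auth.anonymous]` are also configured is outside this hunk, so confirm they match the intended exposure.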