feat: oauth login for grafana (#219)

deployment/modules/1password/account/k8s-secrets.tf

@@ -116,3 +116,24 @@ resource "onepassword_item" "hedgedoc_oauth_secret" {
     }
   }
 }
+
+resource "random_password" "grafana_oauth_client_secret" {
+  length  = 40
+  special = false
+}
+
+resource "onepassword_item" "grafana_oauth_client_secret" {
+  vault    = data.onepassword_vault.kubernetes.uuid
+  title    = "grafana-oauth-client-secret"
+  category = "secure_note"
+
+  section {
+    label = "OAuth secret for grafana"
+
+    field {
+      label = "GRAFANA_OAUTH_CLIENT_SECRET"
+      type  = "CONCEALED"
+      value = random_password.grafana_oauth_client_secret.result
+    }
+  }
+}

kubernetes/apps/authentication/dexidp/app/helmrelease.yaml

@@ -27,6 +27,8 @@ spec:
           name: github-oauth-client
       - secretRef:
           name: hedgedoc-oauth
+      - secretRef:
+          name: grafana-oauth
     ingress:
       enabled: true
       className: nginx
@@ -97,6 +99,11 @@ spec:
           public: true
           redirectURIs:
             - "/device/callback"
+        - id: grafana
+          name: grafana
+          secretEnv: GRAFANA_OAUTH_CLIENT_SECRET
+          redirectURIs:
+            - "https://monitoring.immich.cloud/login/generic_oauth"
 
     resources:
       requests:

kubernetes/apps/authentication/dexidp/app/secrets.yaml

@@ -13,3 +13,11 @@ metadata:
   namespace: authentication
 spec:
   itemPath: "vaults/Kubernetes/items/hedgedoc-oauth"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: grafana-oauth
+  namespace: authentication
+spec:
+  itemPath: "vaults/Kubernetes/items/grafana-oauth-client-secret"

kubernetes/apps/monitoring/grafana/app/grafana.yaml

@@ -6,7 +6,15 @@ metadata:
   labels:
     dashboards: "grafana"
 spec:
-  # TODO: Oauth login
+  config:
+    auth.generic_oauth:
+        enabled: "true"
+        client_id: grafana
+        client_secret: ${GRAFANA_OAUTH_CLIENT_SECRET}
+        scopes: openid email profile groups offline_access
+        auth_url: https://auth.immich.cloud/auth
+        token_url: https://auth.immich.cloud/token
+        api_url: https://auth.immich.cloud/userinfo
   persistentVolumeClaim:
     spec:
       accessModes:

kubernetes/apps/monitoring/grafana/app/kustomization.yaml

@@ -2,6 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./secret.yaml
   - ./datasource.yaml
   - ./grafana.yaml

kubernetes/apps/monitoring/grafana/ks.yaml

@@ -1,5 +1,26 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: &app grafana-secrets
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/monitoring/grafana/secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: immich-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  dependsOn:
+    - name: cluster-apps-onepassword
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: &app grafana
   namespace: flux-system
@@ -19,3 +40,8 @@ spec:
   dependsOn:
     - name: grafana-operator
     - name: victoria-metrics
+    - name: grafana-secrets
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: grafana-oauth

kubernetes/apps/monitoring/grafana/secrets/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./oauth.yaml
+  - ./admin.yaml

kubernetes/apps/monitoring/grafana/secrets/oauth.yaml

@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: grafana-oauth
+  namespace: monitoring
+spec:
+  itemPath: "vaults/Kubernetes/items/grafana-oauth-client-secret"