diff --git a/deployment/modules/1password/account/k8s-secrets.tf b/deployment/modules/1password/account/k8s-secrets.tf
index 6bc3b727..0c89ab62 100644
--- a/deployment/modules/1password/account/k8s-secrets.tf
+++ b/deployment/modules/1password/account/k8s-secrets.tf
@@ -116,3 +116,24 @@ resource "onepassword_item" "hedgedoc_oauth_secret" {
     }
   }
 }
+
+resource "random_password" "grafana_oauth_client_secret" {
+  length  = 40
+  special = false
+}
+
+resource "onepassword_item" "grafana_oauth_client_secret" {
+  vault    = data.onepassword_vault.kubernetes.uuid
+  title    = "grafana-oauth-client-secret"
+  category = "secure_note"
+
+  section {
+    label = "OAuth secret for grafana"
+
+    field {
+      label = "GRAFANA_OAUTH_CLIENT_SECRET"
+      type  = "CONCEALED"
+      value = random_password.grafana_oauth_client_secret.result
+    }
+  }
+}
diff --git a/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml b/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
index 4c3b7eca..54d726cc 100644
--- a/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
+++ b/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
@@ -27,6 +27,8 @@ spec:
           name: github-oauth-client
       - secretRef:
           name: hedgedoc-oauth
+      - secretRef:
+          name: grafana-oauth
     ingress:
       enabled: true
       className: nginx
@@ -97,6 +99,11 @@ spec:
           public: true
           redirectURIs:
             - "/device/callback"
+        - id: grafana
+          name: grafana
+          secretEnv: GRAFANA_OAUTH_CLIENT_SECRET
+          redirectURIs:
+            - "https://monitoring.immich.cloud/login/generic_oauth"
     resources:
       requests:
diff --git a/kubernetes/apps/authentication/dexidp/app/secrets.yaml b/kubernetes/apps/authentication/dexidp/app/secrets.yaml
index 14b6dc2f..dfa49965 100644
--- a/kubernetes/apps/authentication/dexidp/app/secrets.yaml
+++ b/kubernetes/apps/authentication/dexidp/app/secrets.yaml
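Review bot: `random_password.grafana_oauth_client_secret.result` is persisted in plaintext in Terraform state, so the new `onepassword_item` does not make the vault the only copy of this client secret; whoever can read this module's state backend can read the secret, and the backend needs the same access control as the 1Password vault. The resource also has no `keepers`, so rotating the secret later requires a manual `terraform taint`/`-replace`; adding `keepers = { rotated = "1" }` and bumping the value on rotation turns that into a reviewable change. `special = false` is a good call here given that the value is later passed through Flux `${...}` substitution, which would otherwise be tripped up by `$` or `}` characters in a generated secret.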
@@ -13,3 +13,11 @@ metadata:
   namespace: authentication
 spec:
   itemPath: "vaults/Kubernetes/items/hedgedoc-oauth"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: grafana-oauth
+  namespace: authentication
+spec:
+  itemPath: "vaults/Kubernetes/items/grafana-oauth-client-secret"
diff --git a/kubernetes/apps/monitoring/grafana/app/grafana.yaml b/kubernetes/apps/monitoring/grafana/app/grafana.yaml
index 809019ac..dfe36701 100644
--- a/kubernetes/apps/monitoring/grafana/app/grafana.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/grafana.yaml
@@ -6,7 +6,15 @@ metadata:
   labels:
     dashboards: "grafana"
 spec:
-  # TODO: Oauth login
+  config:
+    auth.generic_oauth:
+      enabled: "true"
+      client_id: grafana
+      client_secret: ${GRAFANA_OAUTH_CLIENT_SECRET}
+      scopes: openid email profile groups offline_access
+      auth_url: https://auth.immich.cloud/auth
+      token_url: https://auth.immich.cloud/token
+      api_url: https://auth.immich.cloud/userinfo
   persistentVolumeClaim:
     spec:
       accessModes:
diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
index 40369f3e..856bf963 100644
--- a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml
@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./secret.yaml
   - ./datasource.yaml
   - ./grafana.yaml
diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/monitoring/grafana/ks.yaml
index 6b02181e..e2dbedfc 100644
--- a/kubernetes/apps/monitoring/grafana/ks.yaml
+++ b/kubernetes/apps/monitoring/grafana/ks.yaml
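Review bot: `auth.generic_oauth` is enabled without `allow_sign_up`, `allowed_groups` or `role_attribute_path`, and Grafana's generic OAuth defaults to `allow_sign_up = true`, so every identity Dex will authenticate (through whichever connectors it has, e.g. the GitHub one referenced in the Dex HelmRelease) gets a Grafana account automatically, while the `groups` scope that is requested is never used for anything. Add at least `allow_sign_up: "false"`, or — if the Dex connector actually emits groups and this Grafana version supports it — `groups_attribute_path: groups` with `allowed_groups: <group>`, plus a `role_attribute_path` expression so Admin is assigned from a group rather than by hand. Separately, `client_secret: ${GRAFANA_OAUTH_CLIENT_SECRET}` has Flux render the secret into the `Grafana` CR spec in plaintext (and presumably into whatever config object the operator generates from it), so read access to `Grafana` objects or ConfigMaps in `monitoring` now yields the OAuth client secret, not just access to Secrets; Grafana expands `$__env{GRAFANA_OAUTH_CLIENT_SECRET}` in config values, so if the operator lets you set `envFrom` on the deployment, sourcing the `grafana-oauth` Secret that way keeps the value out of the CR entirely. `offline_access` is also requested without `use_refresh_token`, which is harmless but worth dropping if refresh tokens are not used.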
@@ -1,5 +1,26 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: &app grafana-secrets
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/monitoring/grafana/secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: immich-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  dependsOn:
+    - name: cluster-apps-onepassword
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: &app grafana
   namespace: flux-system
@@ -19,3 +40,8 @@ spec:
   dependsOn:
     - name: grafana-operator
     - name: victoria-metrics
+    - name: grafana-secrets
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: grafana-oauth
diff --git a/kubernetes/apps/monitoring/grafana/app/secret.yaml b/kubernetes/apps/monitoring/grafana/secrets/admin.yaml
similarity index 100%
rename from kubernetes/apps/monitoring/grafana/app/secret.yaml
rename to kubernetes/apps/monitoring/grafana/secrets/admin.yaml
diff --git a/kubernetes/apps/monitoring/grafana/secrets/kustomization.yaml b/kubernetes/apps/monitoring/grafana/secrets/kustomization.yaml
new file mode 100644
index 00000000..157e8400
--- /dev/null
+++ b/kubernetes/apps/monitoring/grafana/secrets/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./oauth.yaml
+  - ./admin.yaml
diff --git a/kubernetes/apps/monitoring/grafana/secrets/oauth.yaml b/kubernetes/apps/monitoring/grafana/secrets/oauth.yaml
new file mode 100644
index 00000000..d2a8d100
--- /dev/null
+++ b/kubernetes/apps/monitoring/grafana/secrets/oauth.yaml
@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: grafana-oauth
+  namespace: monitoring
+spec:
+  itemPath: "vaults/Kubernetes/items/grafana-oauth-client-secret"
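Review bot: `substituteFrom` references Secret `grafana-oauth`, but the `grafana` Kustomization lives in `flux-system` while the new OnePasswordItem in `secrets/oauth.yaml` creates that Secret in `monitoring`; as far as I recall, Flux resolves `substituteFrom` references in the Kustomization's own namespace, so this reconcile would fail with a not-found error (or, if someone later adds `optional: true`, silently leave `${GRAFANA_OAUTH_CLIENT_SECRET}` unexpanded in the Grafana CR). Either create the item with `namespace: flux-system` or confirm with `flux get ks grafana` on a branch deploy before relying on it. Note also that moving `admin.yaml` into the separate `grafana-secrets` Kustomization (both with `prune: true`) transfers ownership of the Grafana admin Secret between Flux objects, so the first reconcile after merge is worth watching for a transient delete/recreate of that Secret.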