Deprecate Authelia

grafana/README.md

@@ -5,10 +5,6 @@ kubectl create namespace grafana
 kubectl apply -n grafana -f application.yml
 ```
 
-## OIDC secret
-
-See Authelia README on provisioning and updating OIDC secrets for Grafana
-
 ## Grafana post deployment steps
 
 * Configure Prometheus datasource with URL set to

grafana/application.yml

@@ -1,4 +1,25 @@
 ---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: grafana
+spec:
+  displayName: Grafana
+  uri: https://grafana.k-space.ee
+  redirectUris:
+    - https://grafana.k-space.ee/login/generic_oauth
+  allowedGroups:
+    - github.com:codemowers
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  tokenEndpointAuthMethod: none
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -14,14 +35,12 @@ data:
     name = OAuth
     icon = signin
     enabled = true
-    client_id = grafana
-    scopes = openid profile email groups
     empty_scopes = false
-    auth_url = https://auth.k-space.ee/api/oidc/authorize
-    token_url = https://auth.k-space.ee/api/oidc/token
-    api_url = https://auth.k-space.ee/api/oidc/userinfo
     allow_sign_up = true
-    role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
+    use_pkce = true
+    role_attribute_path = contains(groups[*], 'github.com:codemowers') && 'Admin' || 'Viewer'
+    [security]
+    disable_initial_admin_creation = true
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -49,9 +68,42 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 472
-          envFrom:
-            - secretRef:
-                name: oidc-secret
+          env:
+            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_URI
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_CLIENT_ID
+            - name: GF_AUTH_GENERIC_OAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_CLIENT_SECRET
+            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_AVAILABLE_SCOPES
+            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_AUTH_URI
+            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_TOKEN_URI
+            - name: GF_AUTH_GENERIC_OAUTH_API_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_USERINFO_URI
           ports:
             - containerPort: 3000
               name: http-grafana