Setup Oauth for Grafana

Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only DevOps is configured as admin and Arch Staff as general Viewer
roles.

group_vars/all/vault_grafana.yml

+$ANSIBLE_VAULT;1.1;AES256
+30343635623662626436393831386266353561386231373066373638393830306539343630393633
+6436343736396133623364383261353937643037613435630a313662633335373365316230303234
+32333336633738383435643762333561343034376264303736343138636564623432636133313765
+6232333937613031330a353466656534376565636137653165396632316261306533366239656465
+66663832306138343361346637636534396533623939333962653164643838316463666632643938
+6165623333313564643834343262393538663435366432666131

playbooks/monitoring.archlinux.org.yml

@@ -13,3 +13,4 @@
     - { role: prometheus_exporters }
     - { role: certbot }
     - { role: nginx }
+    - { role: grafana, grafana_domain: 'monitoring.archlinux.org' }

roles/grafana/templates/grafana.ini.j2

@@ -139,14 +139,14 @@ enable_gzip = true
 # No ip addresses are being tracked, only simple counters to track
 # running instances, dashboard and error counts. It is very helpful to us.
 # Change this option to false to disable reporting.
-;reporting_enabled = true
+reporting_enabled = false
 
 # Set to false to disable all checks to https://grafana.net
 # for new vesions (grafana itself and plugins), check is used
 # in some UI views to notify that grafana or plugin update exists
 # This option does not cause any auto updates, nor send any information
 # only a GET request to http://grafana.com to get latest versions
-;check_for_updates = true
+check_for_updates = false
 
 # Google Analytics universal tracking code, only enabled if you specify an id here
 ;google_analytics_ua_id =
@@ -157,7 +157,7 @@ enable_gzip = true
 #################################### Security ####################################
 [security]
 # disable creation of admin user on first start of grafana
-;disable_initial_admin_creation = false
+disable_initial_admin_creation = true
 
 # default admin user, created on startup
 admin_user = admin
@@ -166,7 +166,7 @@ admin_user = admin
 ;admin_password = admin
 
 # used for signing
-;secret_key = SW2YcwTIb9zpOOhoPsMm
+secret_key = {{ vault_grafana_secret_key }}
 
 # disable gravatar profile images
 ;disable_gravatar = false
@@ -285,17 +285,17 @@ allow_sign_up = false
 ;token_rotation_interval_minutes = 10
 
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
-;disable_login_form = false
+disable_login_form = true
 
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false
 
 # URL to redirect the user to after sign out
-;signout_redirect_url =
+signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
 
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
-;oauth_auto_login = false
+oauth_auto_login = true
 
 # limit of api_key seconds to live before expiration
 ;api_key_max_seconds_to_live = -1
@@ -375,21 +375,21 @@ allow_sign_up = false
 
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
-;enabled = false
-;name = OAuth
-;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
-;email_attribute_name = email:primary
-;email_attribute_path =
-;auth_url = https://foo.bar/login/oauth/authorize
-;token_url = https://foo.bar/login/oauth/access_token
-;api_url = https://foo.bar/user
+enabled = true
+name = OAuth
+allow_sign_up = true
+client_id = openid_grafana
+client_secret = {{ vault_monitoring_grafana_client_secret }}
+scopes = openid profile email
+email_attribute_name = email:primary
+email_attribute_path = email
+auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
+token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
+api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
 ;allowed_domains =
 ;team_ids =
 ;allowed_organizations =
-;role_attribute_path =
+role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
 ;tls_skip_verify_insecure = false
 ;tls_client_cert =
 ;tls_client_key =

tf-stage2/keycloak.tf

@@ -27,6 +27,12 @@ data "external" "vault_github" {
     "--format", "json"]
 }
 
+data "external" "vault_monitoring" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_monitoring.yml",
+    "vault_monitoring_grafana_client_secret",
+    "--format", "json"]
+}
+
 provider "keycloak" {
   client_id = "admin-cli"
   username = data.external.vault_keycloak.result.vault_keycloak_admin_user
@@ -606,3 +612,30 @@ output "gitlab_saml_configuration" {
     signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
   }
 }
+
+resource "keycloak_openid_client" "grafana_openid_client" {
+  realm_id = "archlinux"
+  client_id = "openid_grafana"
+  client_secret   = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
+
+  name = "Grafana"
+  enabled = true
+
+  access_type = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "https://monitoring.archlinux.org",
+    "https://monitoring.archlinux.org/login/generic_oauth"
+  ]
+}
+
+resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
+  realm_id        = "archlinux"
+  client_id       = keycloak_openid_client.grafana_openid_client.id
+  name            = "user realms"
+
+  claim_name      = "roles"
+  multivalued     = true
+  add_to_id_token = false
+  add_to_access_token = false
+}