Commit 7183361c authored by Jelle van der Waa's avatar Jelle van der Waa 🚧 Committed by Sven-Hendrik Haase

Setup Oauth for Grafana

Configure Grafana to use Keycloak OpenID Connect for authentication. For
now, only DevOps is mapped to the Admin role and Arch Staff to the general
Viewer role.
parent 1dffa980
$ANSIBLE_VAULT;1.1;AES256
30343635623662626436393831386266353561386231373066373638393830306539343630393633
6436343736396133623364383261353937643037613435630a313662633335373365316230303234
32333336633738383435643762333561343034376264303736343138636564623432636133313765
6232333937613031330a353466656534376565636137653165396632316261306533366239656465
66663832306138343361346637636534396533623939333962653164643838316463666632643938
6165623333313564643834343262393538663435366432666131
......@@ -13,3 +13,4 @@
- { role: prometheus_exporters }
- { role: certbot }
- { role: nginx }
- { role: grafana, grafana_domain: 'monitoring.archlinux.org' }
......@@ -139,14 +139,14 @@ enable_gzip = true
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
;reporting_enabled = true
reporting_enabled = false
# Set to false to disable all checks to https://grafana.net
# for new vesions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions
;check_for_updates = true
check_for_updates = false
# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =
......@@ -157,7 +157,7 @@ enable_gzip = true
#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false
disable_initial_admin_creation = true
# default admin user, created on startup
admin_user = admin
......@@ -166,7 +166,7 @@ admin_user = admin
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
secret_key = {{ vault_grafana_secret_key }}
# disable gravatar profile images
;disable_gravatar = false
......@@ -285,17 +285,17 @@ allow_sign_up = false
;token_rotation_interval_minutes = 10
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
;disable_login_form = false
disable_login_form = true
# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
;disable_signout_menu = false
# URL to redirect the user to after sign out
;signout_redirect_url =
signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
# Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured.
;oauth_auto_login = false
oauth_auto_login = true
# limit of api_key seconds to live before expiration
;api_key_max_seconds_to_live = -1
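Review bot: Setting `disable_login_form = true` together with `oauth_auto_login = true` here, and `disable_initial_admin_creation = true` in the [security] hunk above, leaves no local account path at all: if Keycloak is unreachable or the role mapping misbehaves, nobody can administer Grafana until the identity side is repaired. That may well be intended, but it should be stated next to the setting so a future edit does not "restore" a login form without understanding why it is absent. Suggested comment above line 56: `# Local login is intentionally unavailable (no initial admin, form hidden, OAuth auto-login); access is governed solely by Keycloak roles.` The [auth] section continues past the end of this hunk.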
......@@ -375,21 +375,21 @@ allow_sign_up = false
#################################### Generic OAuth ##########################
[auth.generic_oauth]
;enabled = false
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;email_attribute_name = email:primary
;email_attribute_path =
;auth_url = https://foo.bar/login/oauth/authorize
;token_url = https://foo.bar/login/oauth/access_token
;api_url = https://foo.bar/user
enabled = true
name = OAuth
allow_sign_up = true
client_id = openid_grafana
client_secret = {{ vault_monitoring_grafana_client_secret }}
scopes = openid profile email
email_attribute_name = email:primary
email_attribute_path = email
auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
;allowed_domains =
;team_ids =
;allowed_organizations =
;role_attribute_path =
role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
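Review bot: The `role_attribute_path:` line uses `:` as the delimiter while every other key in this file uses `=`; Grafana's ini reader accepts both, but the mix is inconsistent and easy to misread, so write `role_attribute_path = contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'`. Separately, the expression yields nothing for a user who holds neither role, and with `allow_sign_up = true` and `allowed_domains` / `allowed_organizations` left unset, any account in the Keycloak realm can still sign in and will, if I read Grafana's fallback correctly, receive the default org role rather than be rejected. That is wider than the commit description's "only DevOps ... and Arch Staff", so either confirm the default role is acceptable or restrict who may sign up, and record the decision in a comment above the mapping.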
......@@ -27,6 +27,12 @@ data "external" "vault_github" {
"--format", "json"]
}
data "external" "vault_monitoring" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_monitoring.yml",
"vault_monitoring_grafana_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
......@@ -606,3 +612,30 @@ output "gitlab_saml_configuration" {
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
}
}
resource "keycloak_openid_client" "grafana_openid_client" {
realm_id = "archlinux"
client_id = "openid_grafana"
client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://monitoring.archlinux.org",
"https://monitoring.archlinux.org/login/generic_oauth"
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
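Review bot: The `user_realm_role_mapper` deliberately sets `add_to_id_token = false` and `add_to_access_token = false`, so the `roles` claim is delivered only through the userinfo endpoint (presumably relying on the provider's default for `add_to_userinfo`), which is exactly what Grafana's `api_url` consumes for `role_attribute_path`; without a comment, this looks like an omission and invites someone to flip the flags or add the claim to the tokens. Suggested comment above the resource: `# roles are exposed via userinfo only; Grafana resolves role_attribute_path from api_url (userinfo), not from the tokens`. The `valid_redirect_uris` also hard-code `monitoring.archlinux.org`, which the playbook passes separately as `grafana_domain`, so the two definitions can drift; noting the coupling here would help. As with the existing `vault_github` data source, the client secret read through `data.external.vault_monitoring` ends up in Terraform state, so the state backend's protection is part of this secret's handling.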