Commit 7183361c authored by Jelle van der Waa's avatar Jelle van der Waa 🚧 Committed by Sven-Hendrik Haase

Setup Oauth for Grafana

Configure Grafana to use Keycloak OpenID Connect for authentication. For
now only the DevOps role is mapped to Admin and the Arch Staff role to the
general Viewer role.
parent 1dffa980
$ANSIBLE_VAULT;1.1;AES256
30343635623662626436393831386266353561386231373066373638393830306539343630393633
6436343736396133623364383261353937643037613435630a313662633335373365316230303234
32333336633738383435643762333561343034376264303736343138636564623432636133313765
6232333937613031330a353466656534376565636137653165396632316261306533366239656465
66663832306138343361346637636534396533623939333962653164643838316463666632643938
6165623333313564643834343262393538663435366432666131
...@@ -13,3 +13,4 @@ ...@@ -13,3 +13,4 @@
- { role: prometheus_exporters } - { role: prometheus_exporters }
- { role: certbot } - { role: certbot }
- { role: nginx } - { role: nginx }
- { role: grafana, grafana_domain: 'monitoring.archlinux.org' }
...@@ -139,14 +139,14 @@ enable_gzip = true ...@@ -139,14 +139,14 @@ enable_gzip = true
# No ip addresses are being tracked, only simple counters to track # No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us. # running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting. # Change this option to false to disable reporting.
;reporting_enabled = true reporting_enabled = false
# Set to false to disable all checks to https://grafana.net # Set to false to disable all checks to https://grafana.net
# for new vesions (grafana itself and plugins), check is used # for new vesions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists # in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information # This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions # only a GET request to http://grafana.com to get latest versions
;check_for_updates = true check_for_updates = false
# Google Analytics universal tracking code, only enabled if you specify an id here # Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id = ;google_analytics_ua_id =
...@@ -157,7 +157,7 @@ enable_gzip = true ...@@ -157,7 +157,7 @@ enable_gzip = true
#################################### Security #################################### #################################### Security ####################################
[security] [security]
# disable creation of admin user on first start of grafana # disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false disable_initial_admin_creation = true
# default admin user, created on startup # default admin user, created on startup
admin_user = admin admin_user = admin
...@@ -166,7 +166,7 @@ admin_user = admin ...@@ -166,7 +166,7 @@ admin_user = admin
;admin_password = admin ;admin_password = admin
# used for signing # used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm secret_key = {{ vault_grafana_secret_key }}
# disable gravatar profile images # disable gravatar profile images
;disable_gravatar = false ;disable_gravatar = false
...@@ -285,17 +285,17 @@ allow_sign_up = false ...@@ -285,17 +285,17 @@ allow_sign_up = false
;token_rotation_interval_minutes = 10 ;token_rotation_interval_minutes = 10
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
;disable_login_form = false disable_login_form = true
# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
;disable_signout_menu = false ;disable_signout_menu = false
# URL to redirect the user to after sign out # URL to redirect the user to after sign out
;signout_redirect_url = signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
# Set to true to attempt login with OAuth automatically, skipping the login screen. # Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured. # This setting is ignored if multiple OAuth providers are configured.
;oauth_auto_login = false oauth_auto_login = true
# limit of api_key seconds to live before expiration # limit of api_key seconds to live before expiration
;api_key_max_seconds_to_live = -1 ;api_key_max_seconds_to_live = -1
...@@ -375,21 +375,21 @@ allow_sign_up = false ...@@ -375,21 +375,21 @@ allow_sign_up = false
#################################### Generic OAuth ########################## #################################### Generic OAuth ##########################
[auth.generic_oauth] [auth.generic_oauth]
;enabled = false enabled = true
;name = OAuth name = OAuth
;allow_sign_up = true allow_sign_up = true
;client_id = some_id client_id = openid_grafana
;client_secret = some_secret client_secret = {{ vault_monitoring_grafana_client_secret }}
;scopes = user:email,read:org scopes = openid profile email
;email_attribute_name = email:primary email_attribute_name = email:primary
;email_attribute_path = email_attribute_path = email
;auth_url = https://foo.bar/login/oauth/authorize auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
;token_url = https://foo.bar/login/oauth/access_token token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
;api_url = https://foo.bar/user api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
;allowed_domains = ;allowed_domains =
;team_ids = ;team_ids =
;allowed_organizations = ;allowed_organizations =
;role_attribute_path = role_attribute_path: contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'
;tls_skip_verify_insecure = false ;tls_skip_verify_insecure = false
;tls_client_cert = ;tls_client_cert =
;tls_client_key = ;tls_client_key =
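Review bot: The new `role_attribute_path` line in `[auth.generic_oauth]` uses a `:` delimiter while every other key in the file uses `=`; Grafana's INI parser appears to accept both, but the file should stay consistent: `role_attribute_path = contains(roles[*], 'DevOps') && 'Admin' || contains(roles[*], 'Staff') && 'Viewer'`. For a realm user holding neither role the expression yields a non-role value, and with `allow_sign_up = true` and `allowed_domains` left empty such a user is presumably still created with the default org role from `[users] auto_assign_org_role` rather than rejected; if the deployed Grafana version supports `role_attribute_strict = true`, enabling it (or limiting on the Keycloak side which users may obtain tokens for this client) would close that gap. A comment above the key noting that `roles` is a realm-role claim delivered through the userinfo endpoint would also help the next reader.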
...@@ -27,6 +27,12 @@ data "external" "vault_github" { ...@@ -27,6 +27,12 @@ data "external" "vault_github" {
"--format", "json"] "--format", "json"]
} }
data "external" "vault_monitoring" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_monitoring.yml",
"vault_monitoring_grafana_client_secret",
"--format", "json"]
}
provider "keycloak" { provider "keycloak" {
client_id = "admin-cli" client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user username = data.external.vault_keycloak.result.vault_keycloak_admin_user
...@@ -606,3 +612,30 @@ output "gitlab_saml_configuration" { ...@@ -606,3 +612,30 @@ output "gitlab_saml_configuration" {
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
} }
} }
resource "keycloak_openid_client" "grafana_openid_client" {
realm_id = "archlinux"
client_id = "openid_grafana"
client_secret = data.external.vault_monitoring.result.vault_monitoring_grafana_client_secret
name = "Grafana"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://monitoring.archlinux.org",
"https://monitoring.archlinux.org/login/generic_oauth"
]
}
resource "keycloak_openid_user_realm_role_protocol_mapper" "user_realm_role_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.grafana_openid_client.id
name = "user realms"
claim_name = "roles"
multivalued = true
add_to_id_token = false
add_to_access_token = false
}
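Review bot: The `user_realm_role_mapper` resource sets `add_to_id_token = false` and `add_to_access_token = false`, so the `roles` claim that Grafana's `role_attribute_path` relies on reaches Grafana only through the userinfo endpoint (assuming the mapper's userinfo inclusion stays at the provider default), and nothing in the resource records that coupling. Suggest a comment such as `# roles is exposed only via userinfo; Grafana fetches it from api_url (.../userinfo) to evaluate role_attribute_path`. Separately, `data.external.vault_monitoring` follows the existing `vault_github` pattern, which means the client secret is copied into Terraform state in plaintext, as the other secrets read this way already are; worth keeping in mind for wherever that state is stored.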