website/integrations: grafana: add Helm and Terraform config examples (#7121)
* Added helm ref and Terraform Provider config Added disclaimer about secrets in Helm, i.e. values.yaml Co-authored-by: risson <18313093+rissson@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: senare <senare@gmail.com> * fix formatting Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: senare <senare@gmail.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Manfred Nilsson <manfred.nilsson@synkzone.com> Co-authored-by: risson <18313093+rissson@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
48e8c568e2
commit
34367a7481
@ -26,6 +26,66 @@ Create an application in authentik. Create an OAuth2/OpenID provider with the fo
|
|||
|
||||
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
|
||||
|
||||
## Terraform provider
|
||||
|
||||
```hcl
|
||||
|
||||
data "authentik_flow" "default-provider-authorization-implicit-consent" {
|
||||
slug = "default-provider-authorization-implicit-consent"
|
||||
}
|
||||
|
||||
data "authentik_scope_mapping" "scope-email" {
|
||||
name = "authentik default OAuth Mapping: OpenID 'email'"
|
||||
}
|
||||
|
||||
data "authentik_scope_mapping" "scope-profile" {
|
||||
name = "authentik default OAuth Mapping: OpenID 'profile'"
|
||||
}
|
||||
|
||||
data "authentik_scope_mapping" "scope-openid" {
|
||||
name = "authentik default OAuth Mapping: OpenID 'openid'"
|
||||
}
|
||||
|
||||
resource "authentik_provider_oauth2" "grafana" {
|
||||
name = "Grafana"
|
||||
# Required. You can use the output of:
|
||||
# $ openssl rand -hex 16
|
||||
client_id = "my_client_id"
|
||||
|
||||
# Optional: will be generated if not provided
|
||||
# client_secret = "my_client_secret"
|
||||
|
||||
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
||||
|
||||
redirect_uris = ["https://grafana.company/login/generic_oauth"]
|
||||
|
||||
property_mappings = [
|
||||
data.authentik_scope_mapping.scope-email.id,
|
||||
data.authentik_scope_mapping.scope-profile.id,
|
||||
data.authentik_scope_mapping.scope-openid.id,
|
||||
]
|
||||
}
|
||||
|
||||
resource "authentik_application" "grafana" {
|
||||
name = "Grafana"
|
||||
slug = "grafana"
|
||||
protocol_provider = authentik_provider_oauth2.grafana.id
|
||||
}
|
||||
|
||||
resource "authentik_group" "grafana_admins" {
|
||||
name = "Grafana Admins"
|
||||
}
|
||||
|
||||
resource "authentik_group" "grafana_editors" {
|
||||
name = "Grafana Editors"
|
||||
}
|
||||
|
||||
resource "authentik_group" "grafana_viewers" {
|
||||
name = "Grafana Viewers"
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
## Grafana
|
||||
|
||||
import Tabs from "@theme/Tabs";
|
||||
|
@ -36,9 +96,10 @@ import TabItem from "@theme/TabItem";
|
|||
values={[
|
||||
{label: 'Docker', value: 'docker'},
|
||||
{label: 'Standalone', value: 'standalone'},
|
||||
{label: 'Helm', value: 'helm'},
|
||||
]}>
|
||||
<TabItem value="docker">
|
||||
If your Grafana is running in docker, set the following environment variables:
|
||||
If your Grafana instance is running in Docker, set the following environment variables:
|
||||
|
||||
```yaml
|
||||
environment:
|
||||
|
@ -80,6 +141,32 @@ api_url = https://authentik.company/application/o/userinfo/
|
|||
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="helm">
|
||||
If you are using a Helm `values.yaml` file instead, you have to set these options:
|
||||
|
||||
```yaml
|
||||
grafana.ini:
|
||||
auth:
|
||||
signout_redirect_url: "https://authentik.company/application/o/<Slug of the application from above>/end-session/"
|
||||
oauth_auto_login: true
|
||||
auth.generic_oauth:
|
||||
name: authentik
|
||||
enabled: true
|
||||
client_id: "<Client ID from above>"
|
||||
client_secret: "<Client Secret from above>"
|
||||
scopes: "openid profile email"
|
||||
auth_url: "https://authentik.company/application/o/authorize/"
|
||||
token_url: "https://authentik.company/application/o/token/"
|
||||
api_url: "https://authentik.company/application/o/userinfo/"
|
||||
# Optionally map user groups to Grafana roles
|
||||
role_attribute_path: contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
|
||||
```
|
||||
|
||||
:::note
|
||||
For security reasons you shouldn't inline the client_secret in the values, but use a secret instead. For more information, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#how-to-securely-reference-secrets-in-grafanaini
|
||||
:::
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||