diff --git a/workloads/grafana/grafana-deploy.yml b/workloads/grafana/grafana-deploy.yml index a37df2e..787cf84 100644 --- a/workloads/grafana/grafana-deploy.yml +++ b/workloads/grafana/grafana-deploy.yml @@ -44,6 +44,20 @@ spec: secretKeyRef: name: postgres key: POSTGRES_PASSWORD + - name: GF_USERS_ALLOW_SIGN_UP + value: "false" + - name: GF_USERS_AUTO_ASSIGN_ORG + value: "true" + - name: GF_USERS_AUTO_ASSIGN_ORG_ROLE + value: Editor + - name: GF_AUTH_PROXY_ENABLED + value: "true" + - name: GF_AUTH_PROXY_HEADER_NAME + value: X-Forwarded-User + - name: GF_AUTH_PROXY_HEADER_PROPERTY + value: username + - name: GF_AUTH_PROXY_AUTO_SIGN_UP + value: "true" resources: requests: memory: "128Mi" diff --git a/workloads/grafana/grafana-proxy.yml b/workloads/grafana/grafana-proxy.yml new file mode 100644 index 0000000..0717fc6 --- /dev/null +++ b/workloads/grafana/grafana-proxy.yml 
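Review bot: With `GF_AUTH_PROXY_ENABLED` set to `"true"`, Grafana trusts `X-Forwarded-User` from any client that can reach it directly, and nothing in this hunk limits that to the oauth2-proxy pod. The `grafana` Service on port 3000 appears to stay in grafana-service.yml, so any in-cluster workload that can reach it could supply the header itself and, through `GF_AUTH_PROXY_AUTO_SIGN_UP`, be provisioned as an Editor. I would add a NetworkPolicy in the `grafana` namespace that admits traffic to the Grafana pods on 3000 only from pods labelled `app: grafana-proxy`, and set `GF_AUTH_PROXY_WHITELIST` as well if the proxy's source range is stable in this cluster. Consider `value: Viewer` for `GF_USERS_AUTO_ASSIGN_ORG_ROLE` so new accounts start read-only and are promoted explicitly. The env list starts above the hunk.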
@@ -0,0 +1,59 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana-proxy + namespace: grafana +spec: + replicas: 1 + selector: + matchLabels: + app: grafana-proxy + template: + metadata: + labels: + app: grafana-proxy + spec: + containers: + - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.0 + args: ["-email-domain=*"] + imagePullPolicy: IfNotPresent + name: grafana-proxy + env: + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: ":4180" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: grafana-proxy + key: cookie_secret + - name: OAUTH2_PROXY_UPSTREAM + value: http://grafana:3000 + - name: OAUTH2_PROXY_PROVIDER + value: nextcloud + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: grafana-proxy + key: client_id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: grafana-proxy + key: client_secret + - name: OAUTH2_PROXY_LOGIN_URL + value: https://cloud.shoup.io/index.php/apps/oauth2/authorize + - name: OAUTH2_PROXY_REDEEM_URL + value: https://cloud.shoup.io/index.php/apps/oauth2/api/v1/token + - name: OAUTH2_PROXY_VALIDATE_URL + value: https://cloud.shoup.io/ocs/v2.php/cloud/user?format=json + livenessProbe: + tcpSocket: + port: 4180 + initialDelaySeconds: 600 + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 2 + ports: + - containerPort: 443 diff --git a/workloads/grafana/grafana-service.yml b/workloads/grafana/grafana-service.yml index d2235a1..d42122b 100644 --- a/workloads/grafana/grafana-service.yml +++ b/workloads/grafana/grafana-service.yml @@ -11,6 +11,19 @@ spec: port: 3000 targetPort: 3000 --- +kind: Service +apiVersion: v1 +metadata: + name: grafana-proxy + namespace: grafana +spec: + selector: + app: grafana-proxy + ports: + - protocol: TCP + port: 4180 + targetPort: 4180 +--- apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: 
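Review bot: `args: ["-email-domain=*"]` makes the proxy accept every account the Nextcloud instance authenticates, and with Grafana's auto sign-up in grafana-deploy.yml each of those accounts becomes an Editor on first visit. If only some users should reach Grafana, restrict it at the proxy, for example with `-email-domain=<your-domain>` (placeholder) or `-authenticated-emails-file`, rather than sorting users out inside Grafana afterwards. `containerPort: 443` does not match `OAUTH2_PROXY_HTTP_ADDRESS` (`":4180"`), the liveness probe or the Service; `- containerPort: 4180` would be consistent. The image is pinned by tag only (`v5.1.0`), so pinning by digest and adding a `securityContext` (non-root, `allowPrivilegeEscalation: false`) plus `resources` would harden this pod.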
@@ -22,6 +35,6 @@ spec: http: paths: - backend: - serviceName: grafana - servicePort: 3000 + serviceName: grafana-proxy + servicePort: 4180 path: / diff --git a/workloads/grafana/proxy-secret.yml b/workloads/grafana/proxy-secret.yml new file mode 100644 index 0000000..8c9e675 --- /dev/null +++ b/workloads/grafana/proxy-secret.yml @@ -0,0 +1,18 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: grafana-proxy + namespace: grafana +spec: + encryptedData: + client_id: 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 + client_secret: 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 + cookie_secret: AgAYZJmKqfVGp6CNpDnOuIZIXIZcPdvreSoDPEBCEeo0TdzuzTG+ATYFAl8wUhCkmoXIR7xBn/2HCtsa99h6No2ghrW9jwi2MEygeUl/x6LobL/pAY6/IoPDGqwvVqbjtb9Kv6BENtUzAelfR3vzUvWP5H3ZwpfOfOxrNGYB1ITbub41G/HQnvMlOKXmcp867pmBwPELnD9dCZI8mnUvyoUU9EbHD3Yifa10FHzhWizKjMblFz3XF42gy/FS+nA8E5MM5ewf/njIirtgENWQoSX+l2dX/bm1/5vTPoIETL1bNb3PRct7M0vvfzIifZGJfhd7ghx2GLSQrnqEVL8UyIDML1yaY4RNpwcitnPJqJg8RHonQUW3GfufBYonScWnAG/ZXSnrWdHKXUb2LRie6upW96B9J2E4jmvol/15Ip3U/D987oJX1WFJdrZa54wjXMnM7vjKS6dor8ofYjZkxaqCLNAY9vdW5DGa1V6Q3BYqDySPm9BuBpvgx12RTqw1Nm2+GzJZqwO8wra6V/9WH8JDLCXrjcZkMZx+7xxL8kqHQmkkkAI17hNIO8CaBOhkIUo1XZhRF4H7jUnfJHzak41gXzy8q8JiRak3lU9NncrVKnXWrnhI2897tnPQEUXTJD6AZ30rE+0TNpnWLon5o4vQbwJgNd5hheVOaHG9UhwJCXoEBFGRYVUJ/Ps9X+qR0andw1he0+9vp7A9vTCBnRzAv9ChJd50Raslsca89agdhmcMCT6+GPvelUh3ORi/ft6Y5Yj26TIVw/lcDQ1zz9Ed + template: + metadata: + creationTimestamp: null + name: grafana-proxy + namespace: grafana +status: {} +