Add proxy

workloads/grafana/grafana-deploy.yml

@@ -44,6 +44,20 @@ spec:
             secretKeyRef:
               name: postgres
               key: POSTGRES_PASSWORD
+        - name: GF_USERS_ALLOW_SIGN_UP
+          value: "false"
+        - name: GF_USERS_AUTO_ASSIGN_ORG
+          value: "true"
+        - name: GF_USERS_AUTO_ASSIGN_ORG_ROLE
+          value: Editor
+        - name: GF_AUTH_PROXY_ENABLED
+          value: "true"
+        - name: GF_AUTH_PROXY_HEADER_NAME
+          value: X-Forwarded-User
+        - name: GF_AUTH_PROXY_HEADER_PROPERTY
+          value: username
+        - name: GF_AUTH_PROXY_AUTO_SIGN_UP
+          value: "true"
         resources:
           requests:
             memory: "128Mi"

workloads/grafana/grafana-proxy.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grafana-proxy
+  namespace: grafana
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grafana-proxy
+  template:
+    metadata:
+      labels:
+        app: grafana-proxy
+    spec:
+      containers:
+      - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.0
+        args: ["-email-domain=*"]
+        imagePullPolicy: IfNotPresent
+        name: grafana-proxy
+        env:
+        - name: OAUTH2_PROXY_HTTP_ADDRESS
+          value: ":4180"
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: grafana-proxy
+              key: cookie_secret
+        - name: OAUTH2_PROXY_UPSTREAM
+          value: http://grafana:3000
+        - name: OAUTH2_PROXY_PROVIDER
+          value: nextcloud
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: grafana-proxy
+              key: client_id
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: grafana-proxy
+              key: client_secret
+        - name: OAUTH2_PROXY_LOGIN_URL
+          value: https://cloud.shoup.io/index.php/apps/oauth2/authorize
+        - name: OAUTH2_PROXY_REDEEM_URL
+          value: https://cloud.shoup.io/index.php/apps/oauth2/api/v1/token
+        - name: OAUTH2_PROXY_VALIDATE_URL
+          value: https://cloud.shoup.io/ocs/v2.php/cloud/user?format=json
+        livenessProbe:
+          tcpSocket:
+            port: 4180
+          initialDelaySeconds: 600
+          periodSeconds: 30
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 2
+        ports:
+        - containerPort: 443

workloads/grafana/grafana-service.yml

@@ -11,6 +11,19 @@ spec:
     port: 3000
     targetPort: 3000
 ---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-proxy
+  namespace: grafana
+spec:
+  selector:
+    app: grafana-proxy
+  ports:
+  - protocol: TCP
+    port: 4180
+    targetPort: 4180
+---
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
@@ -22,6 +35,6 @@ spec:
     http:
       paths:
       - backend:
-          serviceName: grafana
+          serviceName: grafana-proxy
-          servicePort: 3000
+          servicePort: 4180
         path: /

workloads/grafana/proxy-secret.yml

@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-proxy
+  namespace: grafana
+spec:
+  encryptedData:
+    client_id: AgDCdksvGC53qaZTJrJbU6wdi/nBbfGKM1g/G2cjluzvaiQrJ9DLUPETv8NtJsznVMwZj5676JFX68jM8OR5YTC4W7dgaBmA3K7owvWi97gqU2Q/aFp6yFK3b2CKuvEuxIEVQaGskbmChlE/IqeAi2zxFwd7rL4cXrS/GB5mD7fQ6lpf6cH8Qkk+Ulip2t2bdGvkCizp9Jg1lWsguF1Kn+poUbviLRkpZ30LXXD/KBc5Una3CyIrknDOcnG+AdXNKCBzlMMmHQUCMdZYA2RbPEXnH87GpgoVv75qQIhINLuC6L3rDGB3AFeGDutEumbJWN8TlVQ0PD4kfpBUM8aGtHjpznOI7aUAUrtALtDtUqvt+SPebM27j9+I9lIMvkg4BuW0s5Nj4NKB/IGWwU6vo2xoKM/cMLXF88qJ6qfS0tgY4TfG/XVAEuzUXZs1HFSakVPI6qLSZgc4khxjdtWX7y3cM88Lr+TsD+crjPfJ3DZoYc1bIPWBW+bJGW3ImjsIc955Yr7KM4Ul7Owb/fp1aUHJ3+ejh1iWDOEN/Kod5VUlfHgOreX5jYozERYZmlsfSdPx4cftpOZyrYwuvBPGksPAKyql1e1zplnqTUZQsGlktllZ+Lpdq9snuG10bxz3kpLv/uW7gMn4ushV8SECMp2fsXfVuriTQ2CfpSGArmUNzQqKMLqmZw9kSCYg0j+aEigqDztRT91v6wrwCw3r0bw3gqXEGS0P4UH9Mf9C3QgAl3sUFGjPfIsn7djJ4fOSW5wlYXIJXSKG2LreQ3TBcUMk
+    client_secret: AgCSgn4YUutaOfuBKg7cq5Og8nOCcLlsObLR57h+W/NGZ+2/+auwYmtXaYBT9uOF5gXg5SBelxzWMDte+UbiAdJvAPPbQRlD838Rg+3JbmoTx6D2ZdRhK9QwwhL6U05rGxBZmIR/YC8GMwDJ5Z8FQSN3OARE0GAmzM4Iz2db9hI0w667cTpxqJozI7hbbhoGNgut9SVRj1COxVIJhGDOD8gemfjVLTKm0h10XLv+vKHTpytqkrogFUQP2x0uhlqFg+VPgbbnUbPGJ7wAM8ZnF42abCvLCC6ywXBzyepk2JXsUhClteUsvftg4C/W7lVjcGtzf3PPJyvfh0pJvy0R5itoNknsPgX+vr16L18Qhuy1MYRuTfEhsITUZdUXQ59cp0MnwvSNQI1TxgAiPTK3FeetUAZ7Jp+8HNblabdfcNzPLN/1m79pJpBcrgvBMZhCr82ZN59B+no8g2huHBVKQQAWzYnL3juKXPH8UV4UP1Tn3ArCGzRlbR9huGUU5LD9Wrr4GlU3/Ihk98gIlMtNNuh16tOWjgXUdKkdFIibKhok8FCc8VOhPPV+q9boljzE4I5qJveUOpEtK3As4+sx3uz/ipz0oX1db7O6gG56ksrc6PHugQBLlz3NXU4QOL0Ysv7/jru9HFOyeOPe8stxCWtH6FdVMb4Xymmnc0ptJNaLpC3NcfFjgy+/0uzhWRuKSmX84jh+AW7Tx0usp2i4fAH/UL4nNRFy/HIo6khw1EYWrd9KgpHKqMHtl/pmNU8Mg2Umek7ViPyd8ZjOpzoD8DuQ
+    cookie_secret: AgAYZJmKqfVGp6CNpDnOuIZIXIZcPdvreSoDPEBCEeo0TdzuzTG+ATYFAl8wUhCkmoXIR7xBn/2HCtsa99h6No2ghrW9jwi2MEygeUl/x6LobL/pAY6/IoPDGqwvVqbjtb9Kv6BENtUzAelfR3vzUvWP5H3ZwpfOfOxrNGYB1ITbub41G/HQnvMlOKXmcp867pmBwPELnD9dCZI8mnUvyoUU9EbHD3Yifa10FHzhWizKjMblFz3XF42gy/FS+nA8E5MM5ewf/njIirtgENWQoSX+l2dX/bm1/5vTPoIETL1bNb3PRct7M0vvfzIifZGJfhd7ghx2GLSQrnqEVL8UyIDML1yaY4RNpwcitnPJqJg8RHonQUW3GfufBYonScWnAG/ZXSnrWdHKXUb2LRie6upW96B9J2E4jmvol/15Ip3U/D987oJX1WFJdrZa54wjXMnM7vjKS6dor8ofYjZkxaqCLNAY9vdW5DGa1V6Q3BYqDySPm9BuBpvgx12RTqw1Nm2+GzJZqwO8wra6V/9WH8JDLCXrjcZkMZx+7xxL8kqHQmkkkAI17hNIO8CaBOhkIUo1XZhRF4H7jUnfJHzak41gXzy8q8JiRak3lU9NncrVKnXWrnhI2897tnPQEUXTJD6AZ30rE+0TNpnWLon5o4vQbwJgNd5hheVOaHG9UhwJCXoEBFGRYVUJ/Ps9X+qR0andw1he0+9vp7A9vTCBnRzAv9ChJd50Raslsca89agdhmcMCT6+GPvelUh3ORi/ft6Y5Yj26TIVw/lcDQ1zz9Ed
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-proxy
+      namespace: grafana
+status: {}
+