diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index 2e306966c297de3737c1f1bf9ed561e634ac4a40..05c0cdc1cb2627f52d1a96606416275f34460e99 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -24,6 +24,7 @@ grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafan
# Single sign-on passwords
userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
+grafana_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_oauth_client_secret chars=ascii_letters') }}"
userbackend_postgres_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_postgres_password chars=ascii_letters') }}"
userbackend_admin_username: "admin"
userbackend_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_admin_password chars=ascii_letters') }}"
diff --git a/ansible/roles/apps/templates/monitoring-settings.yaml b/ansible/roles/apps/templates/monitoring-settings.yaml
index c367320591d0af222cd4e5b552d79c7f2ff595f8..9180c501fdbcf805199c637f81dafecd64e90256 100644
--- a/ansible/roles/apps/templates/monitoring-settings.yaml
+++ b/ansible/roles/apps/templates/monitoring-settings.yaml
@@ -121,7 +121,19 @@ additionalPrometheusRulesMap:
grafana:
adminPassword: "{{ grafana_admin_password }}"
-
+ grafana.ini:
+ server:
+ root_url: "https://grafana.{{ domain }}"
+ auth.generic_oauth:
+ name: grafana
+ enabled: true
+ client_id: grafana
+ client_secret: "{{ grafana_oauth_client_secret }}"
+ scopes: "openid profile email openappstack_roles"
+ auth_url: "https://sso.{{ domain }}/oauth2/auth"
+ token_url: "https://sso.{{ domain }}/oauth2/token"
+ api_url: "https://sso.{{ domain }}/userinfo"
+ role_attribute_path: contains(openappstack_roles[*], 'admin') && 'Admin' || 'Viewer'
ingress:
enabled: true
annotations:
diff --git a/ansible/roles/apps/templates/single-sign-on-settings.yaml b/ansible/roles/apps/templates/single-sign-on-settings.yaml
index 79e48aad65f1efc45dd2e09e2fba575c0ceb2867..247a27f19196f23fd879279dcc8bc5e1eef73909 100644
--- a/ansible/roles/apps/templates/single-sign-on-settings.yaml
+++ b/ansible/roles/apps/templates/single-sign-on-settings.yaml
@@ -26,6 +26,8 @@ userbackend:
description: Administration interface to manage user accounts
- name: &NEXTCLOUD nextcloud
description: "Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces."
+ - name: &GRAFANA grafana
+ description: "Grafana allows you to query, visualize, alert on and understand metrics generated by OpenAppStack. It can be used to create explore and share dashboards."
username: "{{ userbackend_admin_username }}"
password: "{{ userbackend_admin_password }}"
email: "{{ userbackend_admin_email }}"
@@ -91,3 +93,17 @@ oAuthClients:
- "authorization_code"
- "refresh_token"
- "client_credentials"
+- clientName: *GRAFANA
+ clientSecret: "{{ grafana_oauth_client_secret }}"
+ redirectUri: "https://grafana.{{ domain }}/login/generic_oauth"
+ scopes: "openid profile email openappstack_roles"
+ clientUri: "https://grafana.{{ domain }}"
+ clientLogoUri: "https://files.{{ domain }}/public/img/grafana_icon.svg"
+ tokenEndpointAuthMethod: "client_secret_post"
+ responseTypes:
+ - "code"
+ - "id_token"
+ grantTypes:
+ - "authorization_code"
+ - "refresh_token"
+ - "client_credentials"