From 73934d9233851dff893239521002a497689d9b16 Mon Sep 17 00:00:00 2001
From: Mark <mark@openappstack.net>
Date: Fri, 20 Dec 2019 00:00:22 +0100
Subject: [PATCH] Enable Grafana single-sign on

---
 ansible/group_vars/all/oas.yml | 1 +
 .../apps/templates/monitoring-settings.yaml | 14 +++++++++++++-
 .../apps/templates/single-sign-on-settings.yaml | 16 ++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index 2e306966c..05c0cdc1c 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -24,6 +24,7 @@ grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafan
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
+grafana_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_oauth_client_secret chars=ascii_letters') }}"
 userbackend_postgres_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_postgres_password chars=ascii_letters') }}"
 userbackend_admin_username: "admin"
 userbackend_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_admin_password chars=ascii_letters') }}"
diff --git a/ansible/roles/apps/templates/monitoring-settings.yaml b/ansible/roles/apps/templates/monitoring-settings.yaml
index c36732059..9180c501f 100644
--- a/ansible/roles/apps/templates/monitoring-settings.yaml
+++ b/ansible/roles/apps/templates/monitoring-settings.yaml
@@ -121,7 +121,19 @@ additionalPrometheusRulesMap:
 grafana:
 adminPassword: "{{ grafana_admin_password }}"
-
+ grafana.ini:
+ server:
+ root_url: "https://grafana.{{ domain }}"
+ auth.generic_oauth:
+ name: grafana
+ enabled: true
+ client_id: grafana
+ client_secret: "{{ grafana_oauth_client_secret }}"
+ scopes: "openid profile email openappstack_roles"
+ auth_url: "https://sso.{{ domain }}/oauth2/auth"
+ token_url: "https://sso.{{ domain }}/oauth2/token"
+ api_url: "https://sso.{{ domain }}/userinfo"
+ role_attribute_path: contains(openappstack_roles[*], 'admin') && 'Admin' || 'Viewer'
 ingress:
 enabled: true
 annotations:
diff --git a/ansible/roles/apps/templates/single-sign-on-settings.yaml b/ansible/roles/apps/templates/single-sign-on-settings.yaml
index 79e48aad6..247a27f19 100644
--- a/ansible/roles/apps/templates/single-sign-on-settings.yaml
+++ b/ansible/roles/apps/templates/single-sign-on-settings.yaml
@@ -26,6 +26,8 @@ userbackend:
 description: Administration interface to manage user accounts
 - name: &NEXTCLOUD nextcloud
 description: "Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces."
+ - name: &GRAFANA grafana
+ description: "Grafana allows you to query, visualize, alert on and understand metrics generated by OpenAppStack. It can be used to create explore and share dashboards."
 username: "{{ userbackend_admin_username }}"
 password: "{{ userbackend_admin_password }}"
 email: "{{ userbackend_admin_email }}"
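Review bot: The new `auth.generic_oauth` block never sets `allow_sign_up`, and Grafana's shipped default for that key is (as far as I recall) true, so every account that can authenticate at `sso.{{ domain }}` gets a Grafana account, and the `|| 'Viewer'` branch of `role_attribute_path` then grants it read access to all dashboards — presumably including users whose userinfo carries no `openappstack_roles` claim at all. If that is the intended policy, make it explicit instead of relying on the default: `allow_sign_up: true` preceded by `# every SSO account may log in; non-admins land as Viewer`, and if only role holders should get in, set it to false and let the role claim gate access. The JMESPath expression is also an unquoted plain scalar containing `&&`, `||`, `[*]` and single quotes; it parses today but is fragile under Jinja and Helm rendering, so I would write `role_attribute_path: "contains(openappstack_roles[*], 'admin') && 'Admin' || 'Viewer'"`. Note that the password login form and the `adminPassword` local admin stay enabled next to SSO, which is a reasonable break-glass path but deserves a one-line comment saying so.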
@@ -91,3 +93,17 @@ oAuthClients: - "authorization_code" - "refresh_token" - "client_credentials" +- clientName: *GRAFANA + clientSecret: "{{ grafana_oauth_client_secret }}" + redirectUri: "https://grafana.{{ domain }}/login/generic_oauth" + scopes: "openid profile email openappstack_roles" + clientUri: "https://grafana.{{ domain }}" + clientLogoUri: "https://files.{{ domain }}/public/img/grafana_icon.svg" + tokenEndpointAuthMethod: "client_secret_post" + responseTypes: + - "code" + - "id_token" + grantTypes: + - "authorization_code" + - "refresh_token" + - "client_credentials" -- GitLab
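Review bot: The Grafana client is registered with `client_credentials` in `grantTypes` and `id_token` in `responseTypes`, but the Grafana login it pairs with uses only the authorization-code flow at the `/login/generic_oauth` redirect URI, so these extras only widen what a leaked `grafana_oauth_client_secret` can do (mint tokens directly as the client, or obtain id_tokens through the implicit flow). Unless the SSO server requires them, I would trim the client to `responseTypes: ["code"]` and `grantTypes: ["authorization_code", "refresh_token"]`; the sibling clients above carry the same superset, so if keeping them uniform is deliberate, a comment explaining why would help the next reader. `clientLogoUri` also points at `files.{{ domain }}/public/img/grafana_icon.svg`, which this patch does not add — presumably it is served from the files app, but verify the asset exists or the consent page will show a broken image.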