Merge branch '459-grafana-single-sign-on' into 'master'

Resolve "grafana single sign-on" Closes #459 See merge request openappstack/openappstack!199

Merge branch '459-grafana-single-sign-on' into 'master'
Resolve "grafana single sign-on" Closes #459 See merge request openappstack/openappstack!199
dc7a236f · Varac · 26b1c7c5 · 926aaafd · dc7a236f · dc7a236f
Commit dc7a236f authored 5 years ago by Varac
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -31,6 +31,7 @@ grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafan
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
+grafana_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_oauth_client_secret chars=ascii_letters') }}"
 userbackend_postgres_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_postgres_password chars=ascii_letters') }}"
 userbackend_admin_username: "admin"
 userbackend_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/userbackend_admin_password chars=ascii_letters') }}"

--- a/ansible/roles/apps/templates/monitoring-settings.yaml
+++ b/ansible/roles/apps/templates/monitoring-settings.yaml
@@ -121,7 +121,20 @@ additionalPrometheusRulesMap:

 grafana:
  adminPassword: "{{ grafana_admin_password }}"
-
+  grafana.ini:
+    server:
+      root_url: "https://grafana.{{ domain }}"
+    auth:
+      generic_oauth:
+        name: OpenAppStack
+        enabled: true
+        client_id: grafana
+        client_secret: "{{ grafana_oauth_client_secret }}"
+        scopes: "openid profile email openappstack_roles"
+        auth_url: "https://sso.{{ domain }}/oauth2/auth"
+        token_url: "https://sso.{{ domain }}/oauth2/token"
+        api_url: "https://sso.{{ domain }}/userinfo"
+        role_attribute_path: contains(openappstack_roles[*], 'admin') && 'Admin' || 'Editor'
  ingress:
    enabled: true
    annotations:

--- a/ansible/roles/apps/templates/single-sign-on-settings.yaml
+++ b/ansible/roles/apps/templates/single-sign-on-settings.yaml
@@ -26,6 +26,8 @@ userbackend:
      description: Administration interface to manage user accounts
    - name: &NEXTCLOUD nextcloud
      description: "Nextcloud Files offers an on-premise Universal File Access and sync platform with powerful collaboration capabilities and desktop, mobile and web interfaces."
+    - name: &GRAFANA grafana
+      description: "Grafana allows you to query, visualize, alert on and understand metrics generated by OpenAppStack. It can be used to create explore and share dashboards."
  username: "{{ userbackend_admin_username }}"
  password: "{{ userbackend_admin_password }}"
  email: "{{ userbackend_admin_email }}"
@@ -88,3 +90,17 @@ oAuthClients:
    - "authorization_code"
    - "refresh_token"
    - "client_credentials"
+- clientName: *GRAFANA
+  clientSecret: "{{ grafana_oauth_client_secret }}"
+  redirectUri: "https://grafana.{{ domain }}/login/generic_oauth"
+  scopes: "openid profile email openappstack_roles"
+  clientUri: "https://grafana.{{ domain }}"
+  clientLogoUri: "https://grafana.{{ domain }}/public/img/grafana_icon.svg"
+  tokenEndpointAuthMethod: "client_secret_post"
+  responseTypes:
+    - "code"
+    - "id_token"
+  grantTypes:
+    - "authorization_code"
+    - "refresh_token"
+    - "client_credentials"