From 88d599a69109dc026ac0fe284fef85f89a9a0519 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 28 Feb 2025 13:30:29 +0000 Subject: [PATCH 01/14] Update template/stacks/monitoring/kube-prometheus/values.yaml --- .../monitoring/kube-prometheus/values.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 9c0ca32..942f6a6 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -33,6 +33,26 @@ grafana: domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true + auth: + oauth_allow_insecure_email_lookup: true + disable_login: true + disable_login_form: true + auth.generic_oauth: + enabled: true + name: Keycloak-OAuth + allow_sign_up: true + client_id: grafana-oauth + #client_secret: todo need to be set elsewhere + scopes: openid email profile offline_access roles + email_attribute_path: email + login_attribute_path: username + name_attribute_path: full_name + tls_skip_verify_insecure: true + auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator From 0f8282ead68f085dd4c47416333c7335175dd1b6 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Fri, 28 Feb 2025 14:08:07 +0000 Subject: [PATCH 02/14] Update template/stacks/monitoring/kube-prometheus/values.yaml --- .../monitoring/kube-prometheus/values.yaml | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 942f6a6..22ffb4c 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -30,7 +30,7 @@ grafana: grafana.ini: server: - domain: {{{ .Env.DOMAIN }}} + domain: factory-172-18-0-2.traefik.me root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true auth: @@ -41,19 +41,26 @@ grafana: enabled: true name: Keycloak-OAuth allow_sign_up: true - client_id: grafana-oauth - #client_secret: todo need to be set elsewhere + client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} + client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles email_attribute_path: email login_attribute_path: username name_attribute_path: full_name tls_skip_verify_insecure: true - auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth - token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token - api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo - redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' + extraSecretMounts: + - name: auth-generic-oauth-secret-mount + secretName: auth-generic-oauth-secret + defaultMode: 0440 + mountPath: /etc/secrets/auth_generic_oauth + readOnly: true + serviceMonitor: # If true, a ServiceMonitor CRD is created for a prometheus operator https://github.com/coreos/prometheus-operator enabled: true From ce6c51eea97f94d27109a1774585347c9425f39d Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 10:47:25 +0100 Subject: [PATCH 03/14] Enhanced grafana yaml --- .../stacks/monitoring/kube-prometheus/values.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 22ffb4c..c0754b6 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -30,11 +30,10 @@ grafana: grafana.ini: server: - domain: factory-172-18-0-2.traefik.me + domain: {{{ .Env.DOMAIN }}} root_url: "%(protocol)s://%(domain)s/grafana" serve_from_sub_path: true auth: - oauth_allow_insecure_email_lookup: true disable_login: true disable_login_form: true auth.generic_oauth: @@ -47,12 +46,11 @@ grafana: email_attribute_path: email login_attribute_path: username name_attribute_path: full_name - tls_skip_verify_insecure: true - auth_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/auth - token_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/token - api_url: https://factory-172-18-0-2.traefik.me/keycloak/realms/cnoe/protocol/openid-connect/userinfo - redirect_uri: http://factory-172-18-0-2.traefik.me/grafana/login/generic_oauth - role_attribute_path: contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer' + auth_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/auth + token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token + api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo + redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth + role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount From 65c5321ce687d78ab6c8f774c4e3d2b1b12838d9 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:11:38 +0100 Subject: [PATCH 04/14] Added Grafana client config to Keycloak --- .../keycloak/manifests/keycloak-config.yaml | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index e2a0981..2dd6d9b 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -181,6 +181,82 @@ data: ] } + grafana-client-payload.json: | + { + "clientId": "grafana-oauth", + "name": "grafana-oauth", + "description": "Used for Grafana SSO", + "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL", + "redirectUris": [ + "http://{{{ .Env.DOMAIN }}}/grafana/*" + ], + "webOrigins": [ + "https://{{{ .Env.DOMAIN }}}/grafana" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "false", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "offline_access", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + } + --- apiVersion: batch/v1 kind: Job From efa3a6e4dceb74b3eb9321d59492cdddf3fe9c7c Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:18:04 +0100 Subject: [PATCH 05/14] Added ArgoCD sync retry to Grafana --- template/stacks/monitoring/kube-prometheus.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml index 32cdc88..1f5218c 100644 --- a/template/stacks/monitoring/kube-prometheus.yaml +++ b/template/stacks/monitoring/kube-prometheus.yaml @@ -15,6 +15,8 @@ spec: syncOptions: - CreateNamespace=true - ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure + retry: + limit: -1 destination: name: in-cluster namespace: monitoring From e02d4bb272b1df68e4fa5e4171d0dfbf5d77edf4 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:27:51 +0100 Subject: [PATCH 06/14] Added more Grafana client config to Keycloak --- .../keycloak/manifests/keycloak-config.yaml | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 2dd6d9b..d071f9a 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -183,8 +183,8 @@ data: grafana-client-payload.json: | { - "clientId": "grafana-oauth", - "name": "grafana-oauth", + "clientId": "grafana", + "name": "Grafana Client", "description": "Used for Grafana SSO", "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", @@ -406,7 +406,30 @@ spec: ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + + + + echo "creating Grafana client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/grafana-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "grafana") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + + + echo "creating Backstage client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -441,6 +464,8 @@ spec: ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN} BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET} BACKSTAGE_CLIENT_ID: backstage + GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} + GRAFANA_CLIENT_ID: grafana " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml From 688795ffadb37d1a4bc491610b6b7c1ad92318bf Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 13:46:20 +0100 Subject: [PATCH 07/14] Added more Grafana client config to Keycloak --- template/stacks/monitoring/kube-prometheus/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index c0754b6..7a0a4f1 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -40,6 +40,7 @@ grafana: enabled: true name: Keycloak-OAuth allow_sign_up: true + use_refresh_token: true client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles @@ -50,7 +51,7 @@ grafana: token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth - role_attribute_path: "contains(resource_access.\"grafana-oauth\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana-oauth\".roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount From b58e373da9de3d870491053249954192c2f900b1 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 14:19:07 +0100 Subject: [PATCH 08/14] Added email to Keycloak users and upgraded ArgoCD again as it requires more work --- template/stacks/core/argocd.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index 4433721..4f65e09 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -21,7 +21,7 @@ spec: # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.6.12 + targetRevision: argo-cd-7.7.5 helm: valueFiles: - $values/stacks/core/argocd/values.yaml diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index d071f9a..604d714 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -100,11 +100,11 @@ data: user-user1.json: | { "username": "user1", - "email": "", + "email": "user1@user.de", "firstName": "user", "lastName": "one", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/admin" ], @@ -113,11 +113,11 @@ data: user-user2.json: | { "username": "user2", - "email": "", + "email": "user2@user.de", "firstName": "user", "lastName": "two", "requiredActions": [], - "emailVerified": false, + "emailVerified": true, "groups": [ "/base-user" ], From 2d3ebadd506e8453d69e3a444337a8b84c98be2a Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 14:52:08 +0100 Subject: [PATCH 09/14] Simplified Keycloaks Grafana config --- .../monitoring/kube-prometheus/values.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 48 ++----------------- 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 7a0a4f1..1e42733 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -51,7 +51,7 @@ grafana: token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth - role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'" extraSecretMounts: - name: auth-generic-oauth-secret-mount diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 604d714..1b5681f 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -189,20 +189,13 @@ data: "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana", "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana", - "surrogateAuthRequired": false, - "enabled": true, "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL", "redirectUris": [ "http://{{{ .Env.DOMAIN }}}/grafana/*" ], "webOrigins": [ "https://{{{ .Env.DOMAIN }}}/grafana" ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": true, @@ -211,50 +204,19 @@ data: "frontchannelLogout": true, "protocol": "openid-connect", "attributes": { + "saml_idp_initiated_sso_url_name": "", "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" + "oauth2.device.authorization.grant.enabled": "false" }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "false", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String" - } - } - ], "defaultClientScopes": [ "web-origins", "acr", - "roles", "offline_access", + "roles", "profile", + "groups", "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } + ] } --- From ec31f988896a20f53e6d4d965ab70201e2f12658 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 15:28:48 +0100 Subject: [PATCH 10/14] Added external secret for grafana keycloak client secret --- .../monitoring/kube-prometheus/values.yaml | 2 +- .../keycloak/manifests/keycloak-config.yaml | 6 ------ .../keycloak/manifests/secret-grafana.yaml | 21 +++++++++++++++++++ 3 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 1e42733..901345f 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -41,7 +41,7 @@ grafana: name: Keycloak-OAuth allow_sign_up: true use_refresh_token: true - client_id: $__file{/etc/secrets/auth_generic_oauth/client_id} + client_id: grafana client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret} scopes: openid email profile offline_access roles email_attribute_path: email diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml index 1b5681f..c271336 100644 --- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml +++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml @@ -369,9 +369,6 @@ spec: -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - - echo "creating Grafana client" curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ @@ -388,9 +385,6 @@ spec: GRAFANA_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') - - - echo "creating Backstage client" curl -sS -H "Content-Type: application/json" \ diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml new file mode 100644 index 0000000..896ec1b --- /dev/null +++ b/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: auth-generic-oauth-secret + namespace: monitoring +spec: + secretStoreRef: + name: keycloak + kind: ClusterSecretStore + refreshInterval: "0" + target: + name: auth-generic-oauth-secret + template: + engineVersion: v2 + data: + client_secret: "{{.GRAFANA_CLIENT_SECRET}}" + data: + - secretKey: GRAFANA_CLIENT_SECRET + remoteRef: + key: keycloak-clients + property: GRAFANA_CLIENT_SECRET From 6eb52e654cddcfcea0d6d366886a38933542d446 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 15:46:06 +0100 Subject: [PATCH 11/14] Refactored external secret for grafana keycloak client secret --- .../monitoring/kube-prometheus-sso.yaml | 23 +++++++++++++++++++ .../kube-prometheus-sso}/secret-grafana.yaml | 0 2 files changed, 23 insertions(+) create mode 100644 template/stacks/monitoring/kube-prometheus-sso.yaml rename template/stacks/{ref-implementation/keycloak/manifests => monitoring/kube-prometheus-sso}/secret-grafana.yaml (100%) diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml new file mode 100644 index 0000000..d38d81e --- /dev/null +++ b/template/stacks/monitoring/kube-prometheus-sso.yaml @@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kube-prometheus-sso + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://{{{ .Env.DOMAIN_GITEA }}}/giteaAdmin/edfbuilder + targetRevision: HEAD + path: "stacks/monitoring/kube-prometheus-sso" + destination: + server: "https://kubernetes.default.svc" + namespace: monitoring + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true diff --git a/template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml b/template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml similarity index 100% rename from template/stacks/ref-implementation/keycloak/manifests/secret-grafana.yaml rename to template/stacks/monitoring/kube-prometheus-sso/secret-grafana.yaml From 63a694d17c894fdaf37bfdb7d1b62e895eb2daaa Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 17:09:02 +0100 Subject: [PATCH 12/14] Removed Grafana admin account --- template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 901345f..584b767 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -1,10 +1,10 @@ grafana: namespaceOverride: "monitoring" - admin: - existingSecret: "kube-prometheus-stack-grafana-admin-password" - userKey: admin-user - passwordKey: admin-password + #admin: + # existingSecret: "kube-prometheus-stack-grafana-admin-password" + # userKey: admin-user + # passwordKey: admin-password defaultDashboardsTimezone: Europe/Berlin From 1ef1029e1f8c3750f5e22a167193aa626dfe8fae Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Sun, 2 Mar 2025 17:26:29 +0100 Subject: [PATCH 13/14] Added Grafana admin account --- template/stacks/monitoring/kube-prometheus/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml index 584b767..901345f 100644 --- a/template/stacks/monitoring/kube-prometheus/values.yaml +++ b/template/stacks/monitoring/kube-prometheus/values.yaml @@ -1,10 +1,10 @@ grafana: namespaceOverride: "monitoring" - #admin: - # existingSecret: "kube-prometheus-stack-grafana-admin-password" - # userKey: admin-user - # passwordKey: admin-password + admin: + existingSecret: "kube-prometheus-stack-grafana-admin-password" + userKey: admin-user + passwordKey: admin-password defaultDashboardsTimezone: Europe/Berlin From a9c69d6c24cd5f6b7032e8513d4afd4ba867b5f2 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Tue, 4 Mar 2025 19:23:19 +0100 Subject: [PATCH 14/14] adjusted retry backoff time --- template/stacks/monitoring/kube-prometheus-sso.yaml | 6 ++++++ template/stacks/monitoring/kube-prometheus.yaml | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/template/stacks/monitoring/kube-prometheus-sso.yaml b/template/stacks/monitoring/kube-prometheus-sso.yaml index d38d81e..0e6e43a 100644 --- a/template/stacks/monitoring/kube-prometheus-sso.yaml +++ b/template/stacks/monitoring/kube-prometheus-sso.yaml @@ -21,3 +21,9 @@ spec: - CreateNamespace=true automated: selfHeal: true + retry: + limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s diff --git a/template/stacks/monitoring/kube-prometheus.yaml b/template/stacks/monitoring/kube-prometheus.yaml index 1f5218c..7bcf3ca 100644 --- a/template/stacks/monitoring/kube-prometheus.yaml +++ b/template/stacks/monitoring/kube-prometheus.yaml @@ -17,6 +17,10 @@ spec: - ServerSideApply=true # do not copy metdata, since (because of its large size) it can lead to sync failure retry: limit: -1 + backoff: + duration: 15s + factor: 1 + maxDuration: 15s destination: name: in-cluster namespace: monitoring