Simplified Keycloaks Grafana config

2025-03-02 14:52:08 +01:00 · 2025-03-02 14:52:08 +01:00 · 2d3ebadd50
commit 2d3ebadd50
parent b58e373da9
2 changed files with 6 additions and 44 deletions
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@ -51,7 +51,7 @@ grafana:
      token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
      api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
      redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
      
  extraSecretMounts:
    - name: auth-generic-oauth-secret-mount
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@ -189,20 +189,13 @@ data:
      "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
      "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
      "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "surrogateAuthRequired": false,
-      "enabled": true,
      "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
      "redirectUris": [
        "http://{{{ .Env.DOMAIN }}}/grafana/*"
      ],
      "webOrigins": [
        "https://{{{ .Env.DOMAIN }}}/grafana"
      ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
@ -211,50 +204,19 @@ data:
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
        "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "display.on.consent.screen": "false",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "backchannel.logout.revoke.offline.tokens": "false"
+        "oauth2.device.authorization.grant.enabled": "false"
      },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "client roles",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-client-role-mapper",
-          "consentRequired": false,
-          "config": {
-            "multivalued": "true",
-            "userinfo.token.claim": "false",
-            "user.attribute": "foo",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "resource_access.${client_id}.roles",
-            "jsonType.label": "String"
-          }
-        }
-      ],
      "defaultClientScopes": [
        "web-origins",
        "acr",
-        "roles",
        "offline_access",
+        "roles",
        "profile",
+        "groups",
        "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "microprofile-jwt"
-      ],
-      "access": {
-        "view": true,
-        "configure": true,
-        "manage": true
-      }
+      ]
    }

 ---