feat(grafana): authenticate with keycloak via oidc

Authenticate against Keycloak via OIDC and disable persistence, as this
Grafana instance should be configured declaratively.

Author: d3adb5

argo/app-of-apps/templates/monitoring/kube-prometheus-stack.yaml

@@ -7,85 +7,114 @@ metadata:
 spec:
   project: monitoring
 
-  source:
-    repoURL: ghcr.io/prometheus-community/charts
-    chart: kube-prometheus-stack
-    targetRevision: 77.0.0
+  sources:
+    - repoURL: {{ .Values.repository.url }}
+      targetRevision: {{ .Values.repository.targetRevision }}
+      path: argo/monitoring
 
-    helm:
-      valuesObject:
-        crds:
-          enabled: true
-          upgradeJob:
-            enabled: false
-        kube-state-metrics:
-          resources:
-            limits:
-              cpu: 100m
-              memory: 64Mi
-            requests:
-              cpu: 10m
-              memory: 32Mi
-        prometheus-node-exporter:
-          resources:
-            limits:
-              cpu: 100m
-              memory: 64Mi
-            requests:
-              cpu: 10m
-              memory: 32Mi
-        prometheus:
-          prometheusSpec:
-            storageSpec:
-              volumeClaimTemplate:
-                spec:
-                  storageClassName: truenas-iscsi-hdd
-                  accessModes:
-                    - ReadWriteOnce
-                  resources:
-                    requests:
-                      storage: 20Gi
-        grafana:
-          persistence:
-            enabled: true
-            storageClassName: truenas-iscsi-hdd
-            size: 2Gi
-          ingress:
-            enabled: true
-            ingressClassName: nginx
-            annotations:
-              cert-manager.io/cluster-issuer: "letsencrypt"
-            hosts:
-              - grafana.d3adb5.ca
-            tls:
-              - hosts:
-                  - grafana.d3adb5.ca
-                secretName: grafana-tls
-          resources:
-            limits:
-              cpu: 250m
-              memory: 512Mi
-            requests:
-              cpu: 20m
-              memory: 512Mi
+    - repoURL: ghcr.io/prometheus-community/charts
+      chart: kube-prometheus-stack
+      targetRevision: 77.0.0
 
-          sidecar:
+      helm:
+        valuesObject:
+          crds:
+            enabled: true
+            upgradeJob:
+              enabled: false
+          kube-state-metrics:
             resources:
               limits:
-                cpu: 200m
-                memory: 128Mi
+                cpu: 100m
+                memory: 64Mi
               requests:
                 cpu: 10m
-                memory: 128Mi
-
-          initChownData:
+                memory: 32Mi
+          prometheus-node-exporter:
             resources:
               limits:
-                cpu: 10m
-                memory: 32Mi
+                cpu: 100m
+                memory: 64Mi
               requests:
                 cpu: 10m
                 memory: 32Mi
+          prometheus:
+            prometheusSpec:
+              storageSpec:
+                volumeClaimTemplate:
+                  spec:
+                    storageClassName: truenas-iscsi-hdd
+                    accessModes:
+                      - ReadWriteOnce
+                    resources:
+                      requests:
+                        storage: 20Gi
+          grafana:
+            persistence:
+              enabled: false
+            ingress:
+              enabled: true
+              ingressClassName: nginx
+              annotations:
+                cert-manager.io/cluster-issuer: "letsencrypt"
+              hosts:
+                - grafana.d3adb5.ca
+              tls:
+                - hosts:
+                    - grafana.d3adb5.ca
+                  secretName: grafana-tls
+            envValueFrom:
+              GRAFANA_OAUTH_CLIENT_ID:
+                secretKeyRef:
+                  name: grafana-oidc-secrets
+                  key: client-id
+              GRAFANA_OAUTH_CLIENT_SECRET:
+                secretKeyRef:
+                  name: grafana-oidc-secrets
+                  key: client-secret
+            grafana.ini:
+              server:
+                root_url: https://grafana.d3adb5.ca
+              auth.generic_oauth:
+                enabled: true
+                name: Keycloak
+                allow_sign_up: false
+                client_id: "${GRAFANA_OAUTH_CLIENT_ID}"
+                client_secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
+                scopes: openid email profile offline_access roles groups
+                email_attribute_path: email
+                login_attribute_path: username
+                name_attribute_path: full_name
+                auth_url: https://id.d3adb5.ca/realms/core/protocol/openid-connect/auth
+                token_url: https://id.d3adb5.ca/realms/core/protocol/openid-connect/token
+                api_url: https://id.d3adb5.ca/realms/core/protocol/openid-connect/userinfo
+                role_attribute_path: >-
+                  contains(groups[*], 'Admin') && 'Admin'
+                  || contains(groups[*], 'Grafana') && Editor
+                  || 'Viewer'
+
+            resources:
+              limits:
+                memory: 512Mi
+              requests:
+                cpu: 20m
+                memory: 512Mi
+
+            sidecar:
+              resources:
+                limits:
+                  memory: 128Mi
+                requests:
+                  cpu: 10m
+                  memory: 128Mi
+
+            initChownData:
+              resources:
+                limits:
+                  memory: 32Mi
+                requests:
+                  cpu: 10m
+                  memory: 32Mi
 
   destination:
     server: https://kubernetes.default.svc

argo/app-of-apps/templates/projects/monitoring.yaml

@@ -9,6 +9,7 @@ spec:
 
   sourceRepos:
     - ghcr.io/prometheus-community/charts
+    - {{ .Values.repository.url }}
 
   destinations:
     - namespace: {{ .Values.monitoring.namespace }}

argo/monitoring/oidc-secrets.yaml

@@ -0,0 +1,8 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: grafana-oidc-secrets
+spec:
+  encryptedData:
+    client-secret: AgC6yIiC4r9wE5UkpHdaavDrDWZzLUH1/l1VYkT4ez655478MXkP2q/o7VZQBKzKtgm/sOXO5+VHLGmeyq8fFK3hoJE4ftjycvnhsdJekXZzg6ijFV1kjX+BI7cHB0ZXy0JtLvXeADEC6obkAb7nN4z9yUiGO7lU8SV1odbz/t6TbtcaV/X5tCNpPDfbypuZTE6t/tiHO4Q/ktWbM6WH9iixzS6rKhWrSlLE7NojQlBVrX+ISHkCFkivIIXceO0qb0KZ/KabjudbKCBOOLF39kHPebyXWE+JmGj+M1O571qBxvkdzMaz54kVImnLDbhe3ooCcK59rVeN9oEQSPA4nan4k/yDkFSJ8tELxA6nbzq/dnW7LeDqJvhfAun1pqAXt8J2mF3S5LgAFRXXg1rBCDf1QkyWwMxDKKa34NqcKo9yRsuy9T4koAaX6wraYTbTnZ6p1ica4I/nLJCNIe7tIrsiu0A7d0U2FHZHVge2dUzz3V6DI8Q/K/HMQxCe20UsTcoGyQHOtUfrlm6S8+XxmekS/q/TDw8nOxQoiwahawh19SzwAL6i/MHWW3RV53EgSwudUTMe7w85dwXDvFc1489KLKmFpPpPJpyGuQq8o5QaEHFikrTqhGGOfh3dkoEx+WZ+QY4fPZJ2y4O726D/B5e+DElrxPpoXZrIT3ZLWkOiQlzD/t28c3b5aAZgslUQWTG0fS/xtA5jPG7Co4BZWs+Xyu6AlgahiSjTVVpgZZCVfg==
+    client-id: AgAxh2GgZNEstzl9C07D3Ak6mJjezhuiHnEF1B6V8JdOuK/iDFa395uqOFHn4FqNtJ4Oj/VKpj/wBvUQkEnjR7qJmXcf+gj0JH/L8Of28YXsOu685GrqeFfeK7BPLJmT9G0/nCt3t8uWhizOagbc8ZnppuaI4CJb5FbAYaQxMnX+l8TR0AAuw31umIueZwRyX0Xfjj+pf9bCjJ2Pl19kWpvUwwniLRjG3kERz8qi6qMgLpsPx2rReALTt37OCsR8+7Tlvzt4R1Em1n6rKvow717rM0ISMhuIpkbK9MU6NzuH4oatDYTpFrMIiDKUHS34lWSus3MzlG6qfM4FY5MI2LWKcr5gZfPpDPqXEW2a9yBV7KfsPXPWf0n+fQkTg/xDZhr3u2jPOmCp8BJjHnvkCssnI5d9wP0IAa7B9CRiXM+jG9url3VVfipnrlO/l/H1ppdMKOLLrLMTVb6+CYHCOve8LVXvrPxnIBvyTq86xNNfesIaye6/Z5U7Xj8YNsZB7HSowzY7xqx1LlZGhY91g/qR2kqxDs/pXEU1ynHwgT/C6DsxVYOtHRREEGUPetbBQhpWq4GCk6fGxgB40Jh47nwkclZpB2x1q8sF8mFvSjmMTG+6GJ/JqLOu1o1gDHAePSglwEbsyewA7OZgAPDjbAfEydy9WSzj9EvERNW3L8BFMVuasNiyrqziF/rt9fFc8pn+AX48eRb6