chore(base-cluster/monitoring): adjust oauth settings

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml

@@ -153,20 +153,23 @@ dashboards:
 grafana.ini:
   auth:
     signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
-  {{- if .Values.global.authentication.config.clientId }}
+  {{- with .Values.global.authentication }}
+    {{- if .config.clientId }}
+    {{- $issuerUrl := printf "https://%s%s" .config.issuerHost .config.issuerPath}}
     oauth_auto_login: true
     disable_login_form: true
   auth.generic_oauth:
     enabled: true
     allow_sign_up: true
-    api_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.apiPath }}
-    auth_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.authenticationPath }}
-    token_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.tokenPath }}
-    client_id: {{ .Values.global.authentication.config.clientId }}
-    client_secret: {{ .Values.global.authentication.config.clientSecret }}
+    api_url: {{ printf "%s%s" $issuerUrl .grafana.apiPath }}
+    auth_url: {{ printf "%s%s" $issuerUrl .grafana.authenticationPath }}
+    token_url: {{ printf "%s%s" $issuerUrl .grafana.tokenPath }}
+    client_id: {{ .config.clientId }}
+    client_secret: {{ .config.clientSecret }}
     name: OAuth
-    role_attribute_path: {{ .Values.global.authentication.grafana.roleAttributePath }}
+    role_attribute_path: {{ .grafana.roleAttributePath }}
     scopes: openid profile email
+    {{- end }}
   {{- end }}
   server:
     root_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml

@@ -11,7 +11,7 @@ metadata:
 type: Opaque
 data:
   # This might change on every `template` call, this can be ignored
-  cookieSecret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookieSecret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
-  clientID: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
-  clientSecret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+  cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookieSecret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
+  client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+  client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
 {{- end }}

charts/base-cluster/values.yaml

@@ -154,9 +154,9 @@ global:
       issuerHost: ""
       issuerPath: ""
     grafana:
-      authenticationPath: ""
-      apiPath: ""
-      tokenPath: ""
+      authenticationPath: /protocol/openid-connect/auth
+      apiPath: /protocol/openid-connect/userinfo
+      tokenPath: /protocol/openid-connect/token
       roleAttributePath: Viewer
     oauthProxy:
       emailDomains: []