From 4432fec7827643225c9799ce55e427bcc97ec5d8 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Thu, 23 Nov 2023 09:46:00 +0100
Subject: [PATCH] chore(base-cluster/monitoring): adjust oauth settings
---
 .../kube-prometheus-stack/_grafana-config.yaml | 17 ++++++++++-------
 .../oauth-proxy-secret.yaml | 6 +++---
 charts/base-cluster/values.yaml | 6 +++---
 3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml
index 6f54e7d12d..0b569b155b 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml
@@ -153,20 +153,23 @@ dashboards:
 grafana.ini:
 auth:
 signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
- {{- if .Values.global.authentication.config.clientId }}
+ {{- with .Values.global.authentication }}
+ {{- if .config.clientId }}
+ {{- $issuerUrl := printf "https://%s%s" .config.issuerHost .config.issuerPath}}
 oauth_auto_login: true
 disable_login_form: true
 auth.generic_oauth:
 enabled: true
 allow_sign_up: true
- api_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.apiPath }}
- auth_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.authenticationPath }}
- token_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.tokenPath }}
- client_id: {{ .Values.global.authentication.config.clientId }}
- client_secret: {{ .Values.global.authentication.config.clientSecret }}
+ api_url: {{ printf "%s%s" $issuerUrl .grafana.apiPath }}
+ auth_url: {{ printf "%s%s" $issuerUrl .grafana.authenticationPath }}
+ token_url: {{ printf "%s%s" $issuerUrl .grafana.tokenPath }}
+ client_id: {{ .config.clientId }}
+ client_secret: {{ .config.clientSecret }}
 name: OAuth
- role_attribute_path: {{ .Values.global.authentication.grafana.roleAttributePath }}
+ role_attribute_path: {{ .grafana.roleAttributePath }}
 scopes: openid profile email
+ {{- end }}
 {{- end }}
 server:
 root_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml
index 49a1fcdaaa..fbbfc7526b 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml
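Review bot: `client_id` and `client_secret` are written into `grafana.ini` unquoted and in clear text on the new lines of this hunk. A value containing ` #` or `: `, or one that looks like a number, would be truncated or retyped by the YAML parser, so render them as `client_secret: {{ .config.clientSecret | quote }}` (likewise `client_id`). The chart already builds a Secret from the same credentials in oauth-proxy-secret.yaml; pointing Grafana at a mounted file or environment variable through its `$__file{...}` / `$__env{...}` expansion would keep the secret out of the rendered configuration, which presumably ends up in a ConfigMap or release values. The `grafana.ini` block starts and ends outside the hunk.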
@@ -11,7 +11,7 @@ metadata:
 type: Opaque
 data:
 # This might change on every `template` call, this can be ignored
- cookieSecret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookieSecret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
- clientID: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
- clientSecret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+ cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookieSecret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
+ client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+ client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
 {{- end }}
diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
index 58b52e7f8c..33c719447c 100644
--- a/charts/base-cluster/values.yaml
+++ b/charts/base-cluster/values.yaml
@@ -154,9 +154,9 @@ global:
 issuerHost: ""
 issuerPath: ""
 grafana:
- authenticationPath: ""
- apiPath: ""
- tokenPath: ""
+ authenticationPath: /protocol/openid-connect/auth
+ apiPath: /protocol/openid-connect/userinfo
+ tokenPath: /protocol/openid-connect/token
 roleAttributePath: Viewer
 oauthProxy:
 emailDomains: []
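Review bot: The data key is renamed to `cookie-secret`, but the helper call on the same line still passes `"key" "cookieSecret"`. If `common.secrets.passwords.manage` looks up the existing Secret by that key (its definition is outside this diff), it would no longer find the stored value, and the cookie secret would likely be regenerated on every reconcile, invalidating existing proxy sessions. Pass `"key" "cookie-secret"` so the lookup and the data key agree, and check that whatever consumes this Secret references the new `client-id` / `client-secret` keys. The template's opening `{{- if }}` lies outside the hunk.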
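Review bot: The new defaults for `authenticationPath`, `apiPath` and `tokenPath` are suffixes in what looks like Keycloak's endpoint layout, and values.yaml does not say that they are now appended to `https://<issuerHost><issuerPath>`. Installs that already set full paths in these keys together with a non-empty `issuerPath` would render a doubled path after the change in _grafana-config.yaml, which breaks login until the values are adjusted. Add a comment above `grafana:` such as `# paths are appended to https://<issuerHost><issuerPath>; defaults follow Keycloak's OIDC endpoints` and mention the change in the upgrade notes. The `global.authentication` mapping continues outside the hunk.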