fix(base-cluster/grafana): oidc secret handling (#756)

teutonet · Feb 13, 2024 · 73a15d2 · 73a15d2
1 parent 10adf69
commit 73a15d2
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml
@@ -137,6 +137,14 @@ dashboards:
   {{- end }}
 {{- include "base-cluster.monitoring.ingress" (dict "name" "grafana" "context" $) | nindent 0 }}
 {{- if and .Values.ingress.enabled .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }}
+  {{- if .Values.global.authentication }}
+envValueFrom:
+  OIDC_CLIENT_SECRET:
+    secretKeyRef:
+      key: client-secret
+      name: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
+      optional: false
+  {{- end }}
 grafana.ini:
   auth:
     signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
@@ -152,7 +160,7 @@ grafana.ini:
     auth_url: {{ printf "%s%s" $issuerUrl .grafana.authenticationPath }}
     token_url: {{ printf "%s%s" $issuerUrl .grafana.tokenPath }}
     client_id: {{ .config.clientId }}
-    client_secret: {{ .config.clientSecret }}
+    client_secret: ${OIDC_CLIENT_SECRET}
     name: OAuth
     role_attribute_path: {{ .grafana.roleAttributePath | quote }}
     scopes: openid profile email

diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled (or (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .)) (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .))) }}
+{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled (or (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .)) (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .)) (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "grafana" "context" .))) }}
 {{- $name := include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) -}}
 apiVersion: v1
 kind: Secret

diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
@@ -105,7 +105,7 @@ global:
     prometheus:
       url: https://prometheus-community.github.io/helm-charts
       charts:
-        kube-prometheus-stack: 55.x
+        kube-prometheus-stack: 56.x
       condition: "{{ .Values.monitoring.prometheus.enabled }}"
       interval: 5m
     grafana: