grafana oauth configuration

kustomize/bases/grafana/grafana-deployment.yaml

@@ -29,12 +29,13 @@ spec:
           env:
             - name: GF_SERVER_DOMAIN
               value: ${GRAFANA_EXTERNAL_HOST}
+            - name: GF_SERVER_ROOT_URL
+              value: https://${GRAFANA_EXTERNAL_HOST}/
             # - name: GF_AUTH_ANONYMOUS_ENABLED
             #   value: "true"
             - name: GF_INSTALL_PLUGINS
               value: marcusolsson-json-datasource,marcusolsson-treemap-panel
-            - name: GF_FEATURE_TOGGLES_ENABLE
-              value: ngalert
+          args: ['--config', '/etc/grafana/provisioning/config/custom.ini']
           readinessProbe:
             failureThreshold: 3
             httpGet:
@@ -66,12 +67,17 @@ spec:
           volumeMounts:
             - name: grafana-datasources
               mountPath: /etc/grafana/provisioning/datasources
+            - name: grafana-config
+              mountPath: /etc/grafana/provisioning/config
             - mountPath: /var/lib/grafana
               name: grafana-pv
       volumes:
         - name: grafana-datasources
           configMap:
             name: grafana-datasources
+        - name: grafana-config
+          secret:
+            secretName: grafana-config
         - name: grafana-pv
           persistentVolumeClaim:
             claimName: grafana-pvc

kustomize/bases/grafana/kustomization.yaml

@@ -7,6 +7,12 @@ configMapGenerator:
     files:
       - datasources.yaml=provision/datasources.yaml
 
+secretGenerator:
+  - name: grafana-config
+    type: Opaque
+    literals:
+      - custom.ini=
+
 # secretGenerator:
 #   - name: postgres-credentials
 #     type: Opaque

kustomize/overlays/prod/configurations/grafana/custom.ini

@@ -0,0 +1,9 @@
+[auth.generic_oauth]
+enabled = true
+allow_sign_up = false
+client_id = 5yCpX9YovdrEuBpy69438S8GzCUJZLxqFl4rOcIpjBHICRpJzjv56VMxslKj7iqm
+client_secret = ${ssm:/k3s/prod/nextcloud/oidc/grafana/client_secret}
+scopes = openid profile email
+auth_url = https://cloud.badjware.dev/apps/oidc/authorize
+token_url = https://cloud.badjware.dev/apps/oidc/token
+api_url = https://cloud.badjware.dev/apps/oidc/userinfo

kustomize/overlays/prod/kustomization.yaml

@@ -65,6 +65,12 @@ secretGenerator:
     behavior: replace
     files:
       - agent.yaml=configurations/grafana-agent/agent.yaml
+  - name: grafana-config
+    type: Opaque
+    namespace: grafana
+    behavior: replace
+    files:
+      - custom.ini=configurations/grafana/custom.ini
   # - name: grafana-cloud-credentials
   #   type: Opaque
   #   namespace: monitoring