Add Authentik OAuth integration for Grafana and update Jellyfin configuration
parent
b2af26ead8
commit
3c50db2031
9
manifests/authentik-grafana-secret.sh
Executable file
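--- a/manifests/authentik-grafana-secret.sh
+++ b/manifests/authentik-grafana-secret.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+source "$(dirname "$0")/../.env"
+
+kubectl create secret generic authentik-grafana-oauth \
+--namespace monitoring \
+--from-literal=client-id="${AUTHENTIK_GRAFANA_CLIENT_ID}" \
+--from-literal=client-secret="${AUTHENTIK_GRAFANA_CLIENT_SECRET}" \
+--dry-run=client -o yaml | kubectl apply -f -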
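Review bot: The OAuth client secret is handed to kubectl as a `--from-literal=client-secret=...` argument, so on the machine that runs this script it sits in the process argument list for as long as `kubectl create` runs. Reading it from a file descriptor keeps it out of argv, e.g. `--from-file=client-secret=<(printf '%s' "${AUTHENTIK_GRAFANA_CLIENT_SECRET}")`, because `printf` is a bash builtin and spawns no process. The `source` line also executes `../.env` as shell code, so a header comment stating that `.env` must stay out of version control and be readable by its owner only would document the assumption the script relies on.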
@ -93,12 +93,19 @@ spec:
|
|||||||
env:
|
env:
|
||||||
- name: JELLYFIN_PublishedServerUrl
|
- name: JELLYFIN_PublishedServerUrl
|
||||||
value: https://jellyfin.home.arpa
|
value: https://jellyfin.home.arpa
|
||||||
|
- name: LIBVA_DRIVER_NAME
|
||||||
|
value: radeonsi
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /config
|
mountPath: /config
|
||||||
- name: media
|
- name: media
|
||||||
mountPath: /media
|
mountPath: /media
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: dri
|
||||||
|
mountPath: /dev/dri
|
||||||
|
securityContext:
|
||||||
|
supplementalGroups:
|
||||||
|
- 992
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
@ -106,6 +113,9 @@ spec:
|
|||||||
- name: media
|
- name: media
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: jellyfin-media
|
claimName: jellyfin-media
|
||||||
|
- name: dri
|
||||||
|
hostPath:
|
||||||
|
path: /dev/dri
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
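Review bot: The new `dri` volume in the second hunk is a `hostPath` to `/dev/dri` with no `type`, which hands the Jellyfin container the host's GPU device nodes and is rejected by the baseline Pod Security Standard if the namespace ever enforces it. At minimum add `type: Directory` under `hostPath:` so the pod fails at mount time on a node without that path instead of starting with an empty directory; a GPU device plugin would avoid the host path altogether. In the first hunk, `supplementalGroups: - 992` hard-codes what is presumably the host's render-group GID, so it deserves a comment such as `# GID of the render group on the GPU node; must match every node this pod can land on`. Indentation is lost in this view, so it is worth confirming that the added `securityContext` sits at pod level, since `supplementalGroups` is not a container-level field.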
|
|||||||
@ -10,7 +10,20 @@ grafana:
|
|||||||
existingSecret: grafana-admin-secret
|
existingSecret: grafana-admin-secret
|
||||||
userKey: admin-user
|
userKey: admin-user
|
||||||
passwordKey: admin-password
|
passwordKey: admin-password
|
||||||
|
"grafana.ini":
|
||||||
|
server:
|
||||||
|
root_url: https://grafana.nik4nao.com
|
||||||
|
auth.generic_oauth:
|
||||||
|
enabled: true
|
||||||
|
name: Authentik
|
||||||
|
allow_sign_up: true
|
||||||
|
client_id: $__file{/etc/secrets/authentik-grafana-oauth/client-id}
|
||||||
|
client_secret: $__file{/etc/secrets/authentik-grafana-oauth/client-secret}
|
||||||
|
scopes: openid email profile
|
||||||
|
auth_url: https://auth.nik4nao.com/application/o/authorize/
|
||||||
|
token_url: https://auth.nik4nao.com/application/o/token/
|
||||||
|
api_url: https://auth.nik4nao.com/application/o/userinfo/
|
||||||
|
role_attribute_path: contains(groups, 'authentik Admins') && 'Admin' || 'Viewer'
|
||||||
ingress:
|
ingress:
|
||||||
enabled: true
|
enabled: true
|
||||||
ingressClassName: traefik
|
ingressClassName: traefik
|
||||||
@ -24,16 +37,23 @@ grafana:
|
|||||||
- secretName: grafana-tls
|
- secretName: grafana-tls
|
||||||
hosts:
|
hosts:
|
||||||
- grafana.nik4nao.com
|
- grafana.nik4nao.com
|
||||||
|
extraSecretMounts:
|
||||||
|
- name: authentik-grafana-oauth
|
||||||
|
secretName: authentik-grafana-oauth
|
||||||
|
mountPath: /etc/secrets/authentik-grafana-oauth
|
||||||
|
readOnly: true
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
size: 2Gi
|
size: 2Gi
|
||||||
initChownData: true
|
initChownData: true
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: false
|
||||||
|
runAsUser: 0
|
||||||
|
fsGroup: 472
|
||||||
|
|
||||||
prometheus:
|
prometheus:
|
||||||
prometheusSpec:
|
prometheusSpec:
|
||||||
retention: 15d
|
retention: 15d
|
||||||
|
|
||||||
storageSpec:
|
storageSpec:
|
||||||
volumeClaimTemplate:
|
volumeClaimTemplate:
|
||||||
metadata:
|
metadata:
|
||||||
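Review bot: The `securityContext` added in the second hunk sets `runAsNonRoot: false` and `runAsUser: 0`, so the Grafana process that now reads the OAuth client secret and sits behind the public ingress runs as root, and the commit message does not mention or justify this. `initChownData: true` is already present in the context lines, so volume ownership is presumably handled without a root main container; unless there is a reason not visible here, keep `runAsNonRoot: true` and `runAsUser: 472` alongside the existing `fsGroup: 472`. Separately, in the first hunk `allow_sign_up: true` combined with the `|| 'Viewer'` fallback in `role_attribute_path` creates a Viewer account for every user Authentik lets through; if that is not intended, `role_attribute_strict: true` with an expression that has no fallback denies users outside the listed groups.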
|
|||||||