Add Authentik OAuth integration for Grafana and update Jellyfin configuration

2026-03-11 22:47:57 +09:00 · 2026-03-11 22:47:57 +09:00 · 3c50db2031
commit 3c50db2031
parent b2af26ead8
3 changed files with 42 additions and 3 deletions
--- a/manifests/authentik-grafana-secret.sh
+++ b/manifests/authentik-grafana-secret.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+source "$(dirname "$0")/../.env"
+
+kubectl create secret generic authentik-grafana-oauth \
+  --namespace monitoring \
+  --from-literal=client-id="${AUTHENTIK_GRAFANA_CLIENT_ID}" \
+  --from-literal=client-secret="${AUTHENTIK_GRAFANA_CLIENT_SECRET}" \
+  --dry-run=client -o yaml | kubectl apply -f -
--- a/manifests/jellyfin.yaml
+++ b/manifests/jellyfin.yaml
@ -93,12 +93,19 @@ spec:
          env:
            - name: JELLYFIN_PublishedServerUrl
              value: https://jellyfin.home.arpa
+            - name: LIBVA_DRIVER_NAME
+              value: radeonsi
          volumeMounts:
            - name: config
              mountPath: /config
            - name: media
              mountPath: /media
              readOnly: true
+            - name: dri
+              mountPath: /dev/dri
+      securityContext:
+        supplementalGroups:
+          - 992
      volumes:
        - name: config
          persistentVolumeClaim:
@ -106,6 +113,9 @@ spec:
        - name: media
          persistentVolumeClaim:
            claimName: jellyfin-media
+        - name: dri
+          hostPath:
+            path: /dev/dri
 ---
 apiVersion: v1
 kind: Service
--- a/values/kube-prometheus-stack.yaml
+++ b/values/kube-prometheus-stack.yaml
@ -10,7 +10,20 @@ grafana:
    existingSecret: grafana-admin-secret
    userKey: admin-user
    passwordKey: admin-password
-
+  "grafana.ini":
+    server:
+      root_url: https://grafana.nik4nao.com
+    auth.generic_oauth:
+      enabled: true
+      name: Authentik
+      allow_sign_up: true
+      client_id: $__file{/etc/secrets/authentik-grafana-oauth/client-id}
+      client_secret: $__file{/etc/secrets/authentik-grafana-oauth/client-secret}
+      scopes: openid email profile
+      auth_url: https://auth.nik4nao.com/application/o/authorize/
+      token_url: https://auth.nik4nao.com/application/o/token/
+      api_url: https://auth.nik4nao.com/application/o/userinfo/
+      role_attribute_path: contains(groups, 'authentik Admins') && 'Admin' || 'Viewer'
  ingress:
    enabled: true
    ingressClassName: traefik
@ -24,16 +37,23 @@ grafana:
      - secretName: grafana-tls
        hosts:
          - grafana.nik4nao.com
-
+  extraSecretMounts:
+    - name: authentik-grafana-oauth
+      secretName: authentik-grafana-oauth
+      mountPath: /etc/secrets/authentik-grafana-oauth
+      readOnly: true
  persistence:
    enabled: true
    size: 2Gi
    initChownData: true
+  securityContext:
+    runAsNonRoot: false
+    runAsUser: 0
+    fsGroup: 472

 prometheus:
  prometheusSpec:
    retention: 15d
-
    storageSpec:
      volumeClaimTemplate:
        metadata: