diff --git a/grafana.yaml b/grafana.yaml index 13fe26c..5c618ea 100644 --- a/grafana.yaml +++ b/grafana.yaml @@ -11,7 +11,7 @@ data: - name: Prometheus type: prometheus access: proxy - url: http://prometheus-operated.monitoring.svc.cluster.local:9090 + url: http://prometheus.monitoring.svc.cluster.local:9090 isDefault: true editable: true @@ -72,7 +72,7 @@ spec: name: oidc-client-grafana-raiko-owner-secrets key: OIDC_CLIENT_SECRET - name: GF_AUTH_GENERIC_OAUTH_SCOPES - value: "openid profile" + value: "openid profile groups" - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL value: "https://auth.ee-lte-1.codemowers.io/auth" - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL @@ -82,11 +82,10 @@ spec: - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL value: "https://auth.ee-lte-1.codemowers.io/logout" - # Auto-assign admin role + # Give Admin role to allowed group members - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH - value: "contains(groups[*], 'admin') && 'Admin' || 'Editor'" + value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || 'Viewer'" - # Disable anonymous access - name: GF_AUTH_ANONYMOUS_ENABLED value: "false" @@ -96,19 +95,6 @@ spec: - name: datasources mountPath: /etc/grafana/provisioning/datasources - readinessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 10 - periodSeconds: 10 - - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - periodSeconds: 10 volumes: - name: datasources @@ -195,4 +181,7 @@ spec: availableScopes: - openid - profile + - groups + allowedGroups: + - github.com:codemowers:admins pkce: false
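Review bot: The `|| 'Viewer'` fallback in the new GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH value (third hunk) hands a role to every account that completes the OAuth flow, including one whose token carries no groups claim at all, so Grafana itself never rejects anyone. If sign-in is meant to be limited to group members, enforce that on the Grafana side as well instead of relying on the identity provider alone: drop the fallback and add `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT` with value `"true"`, or set `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS` together with `GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH`. If Viewer for everyone else is intended, make the comment say so, for example `# Admin for github.com:codemowers:admins; every other authenticated user is Viewer`. The container's env list starts and ends outside the hunk, so other auth settings may exist that are not visible here.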
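Review bot: In the last hunk, `allowedGroups` lists only `github.com:codemowers:admins`, the same group that the role mapping in the third hunk promotes to Admin. If this field gates login at the identity provider, as its name suggests, every user who reaches Grafana becomes Admin, and the `'Viewer'` branch is reached only when the groups claim is missing from the token. Either add the group that should get read-only access, or state above the list that the instance is admin-only on purpose, for example `# admin-only: users outside this group are rejected at login`. The resource's spec begins outside the hunk, so the exact semantics of `allowedGroups` are inferred rather than visible.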