mirror of
https://github.com/Alkatrazz24/Funk-lab.git
synced 2026-07-08 04:34:41 +02:00
feat(grafana): bascule sur le domaine public HTTPS (grafana.funklab.online) (#90)
- IngressRoute websecure + Let's Encrypt - OIDC : root_url + auth_url sur le domaine (token/api restent internes) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
c51fa2dfb4
commit
c0cbd74a9c
2 changed files with 23 additions and 5 deletions
18
k8s/infra/monitoring/ingressroute-public.yaml
Normal file
18
k8s/infra/monitoring/ingressroute-public.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
# Accès public HTTPS — grafana.funklab.online (cert Let's Encrypt auto).
|
||||
# Route interne grafana.lab.local conservée (Ingress du chart, http).
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: grafana-public
|
||||
namespace: monitoring
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`grafana.funklab.online`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: kube-prometheus-stack-grafana
|
||||
port: 80
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
|
|
@ -11,11 +11,11 @@ grafana:
|
|||
name: grafana
|
||||
user: grafana
|
||||
server:
|
||||
# Requis pour construire le redirect_uri OAuth (LAN : grafana.lab.local)
|
||||
root_url: http://grafana.lab.local
|
||||
# URL canonique publique HTTPS (construit le redirect_uri OAuth)
|
||||
root_url: https://grafana.funklab.online
|
||||
# SSO OIDC via Authentik (app « grafana » dans l'UI Authentik).
|
||||
# auth_url = navigateur (auth.lab.local) ; token/api = serveur→serveur (Service
|
||||
# interne, les pods ne résolvent pas lab.local). Le login local reste actif
|
||||
# auth_url = navigateur (domaine public) ; token/api = serveur→serveur (Service
|
||||
# interne, les pods ne résolvent pas le domaine). Le login local reste actif
|
||||
# (break-glass : admin / adminPassword ci-dessous) — ne pas mettre disable_login_form.
|
||||
auth.generic_oauth:
|
||||
enabled: true
|
||||
|
|
@ -23,7 +23,7 @@ grafana:
|
|||
client_id: grafana
|
||||
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
||||
scopes: openid profile email
|
||||
auth_url: http://auth.lab.local/application/o/authorize/
|
||||
auth_url: https://auth.funklab.online/application/o/authorize/
|
||||
token_url: http://authentik.auth.svc.cluster.local:9000/application/o/token/
|
||||
api_url: http://authentik.auth.svc.cluster.local:9000/application/o/userinfo/
|
||||
# Repli si l'utilisateur Authentik n'a pas d'email : sans ça Grafana tente un
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue