feat(grafana): bascule sur le domaine public HTTPS (grafana.funklab.online) (#90)

- IngressRoute websecure + Let's Encrypt
- OIDC : root_url + auth_url sur le domaine (token/api restent internes)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
ALI YESILKAYA 2026-07-07 16:41:21 +02:00 committed by GitHub
parent c51fa2dfb4
commit c0cbd74a9c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 5 deletions

View file

@ -0,0 +1,18 @@
# Accès public HTTPS — grafana.funklab.online (cert Let's Encrypt auto).
# Route interne grafana.lab.local conservée (Ingress du chart, http).
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: grafana-public
namespace: monitoring
spec:
entryPoints:
- websecure
routes:
- match: Host(`grafana.funklab.online`)
kind: Rule
services:
- name: kube-prometheus-stack-grafana
port: 80
tls:
certResolver: letsencrypt

View file

@ -11,11 +11,11 @@ grafana:
name: grafana
user: grafana
server:
# Requis pour construire le redirect_uri OAuth (LAN : grafana.lab.local)
root_url: http://grafana.lab.local
# URL canonique publique HTTPS (construit le redirect_uri OAuth)
root_url: https://grafana.funklab.online
# SSO OIDC via Authentik (app « grafana » dans l'UI Authentik).
# auth_url = navigateur (auth.lab.local) ; token/api = serveur→serveur (Service
# interne, les pods ne résolvent pas lab.local). Le login local reste actif
# auth_url = navigateur (domaine public) ; token/api = serveur→serveur (Service
# interne, les pods ne résolvent pas le domaine). Le login local reste actif
# (break-glass : admin / adminPassword ci-dessous) — ne pas mettre disable_login_form.
auth.generic_oauth:
enabled: true
@ -23,7 +23,7 @@ grafana:
client_id: grafana
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
scopes: openid profile email
auth_url: http://auth.lab.local/application/o/authorize/
auth_url: https://auth.funklab.online/application/o/authorize/
token_url: http://authentik.auth.svc.cluster.local:9000/application/o/token/
api_url: http://authentik.auth.svc.cluster.local:9000/application/o/userinfo/
# Repli si l'utilisateur Authentik n'a pas d'email : sans ça Grafana tente un