mirror of
https://github.com/Alkatrazz24/Funk-lab.git
synced 2026-07-10 18:34:42 +02:00
feat(grafana): bascule sur le domaine public HTTPS (grafana.funklab.online) (#90)
- IngressRoute websecure + Let's Encrypt - OIDC : root_url + auth_url sur le domaine (token/api restent internes) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
c51fa2dfb4
commit
c0cbd74a9c
2 changed files with 23 additions and 5 deletions
18
k8s/infra/monitoring/ingressroute-public.yaml
Normal file
18
k8s/infra/monitoring/ingressroute-public.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Accès public HTTPS — grafana.funklab.online (cert Let's Encrypt auto).
|
||||||
|
# Route interne grafana.lab.local conservée (Ingress du chart, http).
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: grafana-public
|
||||||
|
namespace: monitoring
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`grafana.funklab.online`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: kube-prometheus-stack-grafana
|
||||||
|
port: 80
|
||||||
|
tls:
|
||||||
|
certResolver: letsencrypt
|
||||||
|
|
@ -11,11 +11,11 @@ grafana:
|
||||||
name: grafana
|
name: grafana
|
||||||
user: grafana
|
user: grafana
|
||||||
server:
|
server:
|
||||||
# Requis pour construire le redirect_uri OAuth (LAN : grafana.lab.local)
|
# URL canonique publique HTTPS (construit le redirect_uri OAuth)
|
||||||
root_url: http://grafana.lab.local
|
root_url: https://grafana.funklab.online
|
||||||
# SSO OIDC via Authentik (app « grafana » dans l'UI Authentik).
|
# SSO OIDC via Authentik (app « grafana » dans l'UI Authentik).
|
||||||
# auth_url = navigateur (auth.lab.local) ; token/api = serveur→serveur (Service
|
# auth_url = navigateur (domaine public) ; token/api = serveur→serveur (Service
|
||||||
# interne, les pods ne résolvent pas lab.local). Le login local reste actif
|
# interne, les pods ne résolvent pas le domaine). Le login local reste actif
|
||||||
# (break-glass : admin / adminPassword ci-dessous) — ne pas mettre disable_login_form.
|
# (break-glass : admin / adminPassword ci-dessous) — ne pas mettre disable_login_form.
|
||||||
auth.generic_oauth:
|
auth.generic_oauth:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
@ -23,7 +23,7 @@ grafana:
|
||||||
client_id: grafana
|
client_id: grafana
|
||||||
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
||||||
scopes: openid profile email
|
scopes: openid profile email
|
||||||
auth_url: http://auth.lab.local/application/o/authorize/
|
auth_url: https://auth.funklab.online/application/o/authorize/
|
||||||
token_url: http://authentik.auth.svc.cluster.local:9000/application/o/token/
|
token_url: http://authentik.auth.svc.cluster.local:9000/application/o/token/
|
||||||
api_url: http://authentik.auth.svc.cluster.local:9000/application/o/userinfo/
|
api_url: http://authentik.auth.svc.cluster.local:9000/application/o/userinfo/
|
||||||
# Repli si l'utilisateur Authentik n'a pas d'email : sans ça Grafana tente un
|
# Repli si l'utilisateur Authentik n'a pas d'email : sans ça Grafana tente un
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue