From c37adb4709ff3d6e85c40dcef8241fe5b397d1d0 Mon Sep 17 00:00:00 2001 From: alkatrazz Date: Tue, 7 Jul 2026 16:38:54 +0200 Subject: [PATCH] feat(grafana): bascule sur le domaine public HTTPS (grafana.funklab.online) - IngressRoute websecure + Let's Encrypt - OIDC : root_url + auth_url sur le domaine (token/api restent internes) Co-Authored-By: Claude Fable 5 --- k8s/infra/monitoring/ingressroute-public.yaml | 18 ++++++++++++++++++ k8s/infra/monitoring/values.yaml | 10 +++++----- 2 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 k8s/infra/monitoring/ingressroute-public.yaml diff --git a/k8s/infra/monitoring/ingressroute-public.yaml b/k8s/infra/monitoring/ingressroute-public.yaml new file mode 100644 index 0000000..af098e4 --- /dev/null +++ b/k8s/infra/monitoring/ingressroute-public.yaml @@ -0,0 +1,18 @@ +# Accès public HTTPS — grafana.funklab.online (cert Let's Encrypt auto). +# Route interne grafana.lab.local conservée (Ingress du chart, http). +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: grafana-public + namespace: monitoring +spec: + entryPoints: + - websecure + routes: + - match: Host(`grafana.funklab.online`) + kind: Rule + services: + - name: kube-prometheus-stack-grafana + port: 80 + tls: + certResolver: letsencrypt diff --git a/k8s/infra/monitoring/values.yaml b/k8s/infra/monitoring/values.yaml index 630fa9c..1cdf5a5 100644 --- a/k8s/infra/monitoring/values.yaml +++ b/k8s/infra/monitoring/values.yaml @@ -11,11 +11,11 @@ grafana: name: grafana user: grafana server: - # Requis pour construire le redirect_uri OAuth (LAN : grafana.lab.local) - root_url: http://grafana.lab.local + # URL canonique publique HTTPS (construit le redirect_uri OAuth) + root_url: https://grafana.funklab.online # SSO OIDC via Authentik (app « grafana » dans l'UI Authentik). - # auth_url = navigateur (auth.lab.local) ; token/api = serveur→serveur (Service - # interne, les pods ne résolvent pas lab.local). Le login local reste actif + # auth_url = navigateur (domaine public) ; token/api = serveur→serveur (Service + # interne, les pods ne résolvent pas le domaine). Le login local reste actif # (break-glass : admin / adminPassword ci-dessous) — ne pas mettre disable_login_form. auth.generic_oauth: enabled: true @@ -23,7 +23,7 @@ grafana: client_id: grafana client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET} scopes: openid profile email - auth_url: http://auth.lab.local/application/o/authorize/ + auth_url: https://auth.funklab.online/application/o/authorize/ token_url: http://authentik.auth.svc.cluster.local:9000/application/o/token/ api_url: http://authentik.auth.svc.cluster.local:9000/application/o/userinfo/ # Repli si l'utilisateur Authentik n'a pas d'email : sans ça Grafana tente un