setup grafana oauth2

deploy/grafana/grafana-deploy.yaml

@@ -71,6 +71,48 @@ spec:
               value: "redis"
             - name: GF_SESSION_PROVIDER_CONFIG
               value: "redis://redis-lb.redis.svc.cluster.local:6379"
+              # Enable Generic OAuth
+            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
+              value: "true"
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+              value: "grafana"
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: grafana-oauth-secret
+                  key: client-secret
+            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/auth"
+            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/token"
+            - name: GF_AUTH_GENERIC_OAUTH_API_URL
+              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/userinfo"
+            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+              value: "openid email profile offline_access roles"
+            - name: GF_AUTH_GENERIC_OAUTH_DISCOVERY_URL
+              value: "https://sso.panic.haus/realms/panic-haus/.well-known/openid-configuration"
+            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
+              value: "true"
+            - name: GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN
+              value: "false"
+            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
+              value: "https://obs.prod.panic.haus/logout"
+            - name: GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH
+              value: "full_name"
+            - name: GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH
+              value: "username"
+            - name: GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME
+              value: "email:primary"
+            - name: GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH
+              value: "email"
+            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
+              value: "contains(groups, 'grafana_admin') && 'GrafanaAdmin' || contains(groups, 'grafana_editor') && 'Editor' || 'Viewer'"
+            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT
+              value: "false"
+            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN
+              value: "true"
+            - name: GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC
+              value: "false"
           resources:
             requests:
               cpu: 250m