From a412f211025d68dedfdc29c1652493f2ae202165 Mon Sep 17 00:00:00 2001
From: Matthias Hinrichs <matthias.hinrichs@sbb.ch>
Date: Fri, 16 Jan 2026 11:28:54 +0100
Subject: [PATCH] =?UTF-8?q?F=C3=BCge=20OAuth-Authentifizierung=20f=C3=BCr?=
 =?UTF-8?q?=20Grafana=20in=20der=20Helm-Konfiguration=20hinzu?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../templates/kube-prometheus-stack.yaml            | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml b/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
index 81139f6..b47fb73 100644
--- a/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
+++ b/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml
@@ -20,6 +20,19 @@ spec:
             grafana.ini:
               server:
                 root_url: https://grafana.k8s.hnrx.net
+              auth.generic_oauth:
+                enabled: true
+                name: "authentik"
+                allow_sign_up: true
+                auto_login: false # Auf true setzen, wenn das Standard-Login-Formular übersprungen werden soll
+                client_id: "4JtTfw2apna4ZnnXgPH6mnDfLCPoW6qy5fXiC03z"
+                client_secret: "MI7Fsw22Fl6ruiOhG3Z55F1QhuMoQKzF2GR3qGO3x41encrmubcGeqJc0JpQIKEFiVIUiNXQkQU0FGiaTshEZx5HK8qzPBMz8VbR2gGmcNy7szHkTrBfNsosHDFndvWi" # Am besten via Secret einbinden (siehe unten)
+                scopes: "openid profile email"
+                auth_url: "https://auth.hnrx.net/application/o/authorize/"
+                token_url: "https://auth.hnrx.net/application/o/token/"
+                api_url: "https://auth.hnrx.net/application/o/userinfo/"
+
+                role_attribute_path: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
             adminPassword: "DeinSicheresPasswort"
             persistence:
               enabled: true