SSO: Wire Grafana → Keycloak OIDC #337

New issue

Closed

opened 2026-05-05 04:06:21 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-05-05 04:06:21 +00:00

Contributor

Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm ticket.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform admin
I want to click through to Grafana from my dashboard and be automatically logged in
So that I can check metrics without a separate login

Context

Grafana has built-in generic_oauth support. Config goes in kube-prometheus-stack Helm values under grafana.grafana.ini.auth.generic_oauth. The Keycloak session cookie from the initial pal-e-admin login means Grafana's redirect to Keycloak returns immediately with a token — no login form shown.

File Targets

Files the agent should modify or create:

terraform/modules/monitoring/main.tf — add generic_oauth config to kube-prometheus-stack Helm values

Files the agent should NOT touch:

terraform/modules/keycloak/main.tf — realm managed separately
Alert rules or Grafana dashboards

Acceptance Criteria

Grafana login page shows "Sign in with Keycloak" option
ldraney lands as Grafana admin (org_role mapping via Keycloak groups or client roles)
No second login prompt when navigating from pal-e-admin
Local admin fallback still works

Test Expectations

Integration: authenticate via Keycloak, verify Grafana session
Verify role mapping: ldraney gets Admin org role
Run command: curl -s https://grafana.tail5b443a.ts.net/api/health | jq .

Constraints

Use generic_oauth (not Grafana's dedicated Keycloak provider — it's deprecated)
OIDC client secret stored in k8s secret
Map Keycloak admin role → Grafana Admin org role

Checklist

PR opened
Tests pass
No unrelated changes

project-pal-e-platform — platform project

### Type Feature ### Lineage Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm ticket. ### Repo `forgejo_admin/pal-e-platform` ### User Story As a platform admin I want to click through to Grafana from my dashboard and be automatically logged in So that I can check metrics without a separate login ### Context Grafana has built-in generic_oauth support. Config goes in kube-prometheus-stack Helm values under `grafana.grafana.ini.auth.generic_oauth`. The Keycloak session cookie from the initial pal-e-admin login means Grafana's redirect to Keycloak returns immediately with a token — no login form shown. ### File Targets Files the agent should modify or create: - `terraform/modules/monitoring/main.tf` — add generic_oauth config to kube-prometheus-stack Helm values Files the agent should NOT touch: - `terraform/modules/keycloak/main.tf` — realm managed separately - Alert rules or Grafana dashboards ### Acceptance Criteria - [ ] Grafana login page shows "Sign in with Keycloak" option - [ ] ldraney lands as Grafana admin (org_role mapping via Keycloak groups or client roles) - [ ] No second login prompt when navigating from pal-e-admin - [ ] Local admin fallback still works ### Test Expectations - [ ] Integration: authenticate via Keycloak, verify Grafana session - [ ] Verify role mapping: ldraney gets Admin org role - Run command: `curl -s https://grafana.tail5b443a.ts.net/api/health | jq .` ### Constraints - Use `generic_oauth` (not Grafana's dedicated Keycloak provider — it's deprecated) - OIDC client secret stored in k8s secret - Map Keycloak admin role → Grafana Admin org role ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `project-pal-e-platform` — platform project