Hey everyone!
We’ve recently moved from an on-prem K8s cluster to an AKS cluster and are using ArgoCD Autopilot to deploy everything as per the GitOps principles.
We’ve successfully deployed Grafana behind NGINX, but we encountered an issue when attempting to add Azure AD authentication into the mix; the issue in our case lies with Grafana. Essentially, we cannot inject values into ‘grafana.ini’ as per the suggested helm-chart approach.
Here are the approaches we’ve tried to take with this issue:
1) Injecting values individually:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-app
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "55"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: keeper-dev
  source:
    repoURL: https://grafana.github.io/helm-charts
    targetRevision: 6.51.2
    chart: grafana
    helm:
      parameters:
        - name: "'grafana.ini'.server.root_url"
          value: "https://grafana.tmlab.local"
        - name: "'grafana.ini'.'auth.azuerad'.name"
          value: "AZ"
        - name: "envFromSecret"
          value: "grafana-azure-ad"
  destination:
    server: https://kubernetes.default.svc
    namespace: grafana
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
```
The referred secrets were actually passed through to the pod's environment:

```yaml
GF_AUTH_AZUREAD_CLIENT_ID: "<CLIENTID>"
GF_AUTH_AZUREAD_CLIENT_SECRET: "<CLIENTSECRET>"
```
2) Injecting these parameters as variables, utilizing the helm chart's "envfromEnv" value:

```yaml
GF_SERVER_ROOT_URL: <VALUE>
GF_AUTH_DISABLE_LOGIN: <VALUE>
GF_AUTH_AUTO_LOGIN: <VALUE>
GF_AUTH_AZURE_AUTH_ENABLED: <VALUE>
GF_AUTH_AZUREAD_NAME: <VALUE>
GF_AUTH_AZUREAD_ENABLED: <VALUE>
GF_AUTH_AZUREAD_AUTO_LOGIN: <VALUE>
GF_AUTH_AZUREAD_CLIENT_ID: <VALUE>
GF_AUTH_AZUREAD_CLIENT_SECRET: <VALUE>
GF_AUTH_AZUREAD_AUTH_URL: <VALUE>
GF_AUTH_AZUREAD_TOKEN_URL: <VALUE>
GF_AUTH_AZUREAD_ALLOWED_DOMAINS: <VALUE>
GF_AUTH_AZUREAD_ALLOW_GRAFANA_ADMIN: <VALUE>
GF_AUTH_AZUREAD_ALLOW_SIGN_UP: <VALUE>
```
The most progress I got was to receive the error 'err-too many redirects' upon passing these values as envfromSecret, as shown in the above code snippet.
3) Passing all values as they are written in the 'grafana.ini' file:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-app
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "55"
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: keeper-dev
  source:
    repoURL: https://grafana.github.io/helm-charts
    targetRevision: 6.51.2
    chart: grafana
    helm:
      parameters:
        - name: "grafana.ini.auth.azuread"
          # literal block scalar ("|"); "-|" is not valid YAML block syntax
          value: |
            [auth.azuread]
            name = Azure AD
            enabled = true
            allow_sign_up = true
            auto_login = false
            scopes = openid email profile
            auth_url = https://login.microsoftonline.com/7d524a33-f832-4631-9e10-bd43d817e0a5/oauth2/v2.0/authorize
            token_url = https://login.microsoftonline.com/7d524a33-f832-4631-9e10-bd43d817e0a5/oauth2/v2.0/token
            allowed_domains =
            allowed_groups =
            role_attribute_strict = false
            allow_assign_grafana_admin = true
            skip_org_role_sync = false
        - name: "envFromSecret"
          value: "grafana-azure-ad"
  destination:
    server: https://kubernetes.default.svc
    namespace: grafana
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
```
Provided secrets:

```yaml
GF_AUTH_AZUREAD_CLIENT_ID: "<CLIENTID>"
GF_AUTH_AZUREAD_CLIENT_SECRET: "<CLIENTSECRET>"
```
Any feedback would be highly appreciated.