Running Grafana behind a reverse proxy when TLS termination occurs at the load-balancer

Evening. I have Grafana running on a Kubernetes cluster behind a reverse-proxy. TLS termination occurs at the load balancer level, so no certs are set locally. The root_url is left as default and all is currently working fine using the standard login portal.

We now want to incorporate Azure AD via OAuth to allow users to use their MS email to log in. This requires a redirect URL that must use https. After setting up AD I see that authentication occurs successfully, but the redirect URI generated in the response by Grafana uses the root_url, which is localhost:3000 - and obviously not reachable from the internet.

If I change root_url to our actual domain (which uses https) then the Grafana container backs off and refuses to start because no cert file and key are set locally.

How is it best to configure Grafana to run behind a reverse proxy with TLS termination?

You need to provide a reproducible example - you have many unknown variables, e.g. the Docker image used, Grafana version, error message, …