grafana access

infra/values/base/grafana-values.yaml

@@ -35,7 +35,9 @@ grafana.ini:
     auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
     token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
     api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
-    role_attribute_path: ""
+    role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
     auto_login: true
   auth:
     disable_login_form: true

infra/values/base/keycloak-values.yaml

@@ -115,10 +115,26 @@ keycloakConfigCli:
               "k8s.secret.name": "grafana-oidc-credentials",
               "k8s.secret.client-id-key": "client-id",
               "k8s.secret.client-secret-key": "client-secret"
+            },
+            "protocolMappers": [
+              {
+                "name": "client-roles",
+                "protocol": "openid-connect",
+                "protocolMapper": "oidc-usermodel-client-role-mapper",
+                "config": {
+                  "claim.name": "resource_access.grafana.roles",
+                  "jsonType.label": "String",
+                  "multivalued": "true",
+                  "usermodel.clientRoleMapping.clientId": "grafana",
+                  "id.token.claim": "true",
+                  "access.token.claim": "true",
+                  "userinfo.token.claim": "true"
                 }
               }
             ]
           }
+        ]
+      }
 
 extraDeploy:
 # -- ServiceAccount for the client registrar CronJob