From ece4a8d1998afd8c3c13d0fffda1ccfa8f817938 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>
Date: Fri, 24 Apr 2026 15:39:46 +0200
Subject: [PATCH] grafana tls

---
 infra/values/base/grafana-values.yaml  | 27 ++++++++++++++++++++++++++
 infra/values/base/keycloak-values.yaml | 19 ++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/infra/values/base/grafana-values.yaml b/infra/values/base/grafana-values.yaml
index 9fdf61f..6e021fc 100644
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,5 +1,13 @@
 ingress:
   enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+  - secretName: grafana-tls
+    hosts:
+    - grafana.forteapps.net
+
 resources:
   requests:
     cpu: 50m
@@ -11,6 +19,25 @@ resources:
 adminUser: admin
 adminPassword: "forte"
 
+envFromSecrets:
+- name: grafana-oidc-credentials
+
+grafana.ini:
+  server:
+    root_url: https://grafana.forteapps.net
+  auth.generic_oauth:
+    enabled: true
+    name: Forte SSO
+    allow_sign_up: true
+    client_id: ${client-id}
+    client_secret: ${client-secret}
+    scopes: openid email profile
+    auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
+    token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
+    api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
+    role_attribute_path: ""
+    auto_login: false
+
 datasources:
   datasources.yaml:
     apiVersion: 1
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index f3c4eb4..d8f98e7 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -97,6 +97,25 @@ keycloakConfigCli:
                 }
               }
             ]
+          },
+          {
+            "clientId": "grafana",
+            "name": "Grafana",
+            "enabled": true,
+            "protocol": "openid-connect",
+            "clientAuthenticatorType": "client-secret",
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": false,
+            "redirectUris": ["https://grafana.forteapps.net/*"],
+            "webOrigins": ["https://grafana.forteapps.net"],
+            "attributes": {
+              "k8s.secret.sync": "true",
+              "k8s.secret.namespace": "monitoring",
+              "k8s.secret.name": "grafana-oidc-credentials",
+              "k8s.secret.client-id-key": "client-id",
+              "k8s.secret.client-secret-key": "client-secret"
+            }
           }
         ]
       }