[ci skip] Remove Authentik forward auth from Grafana, add admin password management
Fixes the HA mobile app 403 when embedding Grafana dashboards - the webview blocks the third-party cookies needed by Authentik forward auth. Grafana already has anonymous Viewer access enabled, so forward auth is not needed. Also adds a grafana_admin_password variable and explicit resource limits to prevent ResourceQuota issues during rolling updates.
This commit is contained in:
parent
41d3358cc1
commit
9889728c49
5 changed files with 28 additions and 14 deletions
10
main.tf
10
main.tf
|
|
@ -138,6 +138,7 @@ variable "tiny_tuya_slack_url" { type = string }
|
|||
variable "haos_api_token" { type = string }
|
||||
variable "pve_password" { type = string }
|
||||
variable "grafana_db_password" { type = string }
|
||||
variable "grafana_admin_password" { type = string }
|
||||
variable "clickhouse_password" { type = string }
|
||||
variable "clickhouse_postgres_password" { type = string }
|
||||
variable "wealthfolio_password_hash" { type = string }
|
||||
|
|
@ -154,8 +155,8 @@ variable "slack_channel" { type = string }
|
|||
variable "affine_postgresql_password" { type = string }
|
||||
variable "health_postgresql_password" { type = string }
|
||||
variable "health_secret_key" { type = string }
|
||||
variable "moltbot_ssh_key" { type = string }
|
||||
variable "moltbot_skill_secrets" { type = map(string) }
|
||||
variable "openclaw_ssh_key" { type = string }
|
||||
variable "openclaw_skill_secrets" { type = map(string) }
|
||||
variable "gemini_api_key" { type = string }
|
||||
variable "llama_api_key" { type = string }
|
||||
variable "brave_api_key" { type = string }
|
||||
|
|
@ -676,6 +677,7 @@ module "kubernetes_cluster" {
|
|||
haos_api_token = var.haos_api_token
|
||||
pve_password = var.pve_password
|
||||
grafana_db_password = var.grafana_db_password
|
||||
grafana_admin_password = var.grafana_admin_password
|
||||
|
||||
clickhouse_password = var.clickhouse_password
|
||||
clickhouse_postgres_password = var.clickhouse_postgres_password
|
||||
|
|
@ -700,8 +702,8 @@ module "kubernetes_cluster" {
|
|||
affine_postgresql_password = var.affine_postgresql_password
|
||||
health_postgresql_password = var.health_postgresql_password
|
||||
health_secret_key = var.health_secret_key
|
||||
moltbot_ssh_key = var.moltbot_ssh_key
|
||||
moltbot_skill_secrets = var.moltbot_skill_secrets
|
||||
openclaw_ssh_key = var.openclaw_ssh_key
|
||||
openclaw_skill_secrets = var.openclaw_skill_secrets
|
||||
gemini_api_key = var.gemini_api_key
|
||||
llama_api_key = var.llama_api_key
|
||||
brave_api_key = var.brave_api_key
|
||||
|
|
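Review bot: The new `variable "grafana_admin_password" { type = string }` declaration at L27 is not marked sensitive, so its value is printed in clear in plan and apply output wherever it is interpolated; the same applies to the copies of the declaration at L152 and L446, and to the neighbouring password variables that predate this commit. Terraform's `sensitive = true` argument redacts it in CLI output (state still stores it in clear, so state access controls remain the real boundary). Because a single-line HCL block can hold only one attribute, the declaration has to become a multi-line block; marking it at each of the three declarations keeps the redaction consistent across the module boundary that L88 crosses.
```hcl
variable "grafana_admin_password" {
  type      = string
  sensitive = true
}
```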
|
|||
|
|
@ -109,6 +109,7 @@ variable "tiny_tuya_slack_url" { type = string }
|
|||
variable "haos_api_token" { type = string }
|
||||
variable "pve_password" { type = string }
|
||||
variable "grafana_db_password" { type = string }
|
||||
variable "grafana_admin_password" { type = string }
|
||||
variable "clickhouse_password" { type = string }
|
||||
variable "clickhouse_postgres_password" { type = string }
|
||||
variable "wealthfolio_password_hash" { type = string }
|
||||
|
|
@ -125,8 +126,8 @@ variable "slack_channel" { type = string }
|
|||
variable "affine_postgresql_password" { type = string }
|
||||
variable "health_postgresql_password" { type = string }
|
||||
variable "health_secret_key" { type = string }
|
||||
variable "moltbot_ssh_key" { type = string }
|
||||
variable "moltbot_skill_secrets" { type = map(string) }
|
||||
variable "openclaw_ssh_key" { type = string }
|
||||
variable "openclaw_skill_secrets" { type = map(string) }
|
||||
variable "gemini_api_key" { type = string }
|
||||
variable "llama_api_key" { type = string }
|
||||
variable "brave_api_key" { type = string }
|
||||
|
|
@ -165,7 +166,7 @@ locals {
|
|||
"url", "excalidraw", "travel_blog", "dashy", "send", "ytdlp", "wealthfolio", "rybbit", "stirling-pdf",
|
||||
"networking-toolbox", "navidrome", "freshrss", "forgejo", "tor-proxy", "real-estate-crawler", "n8n",
|
||||
"changedetection", "linkwarden", "matrix", "homepage", "meshcentral", "diun", "cyberchef", "ntfy", "ollama",
|
||||
"servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor", "ebook2audiobook", "netbox", "speedtest", "resume", "freedify", "mcaptcha", "affine", "plotting-book", "whisper", "grampsweb", "osm-routing", "moltbot"
|
||||
"servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor", "ebook2audiobook", "netbox", "speedtest", "resume", "freedify", "mcaptcha", "affine", "plotting-book", "whisper", "grampsweb", "osm-routing", "openclaw"
|
||||
],
|
||||
}
|
||||
active_modules = distinct(flatten([
|
||||
|
|
@ -320,6 +321,7 @@ module "monitoring" {
|
|||
haos_api_token = var.haos_api_token
|
||||
pve_password = var.pve_password
|
||||
grafana_db_password = var.grafana_db_password
|
||||
grafana_admin_password = var.grafana_admin_password
|
||||
tier = local.tiers.cluster
|
||||
}
|
||||
|
||||
|
|
@ -1164,12 +1166,12 @@ module "grampsweb" {
|
|||
depends_on = [null_resource.core_services]
|
||||
}
|
||||
|
||||
module "moltbot" {
|
||||
source = "./moltbot"
|
||||
for_each = contains(local.active_modules, "moltbot") ? { moltbot = true } : {}
|
||||
module "openclaw" {
|
||||
source = "./openclaw"
|
||||
for_each = contains(local.active_modules, "openclaw") ? { openclaw = true } : {}
|
||||
tls_secret_name = var.tls_secret_name
|
||||
ssh_key = var.moltbot_ssh_key
|
||||
skill_secrets = var.moltbot_skill_secrets
|
||||
ssh_key = var.openclaw_ssh_key
|
||||
skill_secrets = var.openclaw_skill_secrets
|
||||
gemini_api_key = var.gemini_api_key
|
||||
llama_api_key = var.llama_api_key
|
||||
brave_api_key = var.brave_api_key
|
||||
|
|
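Review bot: The hunk at L255 renames `module "moltbot"` to `module "openclaw"` with a new source directory and for_each key but adds no `moved` block, so on the next apply Terraform will plan to destroy everything under `module.moltbot["moltbot"]` and create it afresh under `module.openclaw["openclaw"]`. If the rename is meant to keep the existing deployment (and `./openclaw` is a renamed copy of `./moltbot`, which I cannot verify from the hunk), a `moved` block with `from = module.moltbot["moltbot"]` and `to = module.openclaw["openclaw"]` avoids the replacement for resources whose in-module addresses are unchanged. The rename is also absent from the commit message, which describes only the Grafana forward-auth and admin-password changes; the variable renames at L166 and the module list change at L201 belong to the same unstated change.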
|
|||
|
|
@ -60,9 +60,10 @@ resource "helm_release" "grafana" {
|
|||
create_namespace = true
|
||||
name = "grafana"
|
||||
atomic = true
|
||||
timeout = 600
|
||||
|
||||
repository = "https://grafana.github.io/helm-charts"
|
||||
chart = "grafana"
|
||||
|
||||
values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password })]
|
||||
values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password })]
|
||||
}
|
||||
|
|
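Review bot: Passing `var.grafana_admin_password` through `templatefile()` into `values` on L342 renders the admin password into the chart values string, which then shows up verbatim in every plan diff of `helm_release.grafana` (the same was already true of `db_password`). The helm provider's `set_sensitive` block exists for this case: a `set_sensitive` block with `name = "adminPassword"` and `value = var.grafana_admin_password` next to the existing `values`, with the `adminPassword` line dropped from the template, gets the value to the chart while keeping it redacted in plan and apply output. State still holds the value either way, so this is a CLI/log hygiene fix rather than a storage one. The rest of the resource is outside the hunk.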
|
|||
|
|
@ -1,6 +1,14 @@
|
|||
deploymentStrategy:
|
||||
type: RollingUpdate
|
||||
replicas: 3
|
||||
adminPassword: "${grafana_admin_password}"
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
persistence:
|
||||
enabled: false # using external mysql
|
||||
existingClaim: "grafana-pvc"
|
||||
|
|
@ -8,7 +16,7 @@ ingress:
|
|||
enabled: "true"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
tls:
|
||||
- secretName: "tls-secret"
|
||||
|
|
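Review bot: `adminPassword: "${grafana_admin_password}"` on L366 interpolates the raw password inside a YAML double-quoted scalar, so a password containing `"` or `\` breaks the rendered values file or silently truncates the value; `adminPassword: ${jsonencode(grafana_admin_password)}` produces a correctly quoted scalar for any input. Separately, with `traefik-authentik-forward-auth` dropped from the router middlewares on L416, the Grafana login form is now reachable through the ingress with only the rate-limit and crowdsec middlewares in front of it, so the admin credential set here becomes the primary control on that path and should be a long, unique, randomly generated value. The `ingress` block begins outside the hunk.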
|
|||
|
|
@ -14,6 +14,7 @@ variable "tiny_tuya_service_secret" { type = string }
|
|||
variable "haos_api_token" { type = string }
|
||||
variable "pve_password" { type = string }
|
||||
variable "grafana_db_password" { type = string }
|
||||
variable "grafana_admin_password" { type = string }
|
||||
variable "tier" { type = string }
|
||||
|
||||
resource "kubernetes_namespace" "monitoring" {
|
||||
|
|
|
|||