From fe75fad467bfc8e7eda98bfa35b6493d5de64a49 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 10 May 2026 17:01:50 +0000
Subject: [PATCH] monitoring: protect grafana ingress with authentik + disable anonymous
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- add traefik-authentik-forward-auth to grafana ingress middleware list
- disable auth.anonymous (was Viewer-by-default for the public)
- enable auth.proxy with X-authentik-username so Authentik users get signed in seamlessly (no double-login UX)
Prometheus and Alertmanager already had forward-auth — no change.
---
 .../modules/monitoring/grafana_chart_values.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
index 6af2661c..2bcd474e 100644
--- a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
@@ -32,7 +32,7 @@ ingress:
 enabled: "true"
 ingressClassName: "traefik"
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+ traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
 traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Grafana"
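Review bot: The middlewares annotation now carries an invariant the file does not state: once grafana.ini's auth.proxy trusts X-authentik-username, traefik-authentik-forward-auth must remain in this list as the component that sets that header, otherwise the ingress becomes an unauthenticated impersonation path into Grafana. Traefik applies the middlewares in the listed order, so rate-limit and crowdsec run before the forward-auth round-trip, which is the sensible order and deserves to be recorded; a comment above the annotation would do, e.g. `# order matters: rate-limit/crowdsec first, forward-auth last — grafana.ini auth.proxy trusts the X-authentik-username header this middleware sets; do not remove`. The commit message says the same chain already exists on Prometheus and Alertmanager, so a comment pointing at the canonical copy (or a shared value) would keep the three from drifting. The ingress block starts before this hunk.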
@@ -98,8 +98,18 @@ grafana.ini:
 password: $__env{GF_DATABASE_PASSWORD}
 ssl_mode: disable
 auth.anonymous:
+ enabled: false
+ auth.proxy:
 enabled: true
- org_role: Viewer
+ header_name: X-authentik-username
+ header_property: username
+ auto_sign_up: true
+ sync_ttl: 60
+ whitelist: ""
+ enable_login_token: false
+ users:
+ auto_assign_org: true
+ auto_assign_org_role: Viewer
 # auth.google:
 # enabled: true
 analytics:
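Review bot: `whitelist: ""` leaves auth.proxy accepting X-authentik-username from any source address, so the header is only as trustworthy as the network path: any client that reaches the Grafana Service or pod without traversing the Traefik forward-auth middleware (in-cluster traffic, a port-forward, a second ingress or route) can sign in as an arbitrary username, and with `auto_sign_up: true` that user is created on the fly. Restrict it to the proxy's addresses, e.g. `whitelist: "<TRAEFIK_POD_CIDR>"` (placeholder; Grafana accepts a comma-separated list of IPs or CIDRs), and consider a NetworkPolicy that limits ingress to Grafana to the Traefik namespace as a second layer. This also assumes the forward-auth middleware overwrites a client-supplied X-authentik-username rather than passing it through — worth confirming in that middleware's response-header configuration, which is not on this page. The grafana.ini block starts before and continues after this hunk.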