grafana: add Grafana on monitoring02 with Kanidm OIDC

Deploy Grafana test instance on monitoring02 with: - Kanidm OIDC authentication (admins -> Admin role, others -> Viewer) - PKCE enabled for secure OAuth2 flow (required by Kanidm) - Declarative datasources for Prometheus and Loki on monitoring01 - Local Caddy for TLS termination via internal ACME CA - DNS CNAME grafana-test.home.2rjus.net Terraform changes add OAuth2 client secret and AppRole policies for kanidm01 and monitoring02. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 19:58:19 +01:00
parent 9ffdd4f862
commit 030e8518c5
6 changed files with 144 additions and 0 deletions
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -89,6 +89,23 @@ locals {
      ]
    }

+    # kanidm01: Kanidm identity provider
+    "kanidm01" = {
+      paths = [
+        "secret/data/hosts/kanidm01/*",
+        "secret/data/kanidm/*",
+        "secret/data/services/grafana/*",
+      ]
+    }
+
+    # monitoring02: Grafana test instance
+    "monitoring02" = {
+      paths = [
+        "secret/data/hosts/monitoring02/*",
+        "secret/data/services/grafana/*",
+      ]
+    }
+
  }
 }

--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -108,6 +108,12 @@ locals {
      auto_generate   = true
      password_length = 32
    }
+
+    # Grafana OAuth2 client secret (for Kanidm OIDC)
+    "services/grafana/oauth2-client-secret" = {
+      auto_generate   = true
+      password_length = 64
+    }
  }
 }