Skip to content

docs(monitoring): add OIDC authentication guide for Grafana#597

Open
IvanHunters wants to merge 1 commit into
mainfrom
docs/monitoring-oidc-authentication
Open

docs(monitoring): add OIDC authentication guide for Grafana#597
IvanHunters wants to merge 1 commit into
mainfrom
docs/monitoring-oidc-authentication

Conversation

@IvanHunters

@IvanHunters IvanHunters commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a new guide under content/en/docs/next/operations/services/monitoring/: OIDC authentication for Grafana.

Documents how to enable per-user OIDC authentication on the Grafana instance shipped by every Monitoring release, using the new spec.oidc selector. Ships alongside cozystack/cozystack#3176, the code PR that adds the selector to the chart. The identity model is per-instance audience isolation on the flat cozy realm — same shape as the tenant kube-apiserver's Phase 1 (cozystack/cozystack#3044); architectural rationale in cozystack/community#24.

What

  • New page content/en/docs/next/operations/services/monitoring/oidc-authentication.md (weight: 5, positioned between setup.md (2) and dashboards.md (10)).
  • Covers all three modes (None, System, CustomConfig), the three role-mapping KeycloakRealmGroups the chart owns, how a user is added via KeycloakRealmUser, browser login flow, and gotchas: emailVerified prescriptive requirement, self-signed CA under CustomConfig.secretRef, admin_user break-glass posture.
  • Explicit "out of scope" section (per-tenant realms, backend-logout-url, CEL claimValidationRules) so readers know where the boundary sits.
  • Only adds to docs/next/; version-specific pages (v1.5, ...) get the guide when the code PR lands in a release.

Why

  • The spec.oidc selector on the Monitoring CR is a new user-facing surface — needs a user-facing guide before v1.6.
  • Uses the same tone and section shape as the tenant Kubernetes OIDC page (content/en/docs/next/kubernetes/oidc-authentication.md, docs(kubernetes): add OIDC authentication guide #596), so operators land on a familiar layout.
  • Site builds cleanly in dev mode (Hugo, 1686+ pages, zero warnings); the page is reachable at /docs/next/operations/services/monitoring/oidc-authentication/.

Summary by CodeRabbit

  • Documentation
    • Added guidance for OIDC authentication in Monitoring deployments, including per-instance identity behavior.
    • Documented the available OIDC modes, setup requirements, and sign-in flow expectations.
    • Clarified how user roles are assigned from group membership and what happens on first login.
    • Added notes on fallback admin access, certificate handling, and current limitations.

Guide covers spec.oidc modes (None/System/CustomConfig) on the
Monitoring CR, how System mode provisions a per-instance Keycloak
client + audience scope + three role-mapping groups in the cozy
realm, and how a user logs in through the Grafana browser flow.
Placed under docs/next/operations/services/monitoring/ (weight 5,
between setup and dashboards); ships alongside the code PR that adds
the spec.oidc selector to the Monitoring chart.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
@netlify

netlify Bot commented Jul 1, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 5fd4658
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a4583614137bb0008433546
😎 Deploy Preview https://deploy-preview-597--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f7b501e-f950-4abc-9fed-b32ee480a910

📥 Commits

Reviewing files that changed from the base of the PR and between 3af9c1b and 5fd4658.

📒 Files selected for processing (1)
  • content/en/docs/next/operations/services/monitoring/oidc-authentication.md

📝 Walkthrough

Walkthrough

This PR adds a new documentation page describing OIDC authentication for Grafana instances in Cozystack Monitoring deployments, covering the None, System, and CustomConfig modes, role mapping, sign-in flow, break-glass access, prerequisites, and limitations.

Changes

OIDC Authentication Documentation

Layer / File(s) Summary
OIDC authentication doc page
content/en/docs/next/operations/services/monitoring/oidc-authentication.md
New documentation describing per-instance OIDC identity model, spec.oidc.mode options (None, System, CustomConfig), Keycloak group-to-role mapping via role_attribute_path, sign-in flow, break-glass admin credentials, prerequisites, and gotchas/out-of-scope items.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related PRs: None specified.

Suggested labels: documentation

Suggested reviewers: None specified.

🐰 A rabbit hops through Keycloak's gate,
with tokens bound per instance, sealed to fate.
Roles fall from groups, admin kept in reserve,
a doc now written, gotchas to observe.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the new monitoring documentation page for Grafana OIDC authentication.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/monitoring-oidc-authentication

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces documentation for configuring OIDC authentication for Grafana in Cozystack, detailing the available modes (System and CustomConfig), role assignment, and prerequisites. The review feedback suggests minor formatting improvements, such as replacing Unicode ellipsis characters with standard ASCII characters. Additionally, it corrects a technical inaccuracy by clarifying that Grafana does not support Kubernetes-style CEL claimValidationRules and that any such validation must be handled via JMESPath in role_attribute_path.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

role_attribute_path: "contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'"
```

…or via a pre-existing Secret in the tenant namespace holding a ready-made `[auth.generic_oauth]` ini fragment in the `auth.ini` key:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Using standard ASCII characters (like starting the sentence directly with Or) is preferred over the Unicode ellipsis character to ensure consistent rendering and avoid copy-paste issues.

Suggested change
…or via a pre-existing Secret in the tenant namespace holding a ready-made `[auth.generic_oauth]` ini fragment in the `auth.ini` key:
Or via a pre-existing Secret in the tenant namespace holding a ready-made `[auth.generic_oauth]` ini fragment in the `auth.ini` key:

username: alice@acme.example
email: alice@acme.example
emailVerified: true
password: "…"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Use standard three dots ... instead of the Unicode ellipsis inside the code block.

Suggested change
password: ""
password: "..."


## Prerequisites and gotchas

- **`emailVerified: true` on Keycloak users.** Phase 1 does not add a `claimValidationRules` entry — so `email_verified` is not chart-enforced. Set `emailVerified: true` on the `KeycloakRealmUser` (or complete the email-verify flow through the Keycloak UI) so the identity holding a given email is guaranteed authentic. The `cozy` realm's default `duplicateEmails: false` prevents a second account from claiming an already-registered address. CEL `claimValidationRules` to make this a hard gate is a follow-up hardening path.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The mention of CEL claimValidationRules seems to be a copy-paste leftover from the Kubernetes OIDC guide. Grafana's generic OAuth does not support Kubernetes-style CEL (Common Expression Language) or claimValidationRules. Instead, claim validation or enforcement of email_verified in Grafana is typically achieved using JMESPath expressions within role_attribute_path (potentially combined with role_attribute_strict: true). Let's update this to refer to JMESPath-based enforcement instead of CEL claimValidationRules.

Suggested change
- **`emailVerified: true` on Keycloak users.** Phase 1 does not add a `claimValidationRules` entry — so `email_verified` is not chart-enforced. Set `emailVerified: true` on the `KeycloakRealmUser` (or complete the email-verify flow through the Keycloak UI) so the identity holding a given email is guaranteed authentic. The `cozy` realm's default `duplicateEmails: false` prevents a second account from claiming an already-registered address. CEL `claimValidationRules` to make this a hard gate is a follow-up hardening path.
- **`emailVerified: true` on Keycloak users.** The default configuration does not enforce `email_verified` in the role mapping. Set `emailVerified: true` on the `KeycloakRealmUser` (or complete the email-verify flow through the Keycloak UI) so the identity holding a given email is guaranteed authentic. The `cozy` realm's default `duplicateEmails: false` prevents a second account from claiming an already-registered address. Enforcing this in Grafana's `role_attribute_path` via JMESPath is a follow-up hardening path.

- **Per-tenant Keycloak realms.** Managed multi-tenant identity is a separate proposal, evaluated against Keycloak Organizations. Track it in the [community proposal](https://github.com/cozystack/community/pull/24).
- **Federating an external IdP into the platform `cozy` realm.** BYO-for-Cozystack-itself is a distinct problem — this feature is BYO-for-a-managed-service.
- **Full-logout through Keycloak's end-session endpoint.** Native `auth.generic_oauth` covers the OAuth part; `backend-logout-url` wiring is a follow-up.
- **CEL `claimValidationRules` for `email_verified`.** Explicit-gate hardening; not required for Phase 1 given the layered guarantees above.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since Grafana does not support CEL or claimValidationRules, we should clarify that this is a limitation of Grafana's OAuth capabilities rather than an out-of-scope feature that could be added later using CEL.

Suggested change
- **CEL `claimValidationRules` for `email_verified`.** Explicit-gate hardening; not required for Phase 1 given the layered guarantees above.
- **CEL `claimValidationRules` for `email_verified`.** Grafana does not support Kubernetes-style CEL validation rules; any such validation must be done via JMESPath in `role_attribute_path`.

@IvanHunters IvanHunters marked this pull request as ready for review July 1, 2026 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant