feat: adjustments to Grafana team permissions (#1563)

merll · Jehoszafat Zimnowoda · web-flow · commit 3d16c1d4cc09 · 2024-03-25T17:17:26.000+01:00
Co-authored-by: Jehoszafat Zimnowoda &lt;jehoszafat.zimnowoda@redkubes.com&gt;
diff --git a/helmfile.d/helmfile-60.teams.yaml b/helmfile.d/helmfile-60.teams.yaml
@@ -108,6 +108,8 @@ releases:
           nameOverride: {{ $teamId }}-po-grafana
           fullnameOverride: {{ $teamId }}-po-grafana
           grafana.ini:
+            "auth.generic_oauth":
+              role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin' || contains(groups[*], 'team-{{ $teamId }}') && 'Editor'{{ if not ($team | get "managedMonitoring.private" false) }} || 'Viewer'{{- end }}
             server:
               root_url: https://grafana-{{ $teamId }}.{{ $domain }}
           sidecar:
diff --git a/helmfile.d/snippets/grafana.gotmpl b/helmfile.d/snippets/grafana.gotmpl
@@ -11,11 +11,12 @@
   auth_url: {{ printf "%s/protocol/openid-connect/auth" .keycloakBase }}
   token_url: {{ printf "%s/protocol/openid-connect/token" .keycloakBase }}
   api_url: {{ printf "%s/protocol/openid-connect/userinfo" .keycloakBase }}
-  role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin' || 'Editor'
+  role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin'
+  role_attribute_strict: true
 log:
   level: error
 users:
-  allow_sign_up: true
+  allow_sign_up: false
   auto_assign_org: true
   # fall back to admin for anonymous when no auth is available
   auto_assign_org_role: Viewer
diff --git a/values-changes.yaml b/values-changes.yaml
@@ -125,6 +125,7 @@ changes:
   - version: 20
     networkPoliciesMigration: true
     additions:
+      - 'teamConfig.{team}.managedMonitoring.private': true
       - 'apps.loki.storage.gcs.serviceAccount'
     deletions:
       - 'apps.loki.storage.gcs.project'
diff --git a/values-schema.yaml b/values-schema.yaml
@@ -1246,6 +1246,9 @@ definitions:
           alertmanager:
             type: boolean
             default: false
+          private:
+            type: boolean
+            default: false
       networkPolicy:
         ingressPrivate:
           title: Enable filtering of ingress traffic inside the cluster
