feat(grafana): add variable for JWT TLS key and issue cert via role

Author: danyalberchtoldlf

roles/grafana/README.md

@@ -48,7 +48,8 @@ grafana__root_url: 'https://monitoring.example.com/grafana'
 | `grafana__auth_anonymous_org_name` | The organization name that should be used for unauthenticated users. | `'Main Org.'` |
 | `grafana__auth_anonymous_org_role` | The role for unauthenticated users. | `'Viewer'` |
 | `grafana__auth_jwt` | Enable JWT-based authentication for Grafana requests. | `false` |
-| `grafana__auth_jwt_key_file` | Path to the public key file used to verify JWT signatures for Grafana authentication. | `/etc/grafana/icinga.pem` |
+| `grafana__auth_jwt__priv_key_file` | Path to the private key file used to verify JWT signatures for Grafana authentication. | `'/etc/grafana/jwt.key.priv'` |
+| `grafana__auth_jwt__pub_key_file` | Path to the public key file used to verify JWT signatures for Grafana authentication. | `'/etc/grafana/jwt.key.pub'` |
 | `grafana__bitwarden_collection_id` | Will be used to store the token of the created service accounts to this Bitwarden Collection. Can be obtained from the URL in Bitwarden WebGUI. | `'{{ lfops__bitwarden_collection_id | default() }}'` |
 | `grafana__bitwarden_organization_id` | Will be used to store the token of the created service accounts to this Bitwarden Organization. Can be obtained from the URL in Bitwarden WebGUI. | `'{{ lfops__bitwarden_organization_id | default() }}'` |
 | `grafana__cookie_samesite` | The [SameSite cookie attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). Possible options:<br> * disabled<br> * lax<br> * none<br> * strict | `'lax'` |
@@ -74,7 +75,8 @@ grafana__auth_anonymous_enabled: false
 grafana__auth_anonymous_org_name: 'Main Org.'
 grafana__auth_anonymous_org_role: 'Viewer'
 grafana__auth_jwt: false
-grafana__auth_jwt_key_file: '/etc/grafana/icinga.pem'
+grafana__auth_jwt__priv_key_file: '/etc/grafana/jwt.key.priv'
+grafana__auth_jwt__pub_key_file: '/etc/grafana/jwt.key.pub'
 grafana__cookie_samesite: 'lax'
 grafana__https_config:
   cert_file: '/etc/ssl/ssl-certificate.crt'

roles/grafana/defaults/main.yml

@@ -1,13 +1,14 @@
 grafana__allow_embedding: true
 grafana__api_url: '{{ grafana__root_url }}'
+grafana__auth_jwt: false
+grafana__auth_jwt__priv_key_file: '/etc/grafana/jwt.key.priv'
+grafana__auth_jwt__pub_key_file: '/etc/grafana/jwt.key.pub'
 grafana__auth_anonymous_enabled: false
 grafana__auth_anonymous_org_name: 'Main Org.'
 grafana__auth_anonymous_org_role: 'Viewer'
 grafana__bitwarden_collection_id: '{{ lfops__bitwarden_collection_id | default() }}'
 grafana__bitwarden_organization_id: '{{ lfops__bitwarden_organization_id | default() }}'
 grafana__cookie_samesite: 'lax'
-grafana__auth_jwt: false
-grafana__auth_jwt_key_file: '/etc/grafana/icinga.pem'
 grafana__plugins__dependent_var: []
 grafana__plugins__group_var: []
 grafana__plugins__host_var: []

roles/grafana/tasks/main.yml

@@ -26,6 +26,23 @@
     when:
       - 'grafana__https_config is defined and grafana__https_config | length > 0'
 
+  - name: 'generate JWT RSA private key'
+    community.crypto.openssl_privatekey:
+      path: '{{ grafana__auth_jwt__priv_key_file }}'
+      size: 2048
+      type: 'RSA'
+      owner: 'apache'
+      group: 'icingaweb2'
+      mode: 0o644
+
+  - name: 'generate JWT RSA public key'
+    community.crypto.openssl_publickey:
+      path: '{{ grafana__auth_jwt__pub_key_file }}'
+      privatekey_path: '{{ grafana__auth_jwt__priv_key_file }}'
+      owner: 'apache'
+      group: 'icingaweb2'
+      mode: 0o644
+
   - name: 'deploy /etc/grafana/grafana.ini'
     ansible.builtin.template:
       src: 'etc/grafana/grafana.ini.j2'

roles/grafana/templates/etc/grafana/grafana.ini.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2026032301
+# 2026032701
 
 ##################### Grafana Configuration Example #####################
 #
@@ -606,16 +606,18 @@ hide_version = true
 
 #################################### Auth JWT ##########################
 [auth.jwt]
-;enabled = true
-;header_name = X-JWT-Assertion
-;email_claim = sub
-;username_claim = sub
+enabled = {{ grafana__auth_jwt | lower }}
+header_name = X-JWT-Assertion
+email_claim = sub
+username_claim = sub
 ;jwk_set_url = https://foo.bar/.well-known/jwks.json
 ;jwk_set_file = /path/to/jwks.json
 ;cache_ttl = 60m
 ;expected_claims = {"aud": ["foo", "bar"]}
-;key_file = /path/to/key/file
-;auto_sign_up = false
+key_file = {{ grafana__auth_jwt__pub_key_file }}
+auto_sign_up = false
+url_login = true
+skip_org_role_sync = true
 
 #################################### Auth LDAP ##########################
 [auth.ldap]
@@ -1217,32 +1219,3 @@ interval_year = YYYY
 
 # Enable or disable loading other base map layers
 ;enable_custom_baselayers = true
-
-{% if grafana__auth_jwt %}
-[auth.jwt]
-# By default, auth.jwt is disabled.
-enabled = true
-
-# HTTP header to look into to get a JWT token.
-header_name = X-JWT-Assertion
-
-# Specify a claim to use as a username to sign in.
-username_claim = sub
-
-# Specify a claim to use as an email to sign in.
-email_claim = sub
-
-# enable JWT authentication in the URL
-url_login = true
-
-# PEM-encoded key file in PKIX, PKCS #1, PKCS #8 or SEC 1 format.
-key_file = {{ grafana__auth_jwt_key_file }}
-
-# This can be seen as a required "subset" of a JWT Claims Set.
-# expect_claims = {"iss": "https://icinga.yourdomain"}
-
-# role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
-
-# To skip the assignment of roles and permissions upon login via JWT and handle them via other mechanisms like the user interface, we can skip the organization role synchronization with the following configuration.
-skip_org_role_sync = true
-{% endif %}