feat(roles/grafana): Add JWT support

Author: danyalberchtoldlf

CHANGELOG.md

@@ -18,6 +18,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* **role:icingaweb2_module_grafana**: Add JWT support
+* **role:grafana**: Add JWT support
 * **role:mariadb_server**: Add `mariadb_server__cnf_wsrep_log_conflicts` and `mariadb_server__cnf_wsrep_retry_autocommit` variables
 * **role:mariadb_server**: Add `mariadb_server__cnf_wsrep_gtid_mode` variable to configure `wsrep_gtid_mode` for Galera
 * **role:openvpn_server**: Add `openvpn_server:crl` tag to allow deploying the certificate revocation list independently

roles/grafana/README.md

@@ -47,6 +47,8 @@ grafana__root_url: 'https://monitoring.example.com/grafana'
 | `grafana__auth_anonymous_enabled` | Whether to allow anonymous (passwordless) access or not. Possible options: `true` or `false` | `false` |
 | `grafana__auth_anonymous_org_name` | The organization name that should be used for unauthenticated users. | `'Main Org.'` |
 | `grafana__auth_anonymous_org_role` | The role for unauthenticated users. | `'Viewer'` |
+| `grafana__auth_jwt` | Enable JWT-based authentication for Grafana requests. | `false` |
+| `grafana__auth_jwt_key_file` | Path to the public key file used to verify JWT signatures for Grafana authentication. | `/etc/grafana/icinga.pem` |
 | `grafana__bitwarden_collection_id` | Will be used to store the token of the created service accounts to this Bitwarden Collection. Can be obtained from the URL in Bitwarden WebGUI. | `'{{ lfops__bitwarden_collection_id | default() }}'` |
 | `grafana__bitwarden_organization_id` | Will be used to store the token of the created service accounts to this Bitwarden Organization. Can be obtained from the URL in Bitwarden WebGUI. | `'{{ lfops__bitwarden_organization_id | default() }}'` |
 | `grafana__cookie_samesite` | The [SameSite cookie attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). Possible options:<br> * disabled<br> * lax<br> * none<br> * strict | `'lax'` |
@@ -71,6 +73,8 @@ grafana__api_url: 'https://grafana01.example.com/grafana'
 grafana__auth_anonymous_enabled: false
 grafana__auth_anonymous_org_name: 'Main Org.'
 grafana__auth_anonymous_org_role: 'Viewer'
+grafana__auth_jwt: false
+grafana__auth_jwt_key_file: '/etc/grafana/icinga.pem'
 grafana__cookie_samesite: 'lax'
 grafana__https_config:
   cert_file: '/etc/ssl/ssl-certificate.crt'

roles/grafana/defaults/main.yml

@@ -6,6 +6,8 @@ grafana__auth_anonymous_org_role: 'Viewer'
 grafana__bitwarden_collection_id: '{{ lfops__bitwarden_collection_id | default() }}'
 grafana__bitwarden_organization_id: '{{ lfops__bitwarden_organization_id | default() }}'
 grafana__cookie_samesite: 'lax'
+grafana__auth_jwt: false
+grafana__auth_jwt_key_file: '/etc/grafana/icinga.pem'
 grafana__plugins__dependent_var: []
 grafana__plugins__group_var: []
 grafana__plugins__host_var: []
@@ -58,3 +60,4 @@ grafana__serve_from_sub_path: false
 grafana__service_enabled: true
 grafana__skip_token_to_bitwarden: false
 grafana__validate_certs: true
+

roles/grafana/templates/etc/grafana/grafana.ini.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2024031901
+# 2026032301
 
 ##################### Grafana Configuration Example #####################
 #
@@ -1217,3 +1217,32 @@ interval_year = YYYY
 
 # Enable or disable loading other base map layers
 ;enable_custom_baselayers = true
+
+{% if grafana__auth_jwt %}
+[auth.jwt]
+# By default, auth.jwt is disabled.
+enabled = true
+
+# HTTP header to look into to get a JWT token.
+header_name = X-JWT-Assertion
+
+# Specify a claim to use as a username to sign in.
+username_claim = sub
+
+# Specify a claim to use as an email to sign in.
+email_claim = sub
+
+# enable JWT authentication in the URL
+url_login = true
+
+# PEM-encoded key file in PKIX, PKCS #1, PKCS #8 or SEC 1 format.
+key_file = {{ grafana__auth_jwt_key_file }}
+
+# This can be seen as a required "subset" of a JWT Claims Set.
+# expect_claims = {"iss": "https://icinga.yourdomain"}
+
+# role_attribute_path = contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
+
+# To skip the assignment of roles and permissions upon login via JWT and handle them via other mechanisms like the user interface, we can skip the organization role synchronization with the following configuration.
+skip_org_role_sync = true
+{% endif %}

roles/icingaweb2_module_grafana/README.md

@@ -5,7 +5,7 @@ Additionally, it deploys the the graph configuration for the [Linuxfabrik Monito
 
 This role is tested with the following IcingaWeb2 Grafana Module versions:
 
-* 3.0.1
+* 3.1.3
 
 
 ## Mandatory Requirements
@@ -36,14 +36,15 @@ Example:
 ```yaml
 # mandatory
 icingaweb2_module_grafana__monitoring_plugins_version: '1.2.0.11'
-icingaweb2_module_grafana__version: 'v3.1.1'
+icingaweb2_module_grafana__version: 'v3.1.3'
 ```
 
 
 ## Optional Role Variables
 
 | Variable | Description | Default Value |
 | -------- | ----------- | ------------- |
+| `icingaweb2_module_grafana__auth_jwt` | Enable JWT-based authentication for Grafana requests | `false` |
 | `icingaweb2_module_grafana__custom_graphs_config` | Multiline string. Custom configuration for the Grafana Graphs, will be deployed to `/etc/icingweb2/modules/grafana/graphs.ini` along with the configuration for the [Linuxfabrik Monitoring Plugins](https://github.com/Linuxfabrik/monitoring-plugins) | `''` |
 | `icingaweb2_module_grafana__default_dashboard` | Name of the default Grafana dashboard | `'Default'` |
 | `icingaweb2_module_grafana__skip_monitoring_plugins_graphs_config` | Skip the deployment of the graph configuration for [Linuxfabrik Monitoring Plugins](https://github.com/Linuxfabrik/monitoring-plugins). | `false` |
@@ -53,6 +54,7 @@ icingaweb2_module_grafana__version: 'v3.1.1'
 Example:
 ```yaml
 # optional
+icingaweb2_module_grafana__auth_jwt: false
 icingaweb2_module_grafana__custom_graphs_config: |-
   [icingacli-x509]
   dashboard = "Default"

roles/icingaweb2_module_grafana/defaults/main.yml

@@ -4,6 +4,7 @@ icingaweb2_module_grafana__monitoring_plugins_version: '{{ lfops__monitoring_plu
 icingaweb2_module_grafana__skip_monitoring_plugins_graphs_config: false
 icingaweb2_module_grafana__theme: 'light'
 icingaweb2_module_grafana__url: '{{ grafana__root_url }}'
+icingaweb2_module_grafana__auth_jwt: '{{ grafana__auth_jwt }}'
 
 # -----------------------------------------------------------------------------
 

roles/icingaweb2_module_grafana/tasks/main.yml

@@ -87,6 +87,41 @@
       group: 'icingaweb2'
       mode: 0o660
 
+  - name: 'generate JWT RSA private key'
+    community.crypto.openssl_privatekey:
+      path: '/etc/icingaweb2/modules/grafana/jwt.key.priv'
+      size: 2048
+      type: 'RSA'
+      owner: 'apache'
+      group: 'icingaweb2'
+      mode: '0640'
+    when: icingaweb2_module_grafana__auth_jwt
+
+  - name: 'generate JWT RSA public key'
+    community.crypto.openssl_publickey:
+      path: '/etc/icingaweb2/modules/grafana/jwt.key.pub'
+      privatekey_path: '/etc/icingaweb2/modules/grafana/jwt.key.priv'
+      owner: 'apache'
+      group: 'icingaweb2'
+      mode: '0644'
+    when: icingaweb2_module_grafana__auth_jwt
+
+  - name: 'copy /etc/icingaweb2/modules/grafana/jwt.key.pub to /etc/grafana/icinga.pem'
+    ansible.builtin.copy:
+      src: '/etc/icingaweb2/modules/grafana/jwt.key.pub'
+      dest: '/etc/grafana/icinga.pem'
+      remote_src: true
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
+    when: icingaweb2_module_grafana__auth_jwt
+
+  - name: 'restart grafana'
+    ansible.builtin.systemd:
+      name: 'grafana-server'
+      state: 'restarted'
+    when: icingaweb2_module_grafana__auth_jwt
+
   tags:
     - 'icingaweb2_module_grafana'
     - 'icingaweb2_module_grafana:configure'

roles/icingaweb2_module_grafana/templates/etc/icingaweb2/modules/grafana/config.ini.j2

@@ -1,5 +1,5 @@
 ; {{ ansible_managed }}
-; 2023050802
+; 2026032301
 
 [grafana]
 accessmode = "iframe"
@@ -15,3 +15,12 @@ shadows = "0"
 theme = "{{ icingaweb2_module_grafana__theme }}"
 timerange = "2d"
 timerangeAll = "1w/w"
+ssl_verifypeer = "0"
+ssl_verifyhost = "0"
+dashboardlink = "0"
+{% if icingaweb2_module_grafana__auth_jwt %}
+jwtEnable = "1"
+jwtUser = "grafana-admin"
+jwtIssuer = "https://{{ (icingaweb2_module_grafana__url | split('://'))[1] }}"
+jwtExpires = "30"
+{% endif %}