ouranos/ansible/pplg/oauth2-proxy-prometheus.cfg.j2
Robert Helewka 0f21380fd0 refactor: remove HAProxy from Prospero, centralize TLS on Titania
Move TLS termination and reverse proxying entirely to Titania's
HAProxy, eliminating the redundant HAProxy instance on Prospero.
Backends now communicate over plain HTTP within the internal network.

- Remove HAProxy container, config, certs, and syslog from Prospero
- Remove ssl_backend flags from Titania backend definitions
- Replace pplg_haproxy_* vars with single pplg_domain variable
- Remove HAProxy syslog source from Alloy config
- Update OAuth2-Proxy to listen on all interfaces for Titania access
2026-04-08 17:57:09 +00:00


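# OAuth2-Proxy Configuration for Prometheus UI
# Authenticates users via Casdoor OIDC before proxying to Prometheus
# Red Panda Approved
#
# TLS is terminated upstream on Titania's HAProxy; this proxy listens on plain
# HTTP and trusts the forwarded headers it receives, so the listener must only
# be reachable from that HAProxy (host firewall / network policy — verify).

# Provider Configuration (Casdoor OIDC)
provider = "oidc"
provider_display_name = "Casdoor"
oidc_issuer_url = "{{prometheus_oauth2_oidc_issuer_url}}"
client_id = "{{prometheus_oauth2_client_id}}"
client_secret = "{{prometheus_oauth2_client_secret}}"

# Redirect URL after authentication. Pinned explicitly so the callback target
# is not derived from forwarded Host headers.
redirect_url = "https://prometheus.{{pplg_domain}}/oauth2/callback"

# Upstream service (Prometheus), reached over loopback only
upstreams = [
    "http://127.0.0.1:9090",
]

# Session/Cookie Configuration
cookie_secret = "{{prometheus_oauth2_cookie_secret}}"
cookie_name = "_oauth2_proxy_prometheus"
# Secure stays on even though this listener is plain HTTP: the browser only
# ever sees the cookie over the HTTPS edge on Titania.
cookie_secure = true
cookie_httponly = true
# SameSite=Lax withholds the session cookie on cross-site sub-requests while
# still allowing the top-level OIDC callback navigation and same-site use
# across the shared cookie domain below.
cookie_samesite = "lax"
cookie_expire = "168h"  # 7 days absolute session lifetime
cookie_refresh = "1h"   # re-validate with the provider at most hourly
# Cookie is shared across every subdomain of pplg_domain: any service hosted
# under that domain can read this session cookie.
cookie_domains = ".{{pplg_domain}}"
session_store_type = "cookie"

# Authentication settings
# "*" admits any account the Casdoor issuer authenticates; authorization is
# therefore delegated entirely to Casdoor's own user/group policy.
email_domains = ["*"]
oidc_email_claim = "email"
oidc_groups_claim = "groups"
# Accepts accounts whose email Casdoor has not verified. Combined with
# email_domains = ["*"] this means any Casdoor account, including a
# self-registered one if Casdoor allows that, can log in — tighten one of
# the two if that is not intended.
insecure_oidc_allow_unverified_email = true

# Request settings: only the X-Auth-Request-* identity headers are emitted;
# tokens are never forwarded to the upstream or to the client.
pass_access_token = false
pass_authorization_header = false
set_authorization_header = false
set_xauthrequest = true

# Logging
request_logging = true
auth_logging = true
standard_logging = true

# Network settings
# Binds on all interfaces (plain HTTP) so Titania's HAProxy can reach it.
http_address = "0.0.0.0:{{prometheus_proxy_port}}"
# reverse_proxy + real_client_ip_header make the proxy trust X-Forwarded-For
# from whoever connects. A client that bypasses Titania can spoof the logged
# client IP, so restrict the listener to Titania at the network layer.
reverse_proxy = true
real_client_ip_header = "X-Forwarded-For"

# Skip authentication for health check and machine-to-machine endpoints.
# /api/v1/write (Prometheus remote-write) reaches Prometheus with no
# authentication at all through this proxy; access to that path must be
# restricted elsewhere (edge ACL, network policy, or Prometheus-side auth).
skip_auth_routes = [
    "^/ping$",
    "^/api/v1/write$",
]

# OIDC specific settings
skip_provider_button = true
oidc_extra_audiences = []

# SSL verification of the OIDC issuer's certificate — keep enabled
ssl_insecure_skip_verify = false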