Prerequisites

  • You will need an IdP service such as Authentik, Authelia or another OIDC provider already set up.
  • You will need the client_id, client_secret, base_auth_url and metadata_url values from that IdP.
  • You will have to build a custom caddy binary with the caddy-security plugin

Ansible Jinja2 config template for Prometheus and Alertmanager

If you’re not using Ansible, replace every double-brace placeholder, e.g. {{ portal_sso_client_id }}, with your own value.

This config reverse-proxies Prometheus and Alertmanager and uses OIDC groups to enforce RBAC. Prometheus is reachable without authentication, while Alertmanager is limited to the admins group.

In Authentik, for example, you can set an app URL: if you set it to prometheus.domain/oauth2/sso, clicking the app in Authentik triggers the OAuth flow directly. To have OIDC auth triggered automatically from the login page, rewrite /login to /oauth2/sso.

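{
	http_port 80
	https_port 443

	# caddy-security's handlers are not part of Caddy's built-in directive
	# order; these two lines place the portal and the authorizer in the chain.
	order authenticate before respond
	order authorize before basicauth

	security {
		# OIDC client registration for the upstream IdP (Authentik, Authelia, ...).
		# client_secret is written into the rendered Caddyfile on disk: keep the
		# Ansible value vaulted and restrict the rendered file's permissions.
		oauth identity provider generic {
			realm sso
			driver generic
			client_id "{{ portal_sso_client_id }}"
			client_secret "{{ portal_sso_client_secret }}"
			scopes openid email profile
			base_auth_url "{{ portal_sso_base_auth_url }}"
			metadata_url "{{ portal_sso_metadata_url }}"
		}

		authentication portal auth_portal {
			# Token lifetime in seconds. The signing key must be the same value
			# as the `crypto key verify` in the authorization policy below,
			# otherwise tokens issued here fail verification there.
			crypto default token lifetime 3600
			crypto key sign-verify "{{ portal_jwt_token_key }}"

			enable identity provider generic

			# Session cookie lifetime in seconds (8h); it outlives the 1h token.
			cookie lifetime 28800
			# Quoted like the other template values so the Jinja2 expression is a
			# single Caddyfile token. Written as a bare `{ ansible_fqdn }` block
			# the name is never substituted by Ansible and is not a valid
			# `cookie domain` argument.
			cookie domain "{{ ansible_fqdn }}"
		}

		ui {
			links {
				"My Identity" "/whoami" icon "las la-user"
				"Prometheus" "/prometheus" icon "las la-fire"
			}
		}

		# Only members of the IdP group "admins" (matched against the groups
		# claim, so the name must match the IdP exactly) get the authp/user
		# role and the Alertmanager link.
		# NOTE(review): caddy-security appears to refuse logins for users that
		# hold no authp/* role, which would make this portal admins-only in
		# practice — confirm against the plugin version in use.
		transform user {
			match realm sso
			match groups admins
			action add role authp/user
			ui link "Alertmanager" /alertmanager icon "las la-bell"
		}
	}

	# Enforced on /alertmanager*: a valid portal JWT plus membership in "admins".
	# Requests without a token are redirected to the auth URL below.
	authorization policy allow_admins {
		set auth url "/oauth2/sso" # "/sso" is the realm name, adapt when changing the realm name
		crypto key verify "{{ portal_jwt_token_key }}"
		allow groups admins
	}
}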

:443 {
	# TLS settings come from a snippet defined outside this template.
	import common_tls

	# Catch-all: serves the portal endpoints (/oauth2/sso, /whoami, /login, ...).
	# Caddy orders `route` blocks by matcher specificity, so this is presumably
	# only reached for paths the /prometheus* and /alertmanager* routes do not
	# take — confirm with `caddy adapt`.
	route {
		authenticate with auth_portal
	}

	# Likely redundant given the catch-all above; kept as the author wrote it.
	route /auth* {
		authenticate with auth_portal
	}

	# No `authorize` here: the Prometheus UI and HTTP API are served without a
	# login, as the page describes. Prometheus has no authentication of its own,
	# so anyone who can reach :443 can typically read every scraped metric and
	# the target list. Add `authorize with <policy>` if that is not intended.
	route /prometheus* {
		reverse_proxy 127.0.0.1:9090
	}

	# allow_admins runs before the proxy: a valid portal JWT and the "admins"
	# group are required before anything reaches Alertmanager.
	route /alertmanager* {
		authorize with allow_admins
		reverse_proxy 127.0.0.1:9093
	}
}