From 25930cba97e8c2edfc32f87d39a4ed3d04411b1d Mon Sep 17 00:00:00 2001
From: shodan <thrawn235@gmail.com>
Date: Sun, 29 Mar 2026 17:10:26 +0000
Subject: [PATCH] authentik group mapping

---
 grafana/grafana.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/grafana/grafana.yaml b/grafana/grafana.yaml
index b063faf..305940f 100644
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -1,5 +1,3 @@
-
----
 apiVersion: grafana.integreatly.org/v1beta1
 kind: Grafana
 metadata:
@@ -8,8 +6,6 @@ metadata:
   labels:
     dashboards: "grafana"
 spec:
-  #disableDefaultAdminSecret: true
-
   config:
     log:
       mode: "console"
@@ -24,13 +20,14 @@ spec:
       allow_sign_up: "true"
       client_id: "${AUTH_CLIENT_ID}"
       client_secret: "${AUTH_CLIENT_SECRET}"
-      scopes: "openid profile email"
+      scopes: "openid profile email groups"
       auth_url: "https://auth.apps.undercloud.dev/application/o/authorize/"
       token_url: "https://auth.apps.undercloud.dev/application/o/token/"
       api_url: "https://auth.apps.undercloud.dev/application/o/userinfo/"
       email_attribute_path: "email"
       login_attribute_path: "preferred_username"
       name_attribute_path: "name"
+      role_attribute_path: "contains(groups[*], 'undercloud-administrators') && 'Admin' || 'Viewer'"
 
   persistentVolumeClaim:
     spec: