This repository has been archived by the owner on Jun 29, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 49
docs: How to setup oauth provider Grafana #542
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
144 changes: 144 additions & 0 deletions
144
docs/how-to-guides/setup-thirdparty-auth-for-grafana.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
# Setting up third party OAuth for Grafana | ||
|
||
## Contents | ||
|
||
- [Introduction](#introduction) | ||
- [Prerequisites](#prerequisites) | ||
- [Steps](#steps) | ||
- [Step 1: Create Github application](#step-1-create-github-application) | ||
- [Step 2: Add `prometheus-operator` component configuration](#step-2-add-prometheus-operator-component-configuration) | ||
- [Step 3: Add secret information](#step-3-add-secret-information) | ||
- [Step 4: Deploy and access the dashboard](#step-4-deploy-and-access-the-dashboard) | ||
- [Additional resources](#additional-resources) | ||
|
||
## Introduction | ||
|
||
Grafana is a sub-component deployed as a part of Lokomotive's `prometheus-operator` component. By | ||
default you can provide an admin user password for Grafana, but what if you want to allow your team | ||
members to view the dashboards? Sharing a single password in such circumstances is cumbersome and | ||
insecure. OAuth comes to our rescue and Grafana supports multiple OAuth providers out of the box. | ||
This document explains how to enable any supported auth provider on Grafana. | ||
|
||
## Prerequisites | ||
|
||
- A Lokomotive cluster deployed on AWS or Packet. | ||
|
||
- [MetalLB](https://metallb.universe.tf/) deployed on the cluster. | ||
|
||
**NOTE**: Required only for the Packet provider. | ||
|
||
Installation instructions for [MetalLB](./ingress-with-contour-metallb.md) component. | ||
|
||
- [Contour](https://projectcontour.io/) deployed on the cluster. | ||
|
||
Installation instructions for [Contour](../configuration-reference/components/contour.md) | ||
component. | ||
|
||
- [cert-manager](https://cert-manager.io/docs/) deployed on the cluster. | ||
|
||
Installation instructions for | ||
[cert-manager](../configuration-reference/components/cert-manager.md) Lokomotive component. | ||
|
||
- [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) deployed on the cluster. | ||
|
||
Installation instructions for [ExternalDNS](../configuration-reference/components/external-dns.md) | ||
component. | ||
|
||
## Steps | ||
|
||
> **NOTE**: This guide assumes that the OAuth provider is GitHub. For other OAuth providers, the | ||
> steps are the same, but the secret environment variables will change, as mentioned in [Step | ||
> 2](#step-2-add-prometheus-operator-component-configuration). Grafana docs explain how to convert | ||
> the `ini` config to environment variables | ||
> [here](https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables). | ||
|
||
### Step 1: Create Github application | ||
|
||
- Create a GitHub OAuth application as documented in the [Grafana | ||
docs](https://grafana.com/docs/grafana/latest/auth/github/). | ||
|
||
- Set **Homepage URL** to `https://grafana.<cluster name>.<DNS zone>`. This should be same as the | ||
`prometheus-operator.grafana.ingress.host` as shown in [Step | ||
2](#step-2-add-prometheus-operator-component-configuration). | ||
|
||
- Set **Authorization callback URL** to `https://grafana.<cluster name>.<DNS zone>/login/github`. | ||
|
||
- Make a note of `Client ID` and `Client Secret`, they will be needed in [Step | ||
3](#step-3-add-secret-information). | ||
|
||
### Step 2: Add `prometheus-operator` component configuration | ||
|
||
Create a file named `prometheus-operator.lokocfg` with the following contents or if you already | ||
have `prometheus-operator` installed then add the following contents to the existing configuration: | ||
|
||
```tf | ||
variable "gf_auth_github_client_id" {} | ||
variable "gf_auth_github_client_secret" {} | ||
variable "gf_auth_github_allowed_orgs" {} | ||
|
||
component "prometheus-operator" { | ||
grafana { | ||
secret_env = { | ||
"GF_AUTH_GITHUB_ENABLED" = "'true'" | ||
"GF_AUTH_GITHUB_ALLOW_SIGN_UP" = "'true'" | ||
"GF_AUTH_GITHUB_SCOPES" = "user:email,read:org" | ||
"GF_AUTH_GITHUB_AUTH_URL" = "https://github.com/login/oauth/authorize" | ||
"GF_AUTH_GITHUB_TOKEN_URL" = "https://github.com/login/oauth/access_token" | ||
"GF_AUTH_GITHUB_API_URL" = "https://api.github.com/user" | ||
"GF_AUTH_GITHUB_CLIENT_ID" = var.gf_auth_github_client_id | ||
"GF_AUTH_GITHUB_CLIENT_SECRET" = var.gf_auth_github_client_secret | ||
"GF_AUTH_GITHUB_ALLOWED_ORGANIZATIONS" = var.gf_auth_github_allowed_orgs | ||
} | ||
|
||
ingress { | ||
host = "grafana.<cluster name>.<DNS zone>" | ||
} | ||
} | ||
} | ||
``` | ||
|
||
> **NOTE**: On Packet, you either need to create a DNS entry for `grafana.<cluster name>.<DNS zone>` | ||
> and point it to the Packet external IP for the contour service (see the [Packet ingress guide for | ||
> more details](./ingress-with-contour-metallb.md)) or use the [External DNS | ||
> component](../configuration-reference/components/external-dns.md). | ||
|
||
> **NOTE**: In the above configuration, boolean values are set to `"'true'"` instead of bare | ||
> `"true"` because Kubernetes expects the key-value pair to be of type `map[string]string` and not | ||
> `map[string]bool`. | ||
Comment on lines
+106
to
+107
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Mentioning There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah I thought how best to put it but I think as programmers this makes most sense to convey why it does not work. |
||
|
||
### Step 3: Add secret information | ||
|
||
Create a `lokofg.vars` file or add the following to an existing file, setting the values of this | ||
secret as needed: | ||
|
||
```tf | ||
gf_auth_github_client_id = "YOUR_GITHUB_APP_CLIENT_ID" | ||
gf_auth_github_client_secret = "YOUR_GITHUB_APP_CLIENT_SECRET" | ||
gf_auth_github_allowed_orgs = "YOUR_GITHUB_ALLOWED_ORGANIZATIONS" | ||
``` | ||
|
||
Replace `YOUR_GITHUB_APP_CLIENT_ID` with `Client ID` and `YOUR_GITHUB_APP_CLIENT_SECRET` with | ||
`Client Secret` collected in [Step 1](#step-1-create-github-application). And replace | ||
`YOUR_GITHUB_ALLOWED_ORGANIZATIONS` with the Github organization that your users belong to. | ||
|
||
### Step 4: Deploy and access the dashboard | ||
|
||
Deploy the `prometheus-operator` component using the following command: | ||
|
||
```bash | ||
lokoctl component apply prometheus-operator | ||
``` | ||
|
||
Go to `https://grafana.<cluster name>.<DNS zone>` and use the **Sign in with GitHub** button, to | ||
sign in with Github. | ||
|
||
## Additional resources | ||
|
||
- Other auth providers for Grafana: | ||
https://grafana.com/docs/grafana/latest/auth/overview/#user-authentication-overview | ||
|
||
- Component `prometheus-operator`'s configuration reference can be found | ||
[here](../configuration-reference/components/prometheus-operator.md). | ||
|
||
- Find details on how to setup monitoring with the `prometheus-operator` component | ||
[here](./monitoring-with-prometheus-operator.md). |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this still make sense if we ask for the External DNS component in the prerequisites?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to keep it just in case someone is not using external dns and would want to have setup done manually.