|
| 1 | +# Setting up third party OAuth for Grafana |
| 2 | + |
| 3 | +## Contents |
| 4 | + |
| 5 | +- [Introduction](#introduction) |
| 6 | +- [Prerequisites](#prerequisites) |
| 7 | +- [Steps](#steps) |
| 8 | + - [Step 1: Create Github application](#step-1-create-github-application) |
| 9 | + - [Step 2: Add `prometheus-operator` component configuration](#step-2-add-prometheus-operator-component-configuration) |
| 10 | + - [Step 3: Add secret information](#step-3-add-secret-information) |
| 11 | + - [Step 4: Deploy and access the dashboard](#step-4-deploy-and-access-the-dashboard) |
| 12 | +- [Additional resources](#additional-resources) |
| 13 | + |
| 14 | +## Introduction |
| 15 | + |
| 16 | +Grafana is a sub-component deployed as a part of Lokomotive's `prometheus-operator` component. By |
| 17 | +default you can provide an admin user password for Grafana, but what if you want to allow your team |
| 18 | +members to view the dashboards? Sharing a single password in such circumstances is cumbersome and |
| 19 | +insecure. OAuth comes to our rescue and Grafana supports multiple OAuth providers out of the box. |
| 20 | +This document explains how to enable any supported auth provider on Grafana. |
| 21 | + |
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +- A Lokomotive cluster deployed on AWS or Packet. |
| 25 | + |
| 26 | +- [MetalLB](https://metallb.universe.tf/) deployed on the cluster. |
| 27 | + |
| 28 | + **NOTE**: Required only for the Packet provider. |
| 29 | + |
| 30 | + Installation instructions for [MetalLB](./ingress-with-contour-metallb.md) component. |
| 31 | + |
| 32 | +- [Contour](https://projectcontour.io/) deployed on the cluster. |
| 33 | + |
| 34 | + Installation instructions for [Contour](../configuration-reference/components/contour.md) |
| 35 | + component. |
| 36 | + |
| 37 | +- [cert-manager](https://cert-manager.io/docs/) deployed on the cluster. |
| 38 | + |
| 39 | + Installation instructions for |
| 40 | + [cert-manager](../configuration-reference/components/cert-manager.md) Lokomotive component. |
| 41 | + |
| 42 | +- [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) deployed on the cluster. |
| 43 | + |
| 44 | + Installation instructions for [ExternalDNS](../configuration-reference/components/external-dns.md) |
| 45 | + component. |
| 46 | + |
| 47 | +## Steps |
| 48 | + |
| 49 | +> **NOTE**: This guide assumes that the OAuth provider is GitHub. For other OAuth providers, the |
| 50 | +> steps are the same, but the secret environment variables will change, as mentioned in [Step |
| 51 | +> 2](#step-2-add-prometheus-operator-component-configuration). Grafana docs explain how to convert |
| 52 | +> the `ini` config to environment variables |
| 53 | +> [here](https://grafana.com/docs/grafana/latest/administration/configuration/#configure-with-environment-variables). |
| 54 | +
|
| 55 | +### Step 1: Create Github application |
| 56 | + |
| 57 | +- Create a GitHub OAuth application as documented in the [Grafana |
| 58 | + docs](https://grafana.com/docs/grafana/latest/auth/github/). |
| 59 | + |
| 60 | +- Set **Homepage URL** to `https://grafana.<cluster name>.<DNS zone>`. This should be same as the |
| 61 | + `prometheus-operator.grafana.ingress.host` as shown in [Step |
| 62 | + 2](#step-2-add-prometheus-operator-component-configuration). |
| 63 | + |
| 64 | +- Set **Authorization callback URL** to `https://grafana.<cluster name>.<DNS zone>/login/github`. |
| 65 | + |
| 66 | +- Make a note of `Client ID` and `Client Secret`, they will be needed in [Step |
| 67 | + 3](#step-3-add-secret-information). |
| 68 | + |
| 69 | +### Step 2: Add `prometheus-operator` component configuration |
| 70 | + |
| 71 | +Create a file named `prometheus-operator.lokocfg` with the following contents or if you already |
| 72 | +have `prometheus-operator` installed then add the following contents to the existing configuration: |
| 73 | + |
| 74 | +```tf |
| 75 | +variable "gf_auth_github_client_id" {} |
| 76 | +variable "gf_auth_github_client_secret" {} |
| 77 | +variable "gf_auth_github_allowed_orgs" {} |
| 78 | +
|
| 79 | +component "prometheus-operator" { |
| 80 | + grafana { |
| 81 | + secret_env = { |
| 82 | + "GF_AUTH_GITHUB_ENABLED" = "'true'" |
| 83 | + "GF_AUTH_GITHUB_ALLOW_SIGN_UP" = "'true'" |
| 84 | + "GF_AUTH_GITHUB_SCOPES" = "user:email,read:org" |
| 85 | + "GF_AUTH_GITHUB_AUTH_URL" = "https://github.com/login/oauth/authorize" |
| 86 | + "GF_AUTH_GITHUB_TOKEN_URL" = "https://github.com/login/oauth/access_token" |
| 87 | + "GF_AUTH_GITHUB_API_URL" = "https://api.github.com/user" |
| 88 | + "GF_AUTH_GITHUB_CLIENT_ID" = var.gf_auth_github_client_id |
| 89 | + "GF_AUTH_GITHUB_CLIENT_SECRET" = var.gf_auth_github_client_secret |
| 90 | + "GF_AUTH_GITHUB_ALLOWED_ORGANIZATIONS" = var.gf_auth_github_allowed_orgs |
| 91 | + } |
| 92 | +
|
| 93 | + ingress { |
| 94 | + host = "grafana.<cluster name>.<DNS zone>" |
| 95 | + } |
| 96 | + } |
| 97 | +} |
| 98 | +``` |
| 99 | + |
| 100 | +> **NOTE**: On Packet, you either need to create a DNS entry for `grafana.<cluster name>.<DNS zone>` |
| 101 | +> and point it to the Packet external IP for the contour service (see the [Packet ingress guide for |
| 102 | +> more details](./ingress-with-contour-metallb.md)) or use the [External DNS |
| 103 | +> component](../configuration-reference/components/external-dns.md). |
| 104 | +
|
| 105 | +> **NOTE**: In the above configuration, boolean values are set to `"'true'"` instead of bare |
| 106 | +> `"true"` because Kubernetes expects the key-value pair to be of type `map[string]string` and not |
| 107 | +> `map[string]bool`. |
| 108 | +
|
| 109 | +### Step 3: Add secret information |
| 110 | + |
| 111 | +Create a `lokofg.vars` file or add the following to an existing file, setting the values of this |
| 112 | +secret as needed: |
| 113 | + |
| 114 | +```tf |
| 115 | +gf_auth_github_client_id = "YOUR_GITHUB_APP_CLIENT_ID" |
| 116 | +gf_auth_github_client_secret = "YOUR_GITHUB_APP_CLIENT_SECRET" |
| 117 | +gf_auth_github_allowed_orgs = "YOUR_GITHUB_ALLOWED_ORGANIZATIONS" |
| 118 | +``` |
| 119 | + |
| 120 | +Replace `YOUR_GITHUB_APP_CLIENT_ID` with `Client ID` and `YOUR_GITHUB_APP_CLIENT_SECRET` with |
| 121 | +`Client Secret` collected in [Step 1](#step-1-create-github-application). And replace |
| 122 | +`YOUR_GITHUB_ALLOWED_ORGANIZATIONS` with the Github organization that your users belong to. |
| 123 | + |
| 124 | +### Step 4: Deploy and access the dashboard |
| 125 | + |
| 126 | +Deploy the `prometheus-operator` component using the following command: |
| 127 | + |
| 128 | +```bash |
| 129 | +lokoctl component apply prometheus-operator |
| 130 | +``` |
| 131 | + |
| 132 | +Go to `https://grafana.<cluster name>.<DNS zone>` and use the **Sign in with GitHub** button, to |
| 133 | +sign in with Github. |
| 134 | + |
| 135 | +## Additional resources |
| 136 | + |
| 137 | +- Other auth providers for Grafana: |
| 138 | + https://grafana.com/docs/grafana/latest/auth/overview/#user-authentication-overview |
| 139 | + |
| 140 | +- Component `prometheus-operator`'s configuration reference can be found |
| 141 | + [here](../configuration-reference/components/prometheus-operator.md). |
| 142 | + |
| 143 | +- Find details on how to setup monitoring with the `prometheus-operator` component |
| 144 | + [here](./monitoring-with-prometheus-operator.md). |
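Review bot: The `GF_AUTH_GITHUB_AUTH_URL` and `GF_AUTH_GITHUB_TOKEN_URL` values on new-file lines 85-86 point at `github.com` rather than `github.com`, while `GF_AUTH_GITHUB_API_URL` on line 87 uses `api.github.com`. As written, Grafana would redirect users to that host for authorization and post the authorization code together with the client secret to it during the token exchange. These should be `https://github.com/login/oauth/authorize` and `https://github.com/login/oauth/access_token`; the ExternalDNS link on line 42 uses the same host and needs the same fix. Two smaller points: Step 3 (line 111) names the file `lokofg.vars`, which looks like a typo for `lokocfg.vars` given `prometheus-operator.lokocfg` in Step 2. And because line 83 enables sign-up, the guide should state that `gf_auth_github_allowed_orgs` (line 90) must not be left empty, since it is the only restriction on which GitHub accounts can sign in, and that the vars file holding the client secret should be kept out of version control.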