Setting up Grafana OAuth2 (in Kubernetes)

in grafana •  5 years ago 

In this guide we are setting up Grafana in a Kubernetes cluster to use OAuth2 based authorization. First of all you need to have a running Kubernetes cluster and helm installed and configured. If you do not know how to set it up click [here] to get to my Helm installation guide. I’ve been using AKS, but it will probably work on your environment too.

Setting up your IdP

First of all you need to create a new application in your identity provider. I have been using Okta, but every other IdP which supports openID should work as well.
In Okta you have to select Web as Applicaton type and enable Refresh Tokens. For your redirect URL you need to set it to https://example.com/generic_oauth

image

Configure Installation

Create a new file, which will be used to configure the installation. Name the file values.yaml. Insert the following content:
[https://pastebin.com/raw/HVkXjxfQ ]

Now we need to change some stuff in that file:
Change the root_url to https://your.domain.com so that your IdP can redirect you after logging in successfully.

If you already know what your datasource is, you can fill it in. If you don’t want to use that feature just replace the section with a {}.

First of all you need to fill in your client id and client secret. Also do not forget to change the IdP URLs. Now you need to edit the hosts in the ingress controller so that it can be created automatically.

Install Grafana

After all the configuration is done you can finally deploy Grafana using this command (Feel free to change name and namespace to your liking):
helm install --name grafana --namespace monitoring stable/grafana -f values.yaml

Setup Grafana

Login at the Grafana Dashboard and change the default admin password. Now you can setup your datasources and dashboards.

After all that login with the IdP to register your user to Grafana. Then log back in with you admin account and assign administrator privileges to your IdP user.

Disable Basic Auth

If you want to, you can disable basic authentication to only allow users to log on using OAuth. Now we can change some stuff to disable the basic authentication and fully go to IdP login. For this create and open the file patch_values.yaml.

grafana.ini:
  auth.basic:
    enabled: false
  auth:
    oauth_auto_login: true
    disable_login_form: true

Now we can change the config file in the cluster with:
helm upgrade --reuse-values -f patch_values.yml grafana stable/grafana

grafana oauth2 kubernetes idp identity
5 years ago by

Downvoting a post can decrease pending rewards and make it less visible. Common reasons:

  • Disagreement on rewards
  • Fraud or plagiarism
  • Hate speech or trolling
  • Miscategorized content or spam

Submit
$0.00
    3 votes
    0
    Authors get paid when people like you upvote their post.
    If you enjoyed what you read here, create your account today and start earning FREE STEEM!