In this guide we are setting up Grafana in a Kubernetes cluster to use OAuth2 based authorization. First of all you need to have a running Kubernetes cluster and helm installed and configured. If you do not know how to set it up click [here] to get to my Helm installation guide. I’ve been using AKS, but it will probably work on your environment too.
Setting up your IdP
First of all you need to create a new application in your identity provider. I have been using Okta, but every other IdP which supports openID should work as well.
In Okta you have to select Web
as Applicaton type and enable Refresh Tokens
. For your redirect URL you need to set it to https://example.com/generic_oauth
Configure Installation
Create a new file, which will be used to configure the installation. Name the file values.yaml
. Insert the following content:
[https://pastebin.com/raw/HVkXjxfQ ]
Now we need to change some stuff in that file:
Change the root_url
to https://your.domain.com
so that your IdP can redirect you after logging in successfully.
If you already know what your datasource is, you can fill it in. If you don’t want to use that feature just replace the section with a {}
.
First of all you need to fill in your client id and client secret. Also do not forget to change the IdP URLs. Now you need to edit the hosts in the ingress controller so that it can be created automatically.
Install Grafana
After all the configuration is done you can finally deploy Grafana using this command (Feel free to change name and namespace to your liking):
helm install --name grafana --namespace monitoring stable/grafana -f values.yaml
Setup Grafana
Login at the Grafana Dashboard and change the default admin password. Now you can setup your datasources and dashboards.
After all that login with the IdP to register your user to Grafana. Then log back in with you admin account and assign administrator privileges to your IdP user.
Disable Basic Auth
If you want to, you can disable basic authentication to only allow users to log on using OAuth. Now we can change some stuff to disable the basic authentication and fully go to IdP login. For this create and open the file patch_values.yaml
.
grafana.ini:
auth.basic:
enabled: false
auth:
oauth_auto_login: true
disable_login_form: true
Now we can change the config file in the cluster with:
helm upgrade --reuse-values -f patch_values.yml grafana stable/grafana