Setting up Grafana OAuth2 running in a Kubernetes cluster

In this guide we are setting up Grafana in a Kubernetes cluster to use OAuth2 based authorization. First of all you need to have a running Kubernetes cluster and helm installed and configured. If you do not know how to set it up click here to get to my Helm installation guide. I’ve been using AKS, but it will probably work on your environment too.

Setting up your IdP

First of all you need to create a new application in your identity provider. I have been using Okta, but every other IdP which supports openID should work as well. In Okta you have to select Web as Applicaton type and enable Refresh Tokens. For your redirect URL you need to set it to https://example.com/generic_oauth

Configure Installation

Create a new file, which will be used to configure the installation. Name the file values.yaml. Insert the following content: https://pastebin.com/raw/HVkXjxfQ 

Now we need to change some stuff in that file: Change the root_url to https://your.domain.com so that your IdP can redirect you after logging in successfully.

If you already know what your datasource is, you can fill it in. If you don’t want to use that feature just replace the section with a {}.

First of all you need to fill in your client id and client secret. Also do not forget to change the IdP URLs. Now you need to edit the hosts in the ingress controller so that it can be created automatically.

Install Grafana

After all the configuration is done you can finally deploy Grafana using this command (Feel free to change name and namespace to your liking):

helm install --name grafana --namespace monitoring stable/grafana -f values.yaml

Setup Grafana

Login at the Grafana Dashboard and change the default admin password. Now you can setup your datasources and dashboards.

After all that login with the IdP to register your user to Grafana. Then log back in with you admin account and assign administrator privileges to your IdP user.

Disable Basic Auth

If you want to, you can disable basic authentication to only allow users to log on using OAuth. Now we can change some stuff to disable the basic authentication and fully go to IdP login. For this create and open the file patch_values.yaml.

grafana.ini:
  auth.basic:
    enabled: false
  auth:
    oauth_auto_login: true
    disable_login_form: true

Now we can change the config file in the cluster with:

helm upgrade --reuse-values -f patch_values.yml grafana stable/grafana
comments powered by Disqus