Enable GitHub authentication for Grafana#

We can enable GitHub authentication against a Grafana instance in order to allow access to the dashboards for hub administrators as well as 2i2c engineers.

To enable logging into Grafana using GitHub, follow these steps:

  1. Create a GitHub OAuth application following Grafana’s documentation.

    • Create a new app inside the 2i2c-org.

    • When naming the application, please follow the convention <cluster_name>-grafana for consistency, e.g. 2i2c-grafana is the OAuth app for the Grafana running in the 2i2c cluster

    • The Homepage URL should match that in the grafana.ingress.hosts field of the appropriate cluster support.values.yaml file in the infrastructure repo. For example, ghttps://grafana.pilot.2i2c.cloud

    • The authorisation callback URL is the homepage url appended with /login/github. For example, https://grafana.pilot.2i2c.cloud/login/github.

    • Once you have created the OAuth app, create a new client ID, generate a client secret and then hold on to these values for a future step

  2. Edit using sops the encrypted enc-support.secret.values.yaml file in the chosen cluster directory and add the credentials created in step one:

    grafana:
      grafana.ini:
        auth.github:
          client_id: <client-id>
          client_secret: <client-secret>
    
  3. Edit the support.values.yaml file in your chosen cluster directory and add the Grafana GitHub auth config, allowing the specific GitHub organization you wish to allow login.

grafana:
  grafana.ini:
    server:
      root_url: https://<grafana.ingress.hosts[0]>
    auth.github:
      enabled: true
      allow_sign_up: false
      scopes: user:email,read:org
      auth_url: https://github.com/login/oauth/authorize
      token_url: https://github.com/login/oauth/access_token
      api_url: https://api.github.com/user
      allowed_organizations: 2i2c-org

Note

Checkout the Grafana documentation for more info about authorizing users using other types of membership than GitHub organizations.