Enable GitHub Organisation authentication for Grafana#
We can enable GitHub Organisation authentication against a Grafana instance in order to allow access to the dashboards for the whole 2i2c GitHub organisation, or a community’s GitHub organisation.
This is the default authentication method for 2i2c staff wanting to visualise the
dashboards on The 2i2c Central Grafana. However, we can also offer this
method of authentication to communities on their cluster-specific Grafana instance
only if they want to give
Viewer access to a whole GitHub organisation and
they are on a dedicated cluster. Otherwise, the default method to provide access
to a community representative is to generate an invite link.
To enable logging into Grafana using GitHub Organisations, follow these steps:
Create a GitHub OAuth application following Grafana’s documentation.
Create a new app inside the
When naming the application, please follow the convention
<cluster_name>-grafanafor consistency, e.g.
2i2c-grafanais the OAuth app for the Grafana running in the 2i2c cluster
The Homepage URL should match that in the
grafana.ingress.hostsfield of the appropriate cluster
support.values.yamlfile in the
infrastructurerepo. For example,
The authorisation callback URL is the homepage url appended with
/login/github. For example,
Once you have created the OAuth app, create a new client ID, generate a client secret and then hold on to these values for a future step
enc-support.secret.values.yamlfile in the chosen cluster directory and add the credentials created in step one:
grafana: grafana.ini: auth.github: client_id: <client-id> client_secret: <client-secret>
support.values.yamlfile in your chosen cluster directory and add the Grafana GitHub auth config, allowing the specific GitHub organization you wish to allow login.
grafana: grafana.ini: server: # root_url should point to the domain we redirect to if we have multiple # domain names configured and redirects from one to another # # FIXME: root_url is also required to be the same as the # grafana.ingress.hosts config specifically until # https://github.com/2i2c-org/infrastructure/issues/2533 is # resolved. # root_url: https://<grafana.ingress.hosts>/ auth.github: enabled: true # allowed_organizations should be a space separated list allowed_organizations: 2i2c-org
Checkout the Grafana documentation for more info about authorizing users using other types of membership than GitHub organizations.