Enable GitHub Organisation authentication for Grafana
We can enable GitHub Organisation authentication against a Grafana instance in order to allow access to the dashboards for the whole 2i2c GitHub organisation, or a community’s GitHub organisation.
Note
This is the default authentication method for 2i2c staff wanting to visualise the dashboards on The 2i2c Central Grafana. However, we can also offer this method of authentication to communities on their cluster-specific Grafana instance only if they want to give Viewer access to a whole GitHub organisation and they are on a dedicated cluster. Otherwise, the default method to provide access to a community representative is to generate an invite link.
To enable logging into Grafana using GitHub Organisations, follow these steps:
1. Create a GitHub OAuth application following Grafana’s documentation.
   - Create a new app inside the 2i2c-org.
   - When naming the application, please follow the convention <cluster_name>-grafana for consistency, e.g. 2i2c-grafana is the OAuth app for the Grafana running in the 2i2c cluster.
   - The Homepage URL should match that in the grafana.ingress.hosts field of the appropriate cluster support.values.yaml file in the infrastructure repo. For example, https://grafana.pilot.2i2c.cloud
   - The authorisation callback URL is the homepage URL appended with /login/github. For example, https://grafana.pilot.2i2c.cloud/login/github.
   - Once you have created the OAuth app, create a new client ID, generate a client secret and then hold on to these values for a future step.

2. Using sops, edit the encrypted enc-support.secret.values.yaml file in the chosen cluster directory and add the credentials created in step one:

       grafana:
         grafana.ini:
           auth.github:
             client_id: <client-id>
             client_secret: <client-secret>

3. Edit the support.values.yaml file in your chosen cluster directory and add the Grafana GitHub auth config, listing the specific GitHub organization whose members you wish to allow to log in.

       grafana:
         grafana.ini:
           server:
             # root_url should point to the domain we redirect to if we have multiple
             # domain names configured and redirects from one to another
             #
             # FIXME: root_url is also required to be the same as the
             #        grafana.ingress.hosts[0] config specifically until
             #        https://github.com/2i2c-org/infrastructure/issues/2533 is
             #        resolved.
             #
             root_url: https://<grafana.ingress.hosts[0]>/
           auth.github:
             enabled: true
             # allowed_organizations should be a space separated list
             allowed_organizations: 2i2c-org
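The following pre-merge check is an added example, not code from the infrastructure repo. It takes the already-parsed contents of support.values.yaml and verifies the constraints described in the steps above: root_url matches grafana.ingress.hosts[0], an organisation restriction is set, and the OAuth credentials are not in the unencrypted file. The function name check_github_auth and the SAMPLE values are assumptions made for illustration.

```python
# Added example: input is the parsed support.values.yaml (e.g. from yaml.safe_load).
from urllib.parse import urlsplit


def check_github_auth(values):
    """Return (callback_url, problems) for a parsed support.values.yaml dict."""
    problems = []
    grafana = values.get("grafana", {})
    ini = grafana.get("grafana.ini", {})
    hosts = grafana.get("ingress", {}).get("hosts", [])
    github = ini.get("auth.github", {})
    root_url = ini.get("server", {}).get("root_url", "")

    if not hosts:
        problems.append("grafana.ingress.hosts is empty")
        return None, problems
    homepage = f"https://{hosts[0]}"
    # root_url must match grafana.ingress.hosts[0] (see the FIXME in the config).
    parts = urlsplit(root_url)
    if parts.scheme != "https" or parts.netloc != hosts[0] or parts.path not in ("", "/"):
        problems.append(f"root_url {root_url!r} does not match {homepage}/")
    if github.get("enabled") is not True:
        problems.append("auth.github.enabled is not true")
    # allowed_organizations is a space separated list.
    orgs = str(github.get("allowed_organizations") or "").split()
    if not orgs:
        problems.append("allowed_organizations is empty: login is not limited to an organisation")
    # Credentials belong only in the sops-encrypted enc-support.secret.values.yaml.
    for key in ("client_id", "client_secret"):
        if key in github:
            problems.append(f"{key} found in plaintext values; move it to the encrypted file")
    return homepage + "/login/github", problems


# Constructed sample, mirroring the pilot example on this page.
SAMPLE = {
    "grafana": {
        "ingress": {"hosts": ["grafana.pilot.2i2c.cloud"]},
        "grafana.ini": {
            "server": {"root_url": "https://grafana.pilot.2i2c.cloud/"},
            "auth.github": {"enabled": True, "allowed_organizations": "2i2c-org"},
        },
    }
}

if __name__ == "__main__":
    callback, problems = check_github_auth(SAMPLE)
    print(callback, *problems, sep="\n")
```

The returned callback URL is the value to compare against the authorisation callback URL registered on the GitHub OAuth app.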
Note
Check out the Grafana documentation for more info about authorizing users using other types of membership than GitHub organizations.