How to configure Grafana (Free version) with OAuth Okta, with SSL on Docker, Nginx and Load dashboard from json

October 09, 2019

Introduction

In this post, we will see how to:

  1. Use Grafana Community Edition (Free version)
  2. Configure Okta OAuth as the only way to log in
  3. Use the official Docker image of Grafana - 5.4.3
  4. Make a user an admin from configuration
  5. Disable the login form and signups
  6. Load a dashboard from JSON from the Docker image itself
  7. Run Grafana on HTTPS/SSL using Nginx
  8. Run on HTTPS/SSL without Nginx

Grafana is an excellent tool to visualize your data. Although SAML consumption is not supported by the free version of Grafana, we can use the Okta OAuth configuration instead.

Pre-requisite

You have to configure your app in Okta and obtain its credentials, such as the secret key and client id.

Https/SSL without Nginx

Go to https://hub.docker.com/r/grafana/grafana/ to check the official Grafana images.

In this configuration, we are going to expose grafana on 8080 internally. And, we have a pre-built dashboard json. We will directly import from the Dockerfile itself.

Grafana has support for running on HTTPS/SSL. You need to obtain a certificate and configure Grafana to use it.

You need to either copy the certificates in the image, or mount the certificate while running this docker image. In this example, I’m copying the ssl certificate in the image.

Let's look at the complete Dockerfile:

FROM grafana/grafana:5.4.3

ENV GF_SERVER_HTTP_PORT=443

# ENV GF_PATHS_PROVISIONING=/etc/grafana/provisioning
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_SERVER_ROOT_URL=https://<your hostname>
ENV GF_AUTH_GENERIC_OAUTH_NAME=Okta
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<xyz>.okta.com/oauth2/v1/authorize
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<xyz>.okta.com/oauth2/v1/token
ENV GF_AUTH_GENERIC_OAUTH_API_URL=https://<xyz>.okta.com/oauth2/v1/userinfo
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
ENV GF_AUTH_OAUTH_AUTO_LOGIN=true

ENV GF_SERVER_PROTOCOL=https
ENV GF_SERVER_CERT_FILE=/etc/grafana/cert/cert.cert
ENV GF_SERVER_CERT_KEY=/etc/grafana/cert/cert.key

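# The remaining build steps run as root, and so does Grafana in the container unless USER is reset afterwards
USER root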

RUN mkdir -p /var/lib/grafana/dashboards
ADD grafana_dashboards/belts-dashboard.json /var/lib/grafana/dashboards/belts-dashboard.json
ADD grafana_dashboards/dashboards.yaml /etc/grafana/provisioning/dashboards/dashboards.yaml
ADD grafana_dashboards/elastic_datasource.yaml /etc/grafana/provisioning/datasources/elastic_datasource.yaml

EXPOSE 443

In this file, we have exposed port 443 and set up the certificate paths. When you run the image, you will be able to access Grafana over HTTPS.

# Mount the key and certificate read-only at the paths the Dockerfile points to
docker run -it \
    -e GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<your client id> \
    -e GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<your secret> \
    -v "$PWD/certificate/cert.key:/etc/grafana/cert/cert.key:ro" \
    -v "$PWD/certificate/cert.cert:/etc/grafana/cert/cert.cert:ro" \
    -p 443:443 -d my_dashboard

Please make sure to replace everything in angle brackets (<>) above. In the Dockerfile above, we have used the official Grafana 5.4.3 image and set up various configurations. We have also saved our dashboard JSON and copy it straight into the image. This saves us from creating or loading dashboards manually each time.

Note: For simplicity, I have mentioned all environment variables in the Dockerfile. You should put these in an environment file, and provide that file at runtime.

When you run it, your Grafana is live on host: https://

Configure SSL with Nginx

You can run Grafana on some port like 8080, without a certificate, and put nginx, which is excellent at handling proxy requests, in front of it.

Let's build the Nginx image

Create a folder conf.d containing the file app.conf:

app.conf

gzip on;
gzip_proxied any;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";

# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
}


proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

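server {
    # Port 80 serves the same content over plain HTTP;
    # publish only 443 if HTTPS is the only intended entry point
    listen 80;
    keepalive_timeout   70;

    # TLS is terminated here with the certificate copied into the nginx image
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert/cert.cert;
    ssl_certificate_key /etc/nginx/cert/cert.key;

    location / {
        # where your grafana is running
        proxy_pass http://<your hostname>:8080;
    }
}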

Dockerfile for nginx

FROM nginx:mainline-alpine
COPY ./conf.d /etc/nginx/conf.d
COPY ./certificate/cert.key /etc/nginx/cert/cert.key
COPY ./certificate/cert.cert /etc/nginx/cert/cert.cert
EXPOSE 443

Now build this image. The following is the Dockerfile for Grafana:

FROM grafana/grafana:5.4.3

ENV GF_SERVER_HTTP_PORT=8080

# ENV GF_PATHS_PROVISIONING=/etc/grafana/provisioning
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_SERVER_ROOT_URL=https://<your server name>
ENV GF_AUTH_GENERIC_OAUTH_NAME=Okta
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
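# Placeholders only: values set with ENV are stored in the image, so supply the real client id and secret at run time
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<id>
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<secret>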
ENV GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<xyz>.okta.com/oauth2/v1/authorize
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<xyz>.okta.com/oauth2/v1/token
ENV GF_AUTH_GENERIC_OAUTH_API_URL=https://<xyz>.okta.com/oauth2/v1/userinfo
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
ENV GF_AUTH_OAUTH_AUTO_LOGIN=true

USER root

RUN mkdir -p /var/lib/grafana/dashboards
ADD grafana_dashboards/belts-dashboard.json /var/lib/grafana/dashboards/belts-dashboard.json
ADD grafana_dashboards/dashboards.yaml /etc/grafana/provisioning/dashboards/dashboards.yaml
ADD grafana_dashboards/elastic_datasource.yaml /etc/grafana/provisioning/datasources/elastic_datasource.yaml

EXPOSE 8080

Note that Grafana is running on http://:8080, and you have configured an nginx proxy server to run on 443 and proxy calls to Grafana running on 8080.
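
An earlier note in this post recommends supplying the environment variables at run time, while this Dockerfile carries the client secret in an ENV line, where it is stored in the image configuration. As an added example (not from the original post), the script below lists credential-named ENV keys and writes the remaining GF_* settings to a file for `docker run --env-file`; the function names, the `_SECRET`/`_PASSWORD` naming rule and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). All sample values are constructed.

# Names of ENV keys in a Dockerfile whose names mark them as credentials.
baked_secrets() {   # $1 = Dockerfile path
    sed -n 's/^ENV[[:space:]]\{1,\}\([A-Z0-9_]*\)=.*/\1/p' "$1" |
        grep -E '_(SECRET|PASSWORD)$' || true
}

# Copy the non-secret GF_* settings into a file for `docker run --env-file`.
# docker passes env-file values verbatim, so the surrounding double quotes
# that a Dockerfile ENV line would strip are removed here.
envfile_from_dockerfile() {   # $1 = Dockerfile path, $2 = env file to write
    ( umask 077   # a newly created env file is readable by its owner only
      sed -n 's/^ENV[[:space:]]\{1,\}\(GF_[A-Z0-9_]*=.*\)$/\1/p' "$1" |
          grep -Ev '^[A-Z0-9_]*_(SECRET|PASSWORD)=' |
          sed 's/^\([A-Z0-9_]*\)="\(.*\)"$/\1=\2/' > "$2" )
}

# Constructed sample: a cut-down version of the Grafana Dockerfile above.
write_sample_dockerfile() {   # $1 = path to write
    cat > "$1" <<'EOF'
FROM grafana/grafana:5.4.3
ENV GF_SERVER_HTTP_PORT=8080
# ENV GF_PATHS_PROVISIONING=/etc/grafana/provisioning
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_ID=sample-client-id
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=sample-secret-value
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://xyz.example/oauth2/v1/token
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
EOF
}

demo_dir=$(mktemp -d)
write_sample_dockerfile "$demo_dir/Dockerfile"
echo "Credentials found in ENV lines (supply these at run time instead):"
baked_secrets "$demo_dir/Dockerfile"
envfile_from_dockerfile "$demo_dir/Dockerfile" "$demo_dir/grafana.env"
echo "Contents of grafana.env for: docker run --env-file grafana.env ..."
cat "$demo_dir/grafana.env"
rm -rf "$demo_dir"
```

The commented-out `# ENV` line is skipped, and the scopes value lands in the env file without its quotes, which is what Grafana needs to receive.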

Make the dashboard as Home Page for self only

First, log in to your Grafana app. Assuming you have imported or created the dashboard, you need to star it: there is a star icon in front of it. Alternatively, when you open the dashboard, there is an option to star it at the top right.

Now,

  • Click on your username at the bottom left.
  • Click on Preferences
  • Click on drop down saying: Home
  • Select your dashboard, and save it.

Make the dashboard as Home for global site

You need to be an admin to do this. Assuming you have imported or created the dashboard, you need to star it: there is a star icon in front of it. Alternatively, when you open the dashboard, there is an option to star it at the top right.

Now,

  • Click on Admin -> Preferences OR Settings -> Preferences, on Mid-left
  • Click on Home drop down
  • Select the dashboard, and save it.

I’ve also written a post about running Grafana dashboard on Kubernetes.

Hope it is useful to you.

