How to configure Grafana (free version) with Okta OAuth and SSL on Kubernetes

April 10, 2020

Introduction

In our previous post, How to configure Grafana on docker, we saw how to run the Grafana Docker container with SSL and Okta OAuth.

In this post, we will see how to run that Docker image on a Kubernetes cluster.

Note: I'm not going to go into Kubernetes itself. I will just focus on the Dockerfile and the environment variables it needs.

Some Pre-requisites

I'm assuming you have already configured an Ingress rule and exposed a Kubernetes Service for this Grafana dashboard. The Ingress rule should map your cluster IP to the app name: trainings

We are going to name our app trainings.

Kubernetes YAML file for the Service

Configuring the Service

apiVersion: v1
kind: Service
metadata:
  name: trainings
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: trainings

Kubernetes YAML file for the Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: trainings
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: "<your host name>"
    http:
      paths:
      - backend:
          serviceName: trainings
          servicePort: 80
  tls:
    - hosts:
        - <your host name>
      secretName: trainings-secret

Note: you also have to provision the TLS certificate for your hostname in the cluster. The Ingress above expects it in the Secret named trainings-secret, in the same namespace as the Ingress.

The actual Dockerfile

# Grafana 6.3.6 base image. TLS terminates at the Ingress, so Grafana itself serves plain HTTP.
FROM grafana/grafana:6.3.6

# Port Grafana listens on inside the container. It must match EXPOSE below, the Service
# targetPort, and GF_SERVER_HTTP_PORT in the ConfigMap (which overrides this value at deploy time).
ENV GF_SERVER_HTTP_PORT=8080

# No anonymous access; enable the generic OAuth provider and point it at Okta.
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_AUTH_GENERIC_OAUTH_NAME=Okta
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<XYZ>.okta.com/oauth2/v1/authorize
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<XYZ>.okta.com/oauth2/v1/token
ENV GF_AUTH_GENERIC_OAUTH_API_URL=https://<XYZ>.okta.com/oauth2/v1/userinfo
# No local sign-up and no local login form: Okta is the only way in.
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
ENV GF_AUTH_OAUTH_AUTO_LOGIN=true
ENV GF_SECURITY_ADMIN_USER=<your email>
# The session cookie is sent only over HTTPS (the public URL is https) and not on cross-site requests.
ENV GF_SECURITY_COOKIE_SAMESITE=lax
ENV GF_SECURITY_COOKIE_SECURE=true

# Root is needed only to create the dashboards directory and copy the provisioning files.
USER root

RUN mkdir -p /var/lib/grafana/dashboards
COPY grafana_dashboards/belts-dashboard.json /var/lib/grafana/dashboards/belts-dashboard.json
COPY grafana_dashboards/dashboards.yaml /etc/grafana/provisioning/dashboards/dashboards.yaml
COPY grafana_dashboards/elastic_datasource.yaml /etc/grafana/provisioning/datasources/elastic_datasource.yaml

# Drop back to the unprivileged user the base image runs as, so Grafana does not run as root.
USER grafana

EXPOSE 8080

Kubernetes ConfigMap YAML

Let's take a look at the Kubernetes ConfigMap YAML file (all values are strings; they are injected as environment variables and override the ENV values baked into the image):

apiVersion: v1
kind: ConfigMap
metadata:
  name: trainings
data:
  GF_SERVER_PROTOCOL: "http"
  GF_SERVER_ROOT_URL: "https://<your host name>"
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "<client id>"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "<secret>"
  GF_SERVER_HTTP_PORT: "8080"

Kubernetes Deployment file

# apps/v1 is the current Deployment API (extensions/v1beta1 was removed in Kubernetes 1.16);
# it requires an explicit selector that matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trainings
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trainings
  template:
    metadata:
      labels:
        app: trainings
    spec:
      containers:
      - name: trainings
        image: <your Artifactory path to grafana image>:<version>
        resources:
          limits:
            cpu: 1
            memory: 1024Mi
          requests:
            cpu: 1
            memory: 1024Mi
        envFrom:
          - configMapRef:
              name: trainings
      imagePullSecrets:
      - name: <your secret name>
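The ConfigMap above carries GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET next to ordinary settings. Kubernetes does not treat ConfigMaps as sensitive (RBAC roles, audit policies and encryption at rest all single out Secrets), so the usual practice is to keep the client secret in a Secret and inject it with a second envFrom entry of type secretRef. The following Python is an example added for this post, not the post's own code: it takes the ConfigMap and Deployment as dicts (the shape PyYAML's safe_load would give, filled with constructed placeholder values), moves keys that look sensitive into an Opaque Secret, and adds the secretRef to the container. The Secret name trainings-oauth and the placeholder values are assumptions.

```python
"""Split sensitive keys out of a ConfigMap into a Secret and wire it into a Deployment.

Added example for this post. Manifests below are constructed with placeholder values
and mirror the post's ConfigMap and Deployment; the Secret name is an assumption.
"""
import base64
import copy
import json

CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "trainings"},
    "data": {
        "GF_SERVER_PROTOCOL": "http",
        "GF_SERVER_ROOT_URL": "https://grafana.example.com",      # constructed host
        "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": "0oa-placeholder-id",  # constructed
        "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET": "placeholder",      # constructed
        "GF_SERVER_HTTP_PORT": "8080",
    },
}

DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "trainings"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "trainings"}},
        "template": {
            "metadata": {"labels": {"app": "trainings"}},
            "spec": {
                "containers": [{
                    "name": "trainings",
                    "image": "registry.example/grafana:placeholder",  # constructed
                    "envFrom": [{"configMapRef": {"name": "trainings"}}],
                }],
            },
        },
    },
}

# Suffixes that mark a Grafana setting as credential material.
SENSITIVE_SUFFIXES = ("_SECRET", "_PASSWORD", "_TOKEN", "_KEY")


def is_sensitive(key):
    """True for keys whose value should live in a Secret rather than a ConfigMap."""
    return key.upper().endswith(SENSITIVE_SUFFIXES)


def split_secrets(configmap, secret_name):
    """Return (configmap without sensitive keys, Opaque Secret holding them).

    Secret.data values are base64-encoded, as kubectl expects in a manifest.
    """
    cm = copy.deepcopy(configmap)
    public, sensitive = {}, {}
    for key, value in cm["data"].items():
        (sensitive if is_sensitive(key) else public)[key] = value
    cm["data"] = public
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in sensitive.items()},
    }
    return cm, secret


def add_secret_ref(deployment, secret_name, container_name):
    """Return a copy of the Deployment whose named container also loads env from the Secret."""
    dep = copy.deepcopy(deployment)
    for container in dep["spec"]["template"]["spec"]["containers"]:
        if container["name"] == container_name:
            env_from = container.setdefault("envFrom", [])
            ref = {"secretRef": {"name": secret_name}}
            if ref not in env_from:
                env_from.append(ref)
    return dep


if __name__ == "__main__":
    # kubectl apply -f accepts JSON as well as YAML, so the result can be applied directly.
    cm, secret = split_secrets(CONFIGMAP, "trainings-oauth")
    dep = add_secret_ref(DEPLOYMENT, "trainings-oauth", "trainings")
    for manifest in (cm, secret, dep):
        print(json.dumps(manifest, indent=2))
```

Because the sensitive keys are removed from the ConfigMap, the two envFrom sources never define the same variable, so Kubernetes' last-source-wins rule for duplicate keys does not come into play.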

Applying the configurations

Apply the ConfigMap:

kubectl apply -f config/config.yml

Apply the Deployment:

kubectl apply -f deployments/deployment.yml

Browse to your hostname: Grafana should redirect you to Okta to log in, and Okta should then send you back to your Grafana dashboard.
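Several values in the Service, Ingress, ConfigMap and Dockerfile above have to agree before that redirect works: the Ingress host and TLS host must match the host in GF_SERVER_ROOT_URL, the Ingress backend port must be a Service port whose targetPort is the port Grafana actually listens on (the ConfigMap's GF_SERVER_HTTP_PORT, which overrides the image's ENV), and the auth settings must not reopen anonymous access or local sign-up. The script below is an example added for this post, not the post's own code: it models those manifests as dicts with constructed placeholder values (the hostname grafana.example.com is an assumption), derives the redirect URI Grafana's generic OAuth provider uses (GF_SERVER_ROOT_URL plus /login/generic_oauth, which is the URL to register in the Okta application), and reports any mismatch before anything is applied.

```python
"""Pre-deploy consistency check for Grafana behind an Ingress with Okta OAuth.

Added example for this post; manifests are constructed with placeholder values
and mirror the post's Service, Ingress, ConfigMap and Dockerfile ENV lines.
"""
from urllib.parse import urlsplit

HOST = "grafana.example.com"  # constructed; the post uses <your host name>

SERVICE = {
    "kind": "Service",
    "spec": {"ports": [{"port": 80, "targetPort": 8080}], "selector": {"app": "trainings"}},
}
INGRESS = {
    "kind": "Ingress",
    "spec": {
        "rules": [{"host": HOST, "http": {"paths": [
            {"backend": {"serviceName": "trainings", "servicePort": 80}}]}}],
        "tls": [{"hosts": [HOST], "secretName": "trainings-secret"}],
    },
}
# ENV lines baked into the image (subset relevant to the checks).
DOCKERFILE_ENV = {
    "GF_SERVER_HTTP_PORT": "443",
    "GF_AUTH_ANONYMOUS_ENABLED": "false",
    "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",
    "GF_USERS_ALLOW_SIGN_UP": "false",
    "GF_AUTH_DISABLE_LOGIN_FORM": "true",
    "GF_SECURITY_COOKIE_SECURE": "true",
}
# ConfigMap data injected with envFrom; these override the image ENV.
CONFIGMAP_DATA = {
    "GF_SERVER_PROTOCOL": "http",
    "GF_SERVER_ROOT_URL": "https://" + HOST,
    "GF_SERVER_HTTP_PORT": "8080",
}


def effective_env(image_env, configmap_data):
    """Environment as Grafana sees it: container env (from the ConfigMap) wins over image ENV."""
    env = dict(image_env)
    env.update(configmap_data)
    return env


def okta_redirect_uri(env):
    """Callback URL of Grafana's generic OAuth provider; register this in the Okta app."""
    return env["GF_SERVER_ROOT_URL"].rstrip("/") + "/login/generic_oauth"


def is_true(env, key, default="false"):
    return env.get(key, default).strip().lower() == "true"


def check(service, ingress, env):
    """Return human-readable findings; an empty list means the pieces fit together."""
    findings = []
    root = urlsplit(env.get("GF_SERVER_ROOT_URL", ""))
    if root.scheme != "https":
        findings.append("GF_SERVER_ROOT_URL must be https, or the OAuth redirect and cookies travel in clear text")
    rule_hosts = {rule["host"] for rule in ingress["spec"]["rules"]}
    tls_hosts = {h for entry in ingress["spec"].get("tls", []) for h in entry["hosts"]}
    if root.hostname not in rule_hosts:
        findings.append("GF_SERVER_ROOT_URL host %r has no Ingress rule" % root.hostname)
    for host in sorted(rule_hosts - tls_hosts):
        findings.append("Ingress host %r is served without TLS" % host)
    # Wiring: Ingress backend port -> Service port -> targetPort -> Grafana listen port.
    svc_ports = {p["port"]: p["targetPort"] for p in service["spec"]["ports"]}
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            if path["backend"]["servicePort"] not in svc_ports:
                findings.append("Ingress backend port %s is not a Service port" % path["backend"]["servicePort"])
    listen = int(env.get("GF_SERVER_HTTP_PORT", "3000"))  # Grafana's built-in default is 3000
    if listen not in svc_ports.values():
        findings.append("Grafana listens on %d but no Service targetPort points there" % listen)
    # Auth hardening the setup relies on.
    if is_true(env, "GF_AUTH_ANONYMOUS_ENABLED"):
        findings.append("anonymous access is enabled")
    if not is_true(env, "GF_AUTH_GENERIC_OAUTH_ENABLED"):
        findings.append("generic OAuth is disabled, so the Okta login will not be offered")
    if is_true(env, "GF_USERS_ALLOW_SIGN_UP", default="true"):  # Grafana defaults this to true
        findings.append("local sign-up is allowed")
    if root.scheme == "https" and not is_true(env, "GF_SECURITY_COOKIE_SECURE"):
        findings.append("session cookie is not marked Secure")
    return findings


if __name__ == "__main__":
    env = effective_env(DOCKERFILE_ENV, CONFIGMAP_ENV if False else CONFIGMAP_DATA)
    print("Okta redirect URI:", okta_redirect_uri(env))
    for line in check(SERVICE, INGRESS, env) or ["ok: manifests are consistent"]:
        print("-", line)
```

In practice, load the real manifests with PyYAML's safe_load in place of the constructed dicts; the Okta side must then list exactly the printed redirect URI as the application's sign-in redirect URI, and GF_SERVER_ROOT_URL must match the public hostname or Grafana will build the wrong callback.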
