Enable GitHub Organisation authentication for Grafana

We can enable GitHub Organisation authentication against a Grafana instance in order to allow access to the dashboards for the whole 2i2c GitHub organisation, or a community’s GitHub organisation.

Note

This is the default authentication method for 2i2c staff wanting to visualise the dashboards on The 2i2c Central Grafana. However, we can also offer this method of authentication to communities on their cluster-specific Grafana instance only if they want to give Viewer access to a whole GitHub organisation and they are on a dedicated cluster. Otherwise, the default method to provide access to a community representative is to generate an invite link.

To enable logging into Grafana using GitHub Organisations, follow these steps:

  1. Create a GitHub OAuth application following Grafana’s documentation.

    • Create a new app inside the 2i2c-org.

    • When naming the application, please follow the convention <cluster_name>-grafana for consistency, e.g. 2i2c-grafana is the OAuth app for the Grafana running in the 2i2c cluster.

    • The Homepage URL should match that in the grafana.ingress.hosts field of the appropriate cluster support.values.yaml file in the infrastructure repo. For example, https://grafana.pilot.2i2c.cloud.

    • The authorisation callback URL is the Homepage URL appended with /login/github. For example, https://grafana.pilot.2i2c.cloud/login/github.

    • Once you have created the OAuth app, create a new client ID, generate a client secret and then hold on to these values for a future step.

  2. Using sops, edit the encrypted enc-support.secret.values.yaml file in the chosen cluster directory and add the credentials created in step one:

    grafana:
      grafana.ini:
        auth.github:
          client_id: <client-id>
          client_secret: <client-secret>
    
  3. Edit the support.values.yaml file in your chosen cluster directory and add the Grafana GitHub auth config, specifying the GitHub organization whose members should be allowed to log in.

    grafana:
      grafana.ini:
        server:
          # root_url should point to the domain we redirect to if we have multiple
          # domain names configured and redirects from one to another
          #
          # FIXME: root_url is also required to be the same as the
          #        grafana.ingress.hosts[0] config specifically until
          #        https://github.com/2i2c-org/infrastructure/issues/2533 is
          #        resolved.
          #
          root_url: https://<grafana.ingress.hosts[0]>/
        auth.github:
          enabled: true
          # allowed_organizations should be a space separated list
          allowed_organizations: 2i2c-org
    

    Note

    Check out the Grafana documentation for more info about authorizing users using other types of membership than GitHub organizations.
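
A pre-deploy lint for the rules in steps 1 to 3, as an added example that is not part of the 2i2c documentation or infrastructure repo. The function name and the sample mappings are constructed for illustration, and the function assumes the support.values.yaml file has already been parsed into a mapping.

```python
# Added example (not 2i2c code): lint a parsed support.values.yaml mapping
# against steps 1-3. The function name is hypothetical.

def check_grafana_github_auth(values):
    """Return (problems, expected_callback_url) for the unencrypted values."""
    problems = []
    grafana = values.get("grafana") or {}
    hosts = (grafana.get("ingress") or {}).get("hosts") or []
    ini = grafana.get("grafana.ini") or {}
    server = ini.get("server") or {}
    gh = ini.get("auth.github") or {}

    callback = None
    if not hosts:
        problems.append("grafana.ingress.hosts is empty")
    else:
        homepage = f"https://{hosts[0]}"
        # Step 1: the OAuth app's callback URL is the Homepage URL + /login/github
        callback = homepage + "/login/github"
        # Step 3: root_url must match grafana.ingress.hosts[0]
        if server.get("root_url") != homepage + "/":
            problems.append(f"root_url must be {homepage}/")
    if gh.get("enabled") is not True:
        problems.append("auth.github.enabled is not true")
    if not str(gh.get("allowed_organizations") or "").split():
        problems.append("allowed_organizations is empty: no organisation restriction")
    # Step 2: credentials live only in the sops-encrypted file
    if "client_secret" in gh:
        problems.append("client_secret belongs in enc-support.secret.values.yaml")
    return problems, callback

# Constructed samples, reusing the page's example host and organisation.
GOOD = {"grafana": {
    "ingress": {"hosts": ["grafana.pilot.2i2c.cloud"]},
    "grafana.ini": {
        "server": {"root_url": "https://grafana.pilot.2i2c.cloud/"},
        "auth.github": {"enabled": True, "allowed_organizations": "2i2c-org"}}}}
BAD = {"grafana": {
    "ingress": {"hosts": ["grafana.pilot.2i2c.cloud"]},
    "grafana.ini": {
        "server": {"root_url": "https://grafana.example.org/"},
        "auth.github": {"enabled": True, "allowed_organizations": "",
                        "client_secret": "<client-secret>"}}}}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_grafana_github_auth(cfg))
```

Compare the returned callback URL with the one registered on the GitHub OAuth app before deploying.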