Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Login for Grafana with Dex(OIDC) #2378

Merged
merged 1 commit into from
Apr 7, 2020
Merged

Enable Login for Grafana with Dex(OIDC) #2378

merged 1 commit into from
Apr 7, 2020

Conversation

Ebaneck
Copy link
Contributor

@Ebaneck Ebaneck commented Apr 7, 2020

Component:

'charts', 'kubernetes', 'oidc', 'authentication'

Context:

Basic authentication was deprecated in 2.5 branch and Dex(OIDC) was introduced. It is only fair that we make use of the Dex user store as a source of truth for Grafana authentication before a 2.5 release.

Why?

  • Users will not lose Grafana username/password customizations when they henceforth upgrade from 2.5 to 2.6
  • We can gracefully update the documentation to reflect a common procedure for changing username and passwords for both Grafana UI and MetalK8s UI instead of using two different documented procedure.

Things to keep:

  • Continue to warn users of the possible loss of Grafana username/password customizations when they upgrade from 2.4 to 2.5 as it is already the case in the documentation

Summary:

This PR adds the following changes:

  • Adds and enable Single Sign-On for Dex-Grafana as the default means of authentication into Grafana

Acceptance criteria:

Closes: #ISSUE_NUMBER

@Ebaneck
charts: enable Single Sign-On (SSO) for Grafana
0d06a59 
This commit enables Single Sign-On for Grafana while making use
of Dex as an OIDC provider.

Initially, we used basic auth for signing into Grafana and with this
approach, user settings such as username and password are lost during
an upgrade/downgrade scenario.

Now, access to grafana is guaranteed by the OIDC user store and as such
persisted throughout.

This chart is re-rendered using:
 ./charts/render.py prometheus-operator --namespace metalk8s-monitoring
charts/prometheus-operator.yaml --service-config grafana metalk8s-grafana-config
--service-config prometheus  metalk8s-prometheus-config --service-config alertmanager
metalk8s-alertmanager-config charts/prometheus-operator/ > salt/metalk8s/addons/prometheus-operator/deployed/chart.sls
@Ebaneck Ebaneck requested a review from a team April 7, 2020 09:42
@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

Hello ebaneck,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

Integration data created

I have created the integration data for the additional destination branches.

The following branches will NOT be impacted:

  • development/1.0
  • development/1.1
  • development/1.2
  • development/1.3
  • development/2.0
  • development/2.1
  • development/2.2
  • development/2.3
  • development/2.4

You can set option create_pull_requests if you need me to create
integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

@Ebaneck Ebaneck changed the title Enable Single Sign-on for Grafana with Dex(OIDC) Enable Sigiin for Grafana with Dex(OIDC) Apr 7, 2020
@Ebaneck Ebaneck changed the title Enable Sigiin for Grafana with Dex(OIDC) Enable Login for Grafana with Dex(OIDC) Apr 7, 2020
@Ebaneck Ebaneck requested a review from thomasdanan April 7, 2020 10:23
gdemonet
gdemonet suggested changes Apr 7, 2020
View reviewed changes
charts/prometheus-operator.yaml
oauth_auto_login: true
auth.generic_oauth:
enabled: true
tls_skip_verify_insecure: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mmmh... Really? Can't we give it the Ingress cert?

@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

The following reviewers are expecting changes from the author, or must review again:

@Ebaneck Ebaneck mentioned this pull request Apr 7, 2020
Open
@Ebaneck
Copy link
Contributor Author

Ebaneck commented Apr 7, 2020

/approve

@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • one peer

Peer approvals must include at least 1 approval from the following list:

The following reviewers are expecting changes from the author, or must review again:

The following options are set: approve

@Ebaneck Ebaneck requested a review from gdemonet April 7, 2020 14:17
@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

  • ✔️ development/2.5

  • ✔️ development/2.6

The following branches will NOT be impacted:

  • development/1.0
  • development/1.1
  • development/1.2
  • development/1.3
  • development/2.0
  • development/2.1
  • development/2.2
  • development/2.3
  • development/2.4

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

  • Any commit you add on the source branch will trigger a new cycle after the
    current queue is merged.
  • Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve

@bert-e
Copy link
Contributor

bert-e commented Apr 7, 2020

I have successfully merged the changeset of this pull request
into targetted development branches:

  • ✔️ development/2.5

  • ✔️ development/2.6

The following branches have NOT changed:

  • development/1.0
  • development/1.1
  • development/1.2
  • development/1.3
  • development/2.0
  • development/2.1
  • development/2.2
  • development/2.3
  • development/2.4

Please check the status of the associated issue None.

Goodbye ebaneck.

@bert-e bert-e merged commit 32bf182 into development/2.5 Apr 7, 2020
@bert-e bert-e deleted the improvement/enable-sso-for-grafana branch April 7, 2020 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gdemonet gdemonet gdemonet approved these changes

@thomasdanan thomasdanan Awaiting requested review from thomasdanan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Ebaneck @bert-e @gdemonet