Configuring GitHub SSO for the Grafana monitoring service
The Grafana instance (https://monitoring.roundtable.lsst.codes) is accessible through GitHub OAuth single sign-on (SSO). This page is an overview of how the GitHub SSO is configured and is intended for Roundtable operators.
GitHub OAuth app and grafana.ini configuration
The GitHub OAuth app is called LSST Roundtable Monitor and is owned by the lsst-sqre GitHub organization.
GitHub SSO is primarily configured through the values.yaml file. The Grafana Helm chart translates the YAML into the standard grafana.ini configuration file. For the meaning of the individual settings, see the Grafana documentation on GitHub OAuth2 Authentication.
The only part of the configuration not included in the values.yaml file is the GitHub OAuth client secret. This value is obtained from an environment variable override mounted from the grafana-env secret resource (see the envFromSecret field in the values.yaml file).
The secret configuration:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: grafana-env
type: Opaque
stringData:
  GF_AUTH_GITHUB_CLIENT_SECRET: "<client-secret>"
```
Deploy this secret into the prometheus namespace.
Organization and team-based access
Only GitHub users belonging to certain GitHub organizations, and teams within organizations, can authenticate.
Important: GitHub organization and team membership does not automatically translate into specific roles within Grafana. See Assigning users to Organizations and Roles, below.
Initially, only members of the lsst-sqre GitHub organization and its roundtable-ops team can authenticate. This will be expanded later to allow application developers who are not part of the ops team to monitor their applications.
To identify the team ID for the team_ids configuration field, use this HTTP call (using httpie):

http get https://api.github.com/orgs/<org>/teams Authorization:"token <token>"

Replace <token> with a GitHub personal access token. Replace <org> with the slug of a GitHub organization (for example lsst-sqre).
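The same lookup as a script, added here as an example that is not part of the Roundtable documentation or configuration: it walks the paginated /orgs/<org>/teams endpoint with urllib in place of httpie and turns team slugs into the comma-separated numeric IDs that the team_ids field expects. The sample response and its team IDs are constructed placeholders, not real lsst-sqre values.

```python
import json
import urllib.request

# Constructed sample of what GET /orgs/<org>/teams returns (fields trimmed);
# the slugs and numeric ids are made-up placeholders, not real lsst-sqre teams.
SAMPLE_TEAMS_JSON = json.dumps([
    {"id": 1111111, "slug": "roundtable-ops", "name": "Roundtable Ops"},
    {"id": 2222222, "slug": "app-developers", "name": "App Developers"},
])


def sample_teams():
    """Parsed form of the constructed sample above, for offline use."""
    return json.loads(SAMPLE_TEAMS_JSON)


def fetch_teams(org, token, per_page=100):
    """Return every team in `org` as the GitHub API reports it.

    The teams endpoint is paginated, so this walks the pages until a short
    page comes back instead of trusting the first page of results.
    """
    teams, page = [], 1
    while True:
        url = f"https://api.github.com/orgs/{org}/teams?per_page={per_page}&page={page}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"token {token}",  # same header the httpie call sends
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            chunk = json.loads(resp.read())
        teams.extend(chunk)
        if len(chunk) < per_page:
            return teams
        page += 1


def team_ids_for(teams, wanted_slugs):
    """Map team slugs to the numeric ids Grafana's team_ids field expects.

    A slug that is not in `teams` raises KeyError, so a typo fails loudly
    instead of silently producing an allow-list that admits nobody.
    """
    by_slug = {t["slug"]: t["id"] for t in teams}
    missing = [s for s in wanted_slugs if s not in by_slug]
    if missing:
        raise KeyError(f"no such team(s) in org: {', '.join(missing)}")
    return ",".join(str(by_slug[s]) for s in wanted_slugs)


if __name__ == "__main__":
    # Offline demo on the constructed sample; use fetch_teams("lsst-sqre", token)
    # in place of sample_teams() to query the real organization.
    print(team_ids_for(sample_teams(), ["roundtable-ops"]))
```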
Assigning users to Organizations and Roles
By default, authenticated users get “Viewer” privileges. At the moment, members must be manually granted admin or editor privileges by an admin user.
The credentials for the default admin user are in SQuaRE’s 1Password account; see the Roundtable Grafana entry.