Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apps: Grafana- add config option for using external dex with user grafana #2406

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

apps: Grafana- add config option for using external dex with user grafana #2406

wants to merge 1 commit into from

Conversation

lucianvlad
Copy link
Contributor

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

What does this PR do / why do we need this PR?

In this PR we add a config option in user grafana to use external dex

  • Fixes #

Information to reviewers

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@lucianvlad lucianvlad requested a review from a team as a code owner January 22, 2025 07:15
@lucianvlad lucianvlad self-assigned this Jan 22, 2025
linus-astrom
linus-astrom reviewed Jan 23, 2025
View reviewed changes
helmfile.d/values/grafana/grafana-user.yaml.gotmpl
auth_url: https://{{ .Values.grafana.user.oidc.externalDexDomain }}{{ $trailingDot }}/auth
token_url: https://{{ .Values.grafana.user.oidc.externalDexDomain }}{{ $trailingDot }}/token
api_url: https://{{ .Values.grafana.user.oidc.externalDexDomain }}{{ $trailingDot }}/api
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should you add these settings to the grafana-ops.yaml.gotmpl aswell?
As otherwise i'm wondering why the keys aren't just added to the grafana.user section as they do nothing for the ops grafana version currently.

Zash
Zash requested changes Jan 23, 2025
View reviewed changes
Copy link
Contributor

@Zash Zash left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs at least schema for the new options.

config/sc-config.yaml
Comment on lines +150 to +151
useInternalDex: true
externalDexDomain: set-me
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can get a starting point for schema by:

yq4 -i '.properties.grafana.properties.ops.properties.oidc.properties.useInternalDex.type="boolean"' config/schemas/config.yaml
yq4 -i '.properties.grafana.properties.ops.properties.oidc.properties.externalDexDomain.type="string"' config/schemas/config.yaml

helmfile.d/values/grafana/grafana-user.yaml.gotmpl
@@ -112,9 +112,15 @@ grafana.ini:
client_secret: $__env{clientSecret}
use_pkce: true
scopes: {{ .Values.grafana.user.oidc.scopes }}
{{- if .Values.grafana.user.oidc.useInternalDex }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be simpler if this was conditional on externalDexDomain being set instead of having two settings?

@Zash
Copy link
Contributor

Zash commented Jan 23, 2025

What is the reason for pointing Grafana at a custom dex instead of pointing Dex at another OIDC instance?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@linus-astrom linus-astrom linus-astrom left review comments

@Zash Zash Zash requested changes

@Pavan-Gunda Pavan-Gunda Pavan-Gunda approved these changes

@Xartos Xartos Awaiting requested review from Xartos

@davidumea davidumea Awaiting requested review from davidumea

Requested changes must be addressed to merge this pull request.

Assignees

@lucianvlad lucianvlad

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lucianvlad @Zash @Pavan-Gunda @linus-astrom