
Grafana with OAuth Proxy

Build

---
# ImageStream that receives the image pushed by the BuildConfig below.
apiVersion: v1
kind: ImageStream
metadata:
  name: grafana
  labels:
    app: grafana
---
# BuildConfig: Docker-strategy build of the Grafana image from a Git
# repository, pushed to the ImageStreamTag grafana:latest.
apiVersion: v1
kind: BuildConfig
metadata:
  name: grafana
  labels:
    app: grafana
spec:
  runPolicy: Serial
  nodeSelector: null
  resources: {}
  postCommit: {}
  # Keep the last five failed and the last five successful builds.
  failedBuildsHistoryLimit: 5
  successfulBuildsHistoryLimit: 5
  # NOTE(review): `ref: master` tracks a moving branch of an external
  # repository, so every build takes whatever is at its head at that moment.
  # Pinning `ref` to a reviewed commit makes the image reproducible and keeps
  # upstream changes out until they have been looked at.
  source:
    type: Git
    git:
      uri: https://github.com/rbo/grafana-docker.git
      ref: master
  strategy:
    type: Docker
    dockerStrategy: {}
  output:
    to:
      kind: ImageStreamTag
      name: 'grafana:latest'
  # Only a change to this BuildConfig starts a build; no webhook or image
  # trigger is configured.
  triggers:
    - type: ConfigChange

Deployment

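# OpenShift List with everything needed to run Grafana behind the OpenShift
# oauth-proxy sidecar: ServiceAccount, Route, Service and DeploymentConfig.
# Traffic path: Route (re-encrypt TLS) -> Service 443 -> oauth-proxy :8443
# -> Grafana on localhost:3000 inside the same pod.
kind: List
apiVersion: v1
items:
# Create a proxy service account and ensure it will use the route "grafana"
# as its OAuth redirect target.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: grafana
    annotations:
      serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana"}}'
# Create a secure connection to the proxy via a route
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    name: grafana
  spec:
    to:
      name: grafana
    tls:
      # TLS is terminated at the router and re-established to the pod.
      termination: Reencrypt
# Service in front of the oauth-proxy port. The annotation requests a serving
# certificate, stored in the secret "grafana-tls" that the pod mounts below.
- apiVersion: v1
  kind: Service
  metadata:
    name: grafana
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: grafana-tls
  spec:
    ports:
    - name: grafana
      port: 443
      # Only the proxy port is exposed; Grafana's own port 3000 is not.
      targetPort: 8443
    selector:
      app: grafana
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    labels:
      app: grafana
    name: grafana
  spec:
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      deploymentConfig: grafana
    strategy:
      activeDeadlineSeconds: 21600
      recreateParams:
        timeoutSeconds: 600
      resources: {}
      type: Recreate
    template:
      metadata:
        labels:
          app: grafana
          deploymentConfig: grafana
        name: grafana
      spec:
        serviceAccountName: grafana
        containers:
        # Sidecar that authenticates users against OpenShift and forwards
        # authenticated requests to Grafana on localhost.
        - name: oauth-proxy
          image: openshift/oauth-proxy:v1.0.0
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 8443
            name: public
          # NOTE(review): no --openshift-sar (or similar authorization flag)
          # is set, so as far as this manifest shows every user who can log
          # in to the cluster is let through; add one if access should be
          # limited to a project or role.
          args:
          - --https-address=:8443
          - --provider=openshift
          - --openshift-service-account=grafana
          - --upstream=http://localhost:3000
          - --tls-cert=/etc/tls/private/tls.crt
          - --tls-key=/etc/tls/private/tls.key
          # NOTE(review): "SECRET" is a placeholder. This value protects the
          # proxy's session cookie, so a deployment that keeps the published
          # placeholder has a cookie secret anyone can know. Generate a random
          # value per deployment and keep it in a Secret (oauth-proxy also
          # accepts --cookie-secret-file) instead of in this manifest.
          - --cookie-secret=SECRET
          - --pass-basic-auth=false
          volumeMounts:
          - mountPath: /etc/tls/private
            name: grafana-tls
        # Grafana itself; the image comes from the ImageStreamTag resolved by
        # the ImageChange trigger at the bottom.
        - image: grafana:latest
          imagePullPolicy: Always
          name: grafana
          env:
          # Grafana accepts the user name in X-Forwarded-User from whoever
          # connects to port 3000. Listen on loopback only, so that the
          # oauth-proxy sidecar in this pod is the sole client and the header
          # cannot be supplied directly over the pod IP.
          - name: GF_SERVER_HTTP_ADDR
            value: '127.0.0.1'
          # NOTE(review): basic auth stays enabled next to proxy auth. If no
          # API client needs it, consider 'false', and change Grafana's
          # default admin password either way.
          - name: GF_AUTH_BASIC_ENABLED
            value: 'true'
          - name: GF_AUTH_PROXY_ENABLED
            value: 'true'
          - name: GF_AUTH_PROXY_HEADER_NAME
            value: 'X-Forwarded-User'
          - name: GF_AUTH_PROXY_HEADER_PROPERTY
            value: 'username'
          # Users that pass the proxy get a Grafana account on first login.
          - name: GF_AUTH_PROXY_AUTO_SIGN_UP
            value: 'true'
          - name: GF_AUTH_DISABLE_LOGIN_FORM
            value: 'true'
          - name: GF_USERS_ALLOW_SIGN_UP
            value: 'false'
          ports:
          - containerPort: 3000
            name: http
            protocol: TCP
          resources: {}
          securityContext: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
        volumes:
        # Serving certificate and key for the proxy's HTTPS listener.
        - name: grafana-tls
          secret:
            secretName: grafana-tls
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 60
    test: false
    triggers:
    # Redeploy when a new grafana:latest image is pushed by the build.
    - imageChangeParams:
        automatic: true
        containerNames:
        - grafana
        from:
          kind: ImageStreamTag
          name: grafana:latest
      type: ImageChange
    - type: ConfigChange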

Last update: April 12, 2020