Introduction
In this post, we will see how to:
- Use Grafana Community Edition (free version)
- Configure Okta OAuth as the only way to log in
- Use the official Docker image of Grafana, 5.4.3
- Make a user an admin from configuration
- Disable the login form and sign-ups
- Load a dashboard from JSON within the Docker image itself
- Run Grafana on HTTPS/SSL using Nginx
- Run Grafana on HTTPS/SSL without Nginx
Grafana is an excellent tool to visualize your data. SAML consumption is not supported by the free version of Grafana, but we can use an Okta OAuth configuration instead.
Pre-requisite
You have to configure your app in Okta and take its credentials: the secret key and the client ID.
HTTPS/SSL without Nginx
Go to https://hub.docker.com/r/grafana/grafana/ to check the official Grafana images.
In this configuration, we are going to expose Grafana on 8080 internally. We also have a pre-built dashboard JSON, which we will import directly from the Dockerfile itself.
Grafana supports running on HTTPS/SSL. You need to obtain a certificate and configure Grafana to use it.
You need to either copy the certificates into the image, or mount the certificates when running this Docker image. In this example, I’m copying the SSL certificate into the image.
Let's look at the complete Dockerfile:
FROM grafana/grafana:5.4.3
ENV GF_SERVER_HTTP_PORT=443
# ENV GF_PATHS_PROVISIONING=/etc/grafana/provisioning
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_SERVER_ROOT_URL=https://<your hostname>
ENV GF_AUTH_GENERIC_OAUTH_NAME=Okta
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<xyz>.okta.com/oauth2/v1/authorize
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<xyz>.okta.com/oauth2/v1/token
ENV GF_AUTH_GENERIC_OAUTH_API_URL=https://<xyz>.okta.com/oauth2/v1/userinfo
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
ENV GF_AUTH_OAUTH_AUTO_LOGIN=true
ENV GF_SERVER_PROTOCOL=https
ENV GF_SERVER_CERT_FILE=/etc/grafana/cert/cert.cert
ENV GF_SERVER_CERT_KEY=/etc/grafana/cert/cert.key
USER root
RUN mkdir -p /var/lib/grafana/dashboards
ADD grafana_dashboards/belts-dashboard.json /var/lib/grafana/dashboards/belts-dashboard.json
ADD grafana_dashboards/dashboards.yaml /etc/grafana/provisioning/dashboards/dashboards.yaml
ADD grafana_dashboards/elastic_datasource.yaml /etc/grafana/provisioning/datasources/elastic_datasource.yaml
EXPOSE 443

In this file, we have exposed port 443 and set up the certificates. When you run it, you will be able to access Grafana over HTTPS.
docker run -it \
  -e GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<your client id> \
  -e GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<your secret> \
  -v "$PWD/certificate/cert.key:/etc/grafana/cert/cert.key" \
  -v "$PWD/certificate/cert.cert:/etc/grafana/cert/cert.cert" \
  -p 443:443 -d my_dashboard

Please make sure to replace everything in angle brackets (<>) above. In the Dockerfile above, we have used the official Grafana 5.4.3 image and set up various configurations. We have also saved our dashboard JSON and copy it straight into the image. This saves us from creating or loading dashboards manually each time.
Note: For simplicity, I have mentioned all environment variables in the Dockerfile. You should put these in an environment file, and provide that file at runtime.
When you run it, your Grafana is live on host: https://
Configure SSL with Nginx
You can run Grafana on some port like 8080, without a certificate, and run Nginx in front of it, which is excellent at handling proxy requests.
Let's build the Nginx image
Create a file: conf.d/app.conf
app.conf
gzip on;
gzip_proxied any;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";

# Expires map
map $sent_http_content_type $expires {
    default off;
    text/html epoch;
    text/css max;
    application/javascript max;
}

proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen 80;
    keepalive_timeout 70;
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert/cert.cert;
    ssl_certificate_key /etc/nginx/cert/cert.key;
    location / {
        # where your grafana is running
        proxy_pass http://<your hostname>:8080;
    }
}

Dockerfile for nginx
FROM nginx:mainline-alpine
COPY ./conf.d /etc/nginx/conf.d
COPY ./certificate/cert.key /etc/nginx/cert/cert.key
COPY ./certificate/cert.cert /etc/nginx/cert/cert.cert
EXPOSE 443

Now build this image. The following is the Dockerfile for Grafana:
FROM grafana/grafana:5.4.3
ENV GF_SERVER_HTTP_PORT=8080
# ENV GF_PATHS_PROVISIONING=/etc/grafana/provisioning
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_SERVER_ROOT_URL=https://<your server name>
ENV GF_AUTH_GENERIC_OAUTH_NAME=Okta
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<id>
ENV GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<secret>
ENV GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<xyz>.okta.com/oauth2/v1/authorize
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<xyz>.okta.com/oauth2/v1/token
ENV GF_AUTH_GENERIC_OAUTH_API_URL=https://<xyz>.okta.com/oauth2/v1/userinfo
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
ENV GF_AUTH_OAUTH_AUTO_LOGIN=true
USER root
RUN mkdir -p /var/lib/grafana/dashboards
ADD grafana_dashboards/belts-dashboard.json /var/lib/grafana/dashboards/belts-dashboard.json
ADD grafana_dashboards/dashboards.yaml /etc/grafana/provisioning/dashboards/dashboards.yaml
ADD grafana_dashboards/elastic_datasource.yaml /etc/grafana/provisioning/datasources/elastic_datasource.yaml
EXPOSE 8080

Note that Grafana is running on http://
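The check below is an added example, not part of the original post. It reads a Dockerfile's ENV lines and reports when the settings that leave Okta as the only login path are missing, when a root or OAuth URL is not https, or when the client secret is set in the image (as in the Nginx variant) instead of being passed with -e at runtime (as in the first variant). The sample Dockerfiles, the hostname grafana.example.test and the finding messages are constructed for illustration.

```python
import re
import shlex

# Settings the Dockerfiles above use to leave Okta OAuth as the only way in.
REQUIRED = {"GF_AUTH_ANONYMOUS_ENABLED": "false", "GF_USERS_ALLOW_SIGN_UP": "false",
            "GF_AUTH_GENERIC_OAUTH_ENABLED": "true", "GF_AUTH_DISABLE_LOGIN_FORM": "true"}
HTTPS_ONLY = ("GF_SERVER_ROOT_URL", "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
              "GF_AUTH_GENERIC_OAUTH_TOKEN_URL", "GF_AUTH_GENERIC_OAUTH_API_URL")
SECRET_NAME = re.compile(r"(SECRET|PASSWORD)$")

# Constructed samples modelled on the two Dockerfiles (placeholder values).
RUNTIME_SECRET = """FROM grafana/grafana:5.4.3
ENV GF_AUTH_ANONYMOUS_ENABLED=false
ENV GF_SERVER_ROOT_URL=https://grafana.example.test
ENV GF_AUTH_GENERIC_OAUTH_ENABLED=true
ENV GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
ENV GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<xyz>.okta.com/oauth2/v1/token
ENV GF_USERS_ALLOW_SIGN_UP=false
ENV GF_AUTH_DISABLE_LOGIN_FORM=true
"""
BAKED_SECRET = RUNTIME_SECRET + "ENV GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=placeholder\n"


def parse_env(dockerfile_text):
    """Collect KEY=value pairs from ENV lines (legacy 'ENV KEY value' is ignored)."""
    env = {}
    for line in dockerfile_text.splitlines():
        line = line.strip()
        if line.upper().startswith("ENV "):
            for pair in shlex.split(line[4:]):
                key, sep, value = pair.partition("=")
                if sep:
                    env[key] = value
    return env


def audit(dockerfile_text):
    """Return sorted findings; an empty list means every check passed."""
    env = parse_env(dockerfile_text)
    findings = [f"{k} should be {v}" for k, v in REQUIRED.items()
                if env.get(k, "").lower() != v]
    findings += [f"{k} is not an https:// URL" for k in HTTPS_ONLY
                 if k in env and not env[k].startswith("https://")]
    findings += [f"{k} is baked into the image" for k in env if SECRET_NAME.search(k)]
    return sorted(findings)


for name, text in (("runtime secret", RUNTIME_SECRET), ("baked secret", BAKED_SECRET)):
    print(name, "->", audit(text) or "ok")
```

Values set with ENV stay readable in the image metadata and history, which is why the second sample is flagged even though the container behaves the same at runtime.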
Make the dashboard the Home page for yourself only
First, log in to your Grafana app. Assuming you have imported or created the dashboard, you need to star it: there is a star icon in front of it, or, when you open the dashboard, there is an option to star it at the top right.
Now,
- Click on your username at the bottom left.
- Click on Preferences.
- Click on the drop-down labelled Home.
- Select your dashboard, and save it.
Make the dashboard the Home page for the whole site
You need to be an admin to do this. Assuming you have imported or created the dashboard, you need to star it: there is a star icon in front of it, or, when you open the dashboard, there is an option to star it at the top right.
Now,
- Click on Admin -> Preferences or Settings -> Preferences, on the mid-left.
- Click on the Home drop-down.
- Select the dashboard, and save it.
I’ve also written a post about running Grafana dashboard on Kubernetes.
Hope it is useful to you.









