Integrating Grafana with GCP SSO Using Helm Values

MouliVeera
2 min read · Mar 17, 2024

This post walks through enabling Single Sign-On (SSO) in Grafana with Google as the identity provider, deployed through the kube-prometheus-stack Helm chart. With SSO, users sign in to Grafana with their Google Workspace (GCP) accounts, so there are no separate Grafana passwords to manage and access can be limited to your organization's domain.


Helm Charts:
Prometheus and Grafana stack: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack

Prerequisites

  • Kubernetes 1.19+
  • Helm 3+

Add the chart repository to your local Helm client:

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

Create Google OAuth keys

First, create a Google OAuth client:

  1. Go to https://console.developers.google.com/apis/credentials.
  2. Click Create Credentials, then choose OAuth Client ID from the drop-down menu.
  3. Enter the client details. The authorized redirect URI must be your Grafana root_url followed by login/google (for the values below, https://grafana.yourdomain.com/login/google); Google rejects the callback if it does not match exactly.
  4. Click Create.
  5. Copy the Client ID and Client Secret from the 'OAuth Client' dialog. Treat the secret like a password: it belongs in a Kubernetes Secret, not in a values file committed to git.

Customize Helm Values:

Update your Helm values.yaml file with the following changes. Indentation matters: kube-prometheus-stack passes everything under grafana.grafana.ini to the Grafana subchart, which renders each map key as a section of grafana.ini:

grafana:
  enabled: true
  grafana.ini:
    users:
      viewers_can_edit: "True"
    server:
      root_url: https://grafana.yourdomain.com/
    auth.google:
      enabled: true
      allow_sign_up: true
      auto_login: false
      client_id: CLIENT-ID
      client_secret: CLIENT-SECRET
      scopes: openid email profile
      auth_url: https://accounts.google.com/o/oauth2/v2/auth
      token_url: https://oauth2.googleapis.com/token
      api_url: https://openidconnect.googleapis.com/v1/userinfo
      allowed_domains: yourdomain.com
      hosted_domain: yourdomain.com
      use_pkce: true

Replace CLIENT-ID and CLIENT-SECRET with the values copied from the Google console, and yourdomain.com with your Google Workspace domain (no trailing dot). root_url must match the redirect URI registered in Google, since Grafana appends login/google to it. allowed_domains is the setting that actually restricts sign-up to your organization: Grafana checks it on every login, whereas hosted_domain only tells Google which accounts to offer, and without allowed_domains the allow_sign_up: true line lets any Google account create a Grafana user. viewers_can_edit is optional and unrelated to SSO; it lets Viewers modify panels and use Explore without saving, so leave it out if you do not want that. Keep in mind that a client secret written here ends up in plain text both in values.yaml and in the ConfigMap Grafana reads; prefer injecting it as the GF_AUTH_GOOGLE_CLIENT_SECRET environment variable from a Kubernetes Secret.

Deploy Prometheus and Grafana with Helm:

  • Run the following Helm command to deploy the stack with the customized values:

helm install [RELEASE_NAME] prometheus-community/kube-prometheus-stack -f values.yaml
  • Replace [RELEASE_NAME] with your desired release name.
  • Ensure the values.yaml file is in the directory from which you're running the Helm command.
  • Port-forward to the Grafana service to verify that SSO is enabled. kube-prometheus-stack names the service [RELEASE_NAME]-grafana and exposes it on port 80 (container port 3000):
kubectl port-forward svc/[RELEASE_NAME]-grafana 3000:80
  • Open http://localhost:3000 and check that the login page offers "Sign in with Google". Because Google redirects back to root_url rather than to localhost, the full login only completes through the real hostname once ingress or a load balancer is in place; sign in there with your domain email.

Note: a user who signs in through Google for the first time gets the organization's default role, which is Viewer unless auto_assign_org_role has been changed. To grant Admin or Editor access, configure role mapping in the same auth.google section. Grafana evaluates role_attribute_path, a JMESPath expression, against the user info returned by Google:

role_attribute_path = email=='admin@company.com' && 'Admin' || 'Viewer'
skip_org_role_sync = false

In this example the user with email admin@company.com is granted the Admin role and everyone else is a Viewer. With skip_org_role_sync = false the role is re-applied on every login, so a change to the mapping takes effect the next time the user signs in; set to true, Grafana keeps whatever role was last assigned in the UI. In the values file these two lines become keys under auth.google, like the settings above.
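The following values.yaml is an added example, not the original post's configuration, that combines the two points above: it takes the client ID and secret from a Kubernetes Secret instead of the values file, and it maps roles for more than one mailbox with strict evaluation. The release name monitoring, the namespace monitoring, the Secret name grafana-google-oauth and the admin/SRE mailboxes are assumptions; the Grafana settings themselves (envFromSecret in the Grafana chart, the GF_AUTH_GOOGLE_* environment overrides, role_attribute_strict) are standard Grafana and chart options. viewers_can_edit is deliberately left out.

```yaml
# Added example (not from the original post): hardened values.yaml for
# kube-prometheus-stack. Assumed names: release "monitoring" in namespace
# "monitoring", Secret "grafana-google-oauth", domain yourdomain.com and the
# mailboxes used in the role mapping.
grafana:
  enabled: true
  # Grafana treats GF_<SECTION>_<KEY> environment variables as overrides for
  # grafana.ini, so the client ID and secret come from the Secret (keys
  # GF_AUTH_GOOGLE_CLIENT_ID and GF_AUTH_GOOGLE_CLIENT_SECRET) and never
  # appear in this file or in the rendered ConfigMap.
  envFromSecret: grafana-google-oauth
  grafana.ini:
    server:
      # Must match the authorized redirect URI registered in Google
      # (root_url + login/google).
      root_url: https://grafana.yourdomain.com/
    auth.google:
      enabled: true
      allow_sign_up: true
      auto_login: false
      scopes: openid email profile
      auth_url: https://accounts.google.com/o/oauth2/v2/auth
      token_url: https://oauth2.googleapis.com/token
      api_url: https://openidconnect.googleapis.com/v1/userinfo
      # allowed_domains is enforced by Grafana on every login; hosted_domain
      # only narrows the Google account chooser. Keep both, rely on the first:
      # without it, allow_sign_up lets any Google account create a user.
      allowed_domains: yourdomain.com
      hosted_domain: yourdomain.com
      use_pkce: true
      # JMESPath over the userinfo response, evaluated left to right: the
      # first matching list wins, everyone else in the domain is a Viewer.
      role_attribute_path: "contains(['admin@yourdomain.com'], email) && 'Admin' || contains(['sre@yourdomain.com', 'oncall@yourdomain.com'], email) && 'Editor' || 'Viewer'"
      # Deny login if the expression yields no valid role instead of silently
      # falling back to the default org role.
      role_attribute_strict: true
      # Re-evaluate the role on every login so removing a mailbox from the
      # Admin list takes effect the next time that person signs in.
      skip_org_role_sync: false
```

Create the Secret before installing, so the pod can start: `kubectl -n monitoring create secret generic grafana-google-oauth --from-literal=GF_AUTH_GOOGLE_CLIENT_ID='<client-id>' --from-literal=GF_AUTH_GOOGLE_CLIENT_SECRET='<client-secret>'`, then `helm upgrade --install monitoring prometheus-community/kube-prometheus-stack -n monitoring -f values.yaml`. Rotating the secret is then a matter of updating the Secret and restarting the Grafana pod, with no change to values.yaml.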


Mouli is a seasoned DevOps Engineer with expertise in designing and optimising CI/CD pipelines, containerisation with Docker and Kubernetes.