
I have a Kubernetes cluster with kube-prometheus-stack (which includes Grafana) deployed via Helm. I am trying to set up single sign on (SSO) to Grafana using AzureAD. I've found the Grafana configuration pages (https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana and https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-security/configure-authentication/azuread/) and I think I have an initial idea of what I need to add to my Helm chart's values.yaml file.

There are some details, however, that I am not sure about. If I had access to the "schema" for this configuration, that might help me figure this out. Unfortunately, I have been unable to find anything that defines this. There are examples, but I cannot find anything that describes what the fields mean. Also, keep in mind that everything I have found shows examples for the grafana.ini file. I need to "translate" this to YAML for the values.yaml file used by the Helm chart.

Here is an example:

...
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = false

I have translated this into the following YAML:

  auth.azuread:
    name: Azure AD
    enabled: true
    allow_sign_up: true
    client_id: APPLICATION_ID
    client_secret: CLIENT_SECRET
    scopes: openid email profile
    auth_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
    token_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
    allowed_domains:
    allowed_groups:
    role_attribute_strict: false

I suspect that scopes expects a list based on its plurality, but how can I be sure? Also, what are the valid values? Apparently openid, email and profile are valid, but what do these values represent and are there others? On a similar note, what do allowed_domains and allowed_groups expect?

I've tried to find a reference for the Grafana configuration data structure and definition, but have not had any luck. Does anyone have an idea where (if) this can be found?

Joseph Gagnon
  • Could you include more details like what exactly you need? Have you created one Azure AD application? – Sridevi Nov 19 '22 at 12:42
  • I don't know what I need. Having some idea of how this configuration data structure is defined would help me understand what I need to provide. What is required and what is not? What are the valid values for fields (e.g. `scopes`, etc.)? Right now it's a black box. – Joseph Gagnon Nov 21 '22 at 15:16
  • Actually, you need to register one Azure AD application in which you have to add **API permissions** like [this](https://i.imgur.com/0XQ93gg.png). These are the values of **`scope`** which are required to fetch signed in user's details. – Sridevi Nov 21 '22 at 15:26
  • We do have an AzureAD app set up, although I don't know the details about how it's configured on that end (I don't have access or know what to do). – Joseph Gagnon Nov 21 '22 at 15:56
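Added example (not from the question, the Grafana docs, or the chart): a kube-prometheus-stack values.yaml fragment carrying the same [auth.azuread] settings as the INI above. Everything under `grafana:` is handed to the bundled Grafana subchart, which writes each key of the `grafana.ini` map into the rendered INI file as `[section]` / `key = value`, so every value stays a plain string in the same form it has in grafana.ini (`scopes` is one space-separated string, not a YAML list). The Secret name, hostname, domain and group ID are placeholders, and `role_attribute_strict` is set to `true` here, unlike the question's `false`, so that a user whose token carries no role Grafana can map is denied rather than let in.

```yaml
# kube-prometheus-stack values.yaml (added example; names below are placeholders)
grafana:
  # Surface the client secret as an environment variable from a Kubernetes Secret
  # instead of writing it into the rendered grafana.ini, which lands in a ConfigMap.
  # Assumed Secret: grafana-azuread-oauth with key GF_AUTH_AZUREAD_CLIENT_SECRET.
  envFromSecret: grafana-azuread-oauth
  grafana.ini:
    server:
      # Grafana builds the OAuth redirect URI from root_url as <root_url>/login/azuread;
      # it must match the redirect URI registered on the Azure AD application.
      root_url: https://grafana.example.com
    auth.azuread:
      name: Azure AD
      enabled: true
      allow_sign_up: true
      client_id: APPLICATION_ID
      # Grafana expands $__env{VAR} from the process environment at startup,
      # so the secret never appears in the rendered config file.
      client_secret: "$__env{GF_AUTH_AZUREAD_CLIENT_SECRET}"
      # OpenID Connect scopes requested from Azure AD: openid (ID token),
      # email and profile (user's e-mail and display name claims).
      scopes: openid email profile
      auth_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
      token_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
      # Space-separated e-mail domains allowed to sign in; empty means any domain.
      allowed_domains: example.com
      # Space-separated Azure AD group object IDs; users outside them are refused.
      allowed_groups: 00000000-0000-0000-0000-000000000000
      # Refuse login when the token's role claim is missing or not Admin/Editor/Viewer.
      role_attribute_strict: true
```

Because Grafana also reads any `GF_<SECTION>_<KEY>` environment variable as an override for the matching INI key, the `GF_AUTH_AZUREAD_CLIENT_SECRET` variable supplied by `envFromSecret` would take effect even without the `client_secret` line; the `$__env{...}` reference is kept so the dependency on the Secret is visible in the values file. After `helm upgrade`, `kubectl exec` into the Grafana pod and read `/etc/grafana/grafana.ini` to confirm the section rendered as `[auth.azuread]` with `scopes = openid email profile` and no literal secret.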

0 Answers