Dex is an open-source federated OpenID Connect provider. In practice this means that if your company does not want to use or buy an OpenID Connect service from a provider, you can deploy Dex in house and use it to authenticate and authorize users against an upstream identity source.
Prometheus is an observability and monitoring tool for your cloud infrastructure. Grafana is a front-end dashboard for Prometheus. Together they let you observe what is happening in your devices and servers.
In this article, you will learn how to integrate these two systems, using GitLab and GitHub as the identity management system.
Helm charts:
Dex helm chart
Grafana helm chart
Setting up GitLab as the identity and access management (IAM) system
The first thing you need to do is create a GitLab group of which you are a member.

The members of this group will be able to authenticate into Dex.
Then you need to add a new OAuth application to this group by going to Settings -> Applications.
Press "Add new application". The name of this application can be anything; for the sake of this example, I will name it "dex-example". Then you need to provide a redirect URL. This redirect URL is Dex's callback URL. As I am deploying this example on my laptop, I will give my localhost URL. If you're deploying this in your in-house infrastructure, you need to change this to the correct domain name.
I will give the URL: http://localhost:32000/dex/callback
The port number 32000 is the K8s NodePort of the Dex service.
Under the scopes section we will tick these boxes: OpenID, Profile, and Email. The Email scope is optional.

Dex installation and integration with GitLab
To integrate Dex with GitLab we need to modify the values.yaml of the Dex helm chart.
Change the service type from ClusterIP to NodePort
This is needed to be able to reach the Dex service from outside the cluster. As documented in the GitHub repo of the Dex helm chart, you need to set these parameters to accomplish it (the chart keys are service.type and service.ports.http.nodePort):
service.type: NodePort
service.ports.http.nodePort: 32000
Connecting Dex with Prometheus
This part resides in the "config" parameter of the values.yaml.
First you need to define the static client of Dex, with a dummy client ID and secret, through which Grafana (the front end for Prometheus) connects:
staticClients:
  - id: prometheus
    redirectURIs:
      - http://localhost:32001/login/generic_oauth
    secret: ZGV4LWV4YW1wbGUK
    name: 'prometheus'
Connecting Dex with GitLab
connectors:
  - type: gitlab
    # Required field for connector id.
    id: gitlab
    # Required field for connector name.
    name: GitLab
    config:
      # optional, default = https://gitlab.com
      baseURL: https://gitlab.com
      # Credentials can be string literals or pulled from the environment.
      clientID:
      clientSecret:
      redirectURI: http://localhost:32000/dex/callback
      # Optional groups whitelist, communicated through the "groups" scope.
      # If `groups` is omitted, all of the user's GitLab groups are returned when the groups scope is present.
      # If `groups` is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured `groups` below will go into the groups claim. Conversely, if the user is not in any of the configured `groups`, the user will not be authenticated.
      groups:
        - example-dex
      # flag which will switch from using the internal GitLab id to the users handle (@mention) as the user id.
      # It is possible for a user to change their own user name but it is very rare for them to do so
      useLoginAsID: false
In this part of the configuration you need to give the clientID and clientSecret you received from GitLab. The redirectURI should point to Dex's callback, the same URL we gave as the callback URI of the GitLab application at the beginning of this post (remember that 32000 is the NodePort of the Dex service).
Then under groups you should give the name of the group you created in GitLab at the beginning of the post.
This essentially means that only users who belong to the group "example-dex" can authenticate through Dex.
Connecting Grafana with Dex
Now we need to connect Grafana with Dex.
grafana.ini:
  server:
    protocol: http
    root_url: http://localhost:32001
  auth.generic_oauth:
    enabled: true
    name: OAuth
    tls_skip_verify_insecure: true
    client_id: prometheus
    client_secret: ZGV4LWV4YW1wbGUK
    scopes: "openid profile email groups"
    auth_url: http://localhost:32000/dex/auth
    token_url: http://dex:5556/dex/token
    api_url: http://localhost:32000/dex/userinfo
service:
  enabled: true
  type: NodePort
  nodePort: 32001
To do this we need to modify the grafana.ini parameter in values.yaml.
auth.generic_oauth contains the configuration for integrating a generic IdP. To allow the exchange between Grafana and Dex you have to give the same client ID and client secret you defined in the Dex values.yaml.
In auth_url you need to give the NodePort address of Dex, because that step of the flow happens through your browser. The token exchange happens inside the Kubernetes network, therefore we give the in-cluster DNS name of Dex and its ClusterIP service port.
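Most failures of this setup come from the two values files disagreeing (redirect URI, client secret, scopes) or from the browser-facing and in-cluster URLs being swapped. The following checker, an added example that is not part of the post, cross-checks the Dex and Grafana settings shown above; both dicts are hand-transcribed from the post's values and the GitLab callback is passed in as a parameter.

```python
# Added example, not from the post: cross-check the values-dex.yaml and
# values-grafana.yaml settings above. Both dicts are hand-transcribed (constructed).
DEX_VALUES = {
    "service": {"type": "NodePort", "ports": {"http": {"nodePort": 32000}}},
    "config": {
        "staticClients": [{"id": "prometheus", "secret": "ZGV4LWV4YW1wbGUK",
                           "redirectURIs": ["http://localhost:32001/login/generic_oauth"]}],
        "connectors": [{"type": "gitlab", "id": "gitlab", "config": {
            "redirectURI": "http://localhost:32000/dex/callback",
            "groups": ["example-dex"]}}]}}
GRAFANA_VALUES = {
    "grafana.ini": {
        "server": {"protocol": "http", "root_url": "http://localhost:32001"},
        "auth.generic_oauth": {
            "tls_skip_verify_insecure": True, "client_id": "prometheus",
            "client_secret": "ZGV4LWV4YW1wbGUK", "scopes": "openid profile email groups",
            "auth_url": "http://localhost:32000/dex/auth",
            "token_url": "http://dex:5556/dex/token",
            "api_url": "http://localhost:32000/dex/userinfo"}},
    "service": {"type": "NodePort", "nodePort": 32001}}

def check_integration(dex, grafana, gitlab_callback):
    """Return a list of findings; an empty list means the two values files agree."""
    findings, oauth = [], grafana["grafana.ini"]["auth.generic_oauth"]
    client = next((c for c in dex["config"]["staticClients"] if c["id"] == oauth["client_id"]), None)
    if client is None:
        return [f"no Dex staticClient with id {oauth['client_id']!r}"]
    if client["secret"] != oauth["client_secret"]:
        findings.append("Grafana client_secret differs from the Dex staticClient secret")
    # Grafana derives its callback from root_url; Dex must list exactly that URI.
    cb = grafana["grafana.ini"]["server"]["root_url"].rstrip("/") + "/login/generic_oauth"
    if cb not in client["redirectURIs"]:
        findings.append(f"Dex redirectURIs do not contain Grafana's callback {cb}")
    # The connector redirectURI must equal the callback registered in the GitLab app.
    connector = dex["config"]["connectors"][0]
    if connector["config"]["redirectURI"] != gitlab_callback:
        findings.append("connector redirectURI differs from the GitLab application callback")
    # auth_url is opened by the browser (NodePort); token_url is called from inside the cluster.
    node_port = str(dex["service"]["ports"]["http"]["nodePort"])
    if f":{node_port}/" not in oauth["auth_url"]:
        findings.append(f"auth_url does not use the Dex NodePort {node_port}")
    if "localhost" in oauth["token_url"]:
        findings.append("token_url points at localhost but Grafana calls it from inside the cluster")
    # The groups whitelist only takes effect when Grafana requests the groups scope.
    if connector["config"].get("groups") and "groups" not in oauth["scopes"].split():
        findings.append("connector restricts groups but Grafana does not request the groups scope")
    # Acceptable on a laptop, not in a shared deployment.
    if oauth.get("tls_skip_verify_insecure"):
        findings.append("tls_skip_verify_insecure is enabled")
    return findings
```

Run against the post's own values the only finding is the disabled TLS verification, which is fine for localhost but must not survive into a real deployment.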
Deploying the configurations
Prerequisite:
The Helm chart repositories (dex and grafana) must be added before the commands below can run successfully.
Commands:
First you deploy Dex from the command line:
helm install dex dex/dex --version 0.15.3 -f values-dex.yaml
Secondly you deploy Grafana from the command line:
helm install grafana grafana/grafana -f values-grafana.yaml
These two files can be found in the Repository that I mentioned in the beginning of the post.
Result
If you go to http://localhost:32001 (where Grafana is located), you will notice that a new button has been added to the login page (Sign in with OAuth).
Now if you press it, it will forward you to GitLab.

When you authorize it there, it will forward you back to Dex:
And at last, if you grant access, you can log in to Grafana.