Skip to content

Commit

Permalink
Adding Grafana authentication information (#863)
Browse files Browse the repository at this point in the history 
Specifying the details needed for customers to secure their Grafana
container.

<!-- Explain the changes introduced in your PR -->

## Pull Request approval

You will need to get your PR approved by at least one member of the
Sourcegraph team. For reviews of docs formatting, styles, and component
usage, please tag the docs team via the #docs Slack channel.
  • Loading branch information
@marcleblanc2
marcleblanc2 authored Dec 19, 2024
1 parent 894245e commit df78be9
Showing 1 changed file with 30 additions and 2 deletions.
32 changes: 30 additions & 2 deletions docs/admin/observability/metrics.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,8 +82,36 @@ sshuttle -r user@host 0/0

Grafana will be available at http://host:3370/-/debug/grafana.

> WARNING: Our Grafana instance runs in anonymous mode with all authentication turned off, since we rely on Sourcegraph's built-in authentication.
> Please be careful when exposing it directly to external traffic.
### Grafana Security

<Callout type="warning">
WARNING: By default, our Grafana container runs in anonymous mode with authentication disabled, relying on Sourcegraph's authentication and authorization when accessed through your Sourcegraph instance.

We recommend you use your network security controls to prevent access to Grafana's listening ports, or enable Grafana's builtin authentication.
</Callout>

To enable Grafana's builtin authentication, configure the `GF_AUTH_ANONYMOUS_ENABLED` environment variable to `false` in the Grafana container's environment variables in your deployment override file.

We also recommend that you customize the default admin username and password by configuring the `GF_SECURITY_ADMIN_USER` and `GF_SECURITY_ADMIN_PASSWORD` environment variables, using your secrets management tool in your deployment pipeline.

```yaml
# Helm override
grafana:
env:
GF_AUTH_ANONYMOUS_ENABLED:
value: "false"
GF_SECURITY_ADMIN_USER:
value: "custom-admin-username"
GF_SECURITY_ADMIN_PASSWORD:
value: "custom-admin-password"

# Docker Compose override
grafana:
environment:
- 'GF_SECURITY_ADMIN_USER=custom-admin-username'
- 'GF_SECURITY_ADMIN_PASSWORD=custom-admin-password'
- 'GF_AUTH_ANONYMOUS_ENABLED=false'
```
## Prometheus
Expand Down

0 comments on commit df78be9

Please sign in to comment.