Set IRIS IAM login for Grafana and ArgoCD #440
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anish-mudaraddi
force-pushed
the
use-iris-iam-grafana
branch
from
1f5e49f to
81e92de
Compare
khalford
reviewed
Nov 5, 2025
Comment on lines
+69
to
+67
| grafana.ini: | ||
| server: | ||
| root_url: https://grafana.staging-worker.nubes.stfc.ac.uk |
Member
There was a problem hiding this comment.
Suggested change
| grafana.ini: | |
| server: | |
| root_url: https://grafana.staging-worker.nubes.stfc.ac.uk | |
| grafana.ini: | |
| server: | |
| root_url: https://grafana.staging-worker.nubes.stfc.ac.uk | |
| auth.generic_oauth: | |
| role_attribute_path: contains(groups[*], 'stfc-cloud/admins') && 'Admin' || contains(groups[*], 'stfc-cloud/team') && 'Editor' || 'Viewer' |
Collaborator
Author
There was a problem hiding this comment.
what does this do?
Collaborator
Author
There was a problem hiding this comment.
ah rbac - the chart has us do it differently.
I'm assuming you want:
- stfc-cloud/team to have read-only permissions
- stfc-cloud/admins to have read/write permissions
Member
There was a problem hiding this comment.
I was just going from your comment on ArgoCD. That is how you add it to the grafana.ini file
Collaborator
Author
There was a problem hiding this comment.
I'd argue that stfc-cloud/team should have read/write permissions on staging so they can add new dashboards
Member
There was a problem hiding this comment.
Editor is read write for dashboards
https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/#dashboard-permissions
khalford
reviewed
Nov 5, 2025
Member
khalford
left a comment
khalford
left a comment
There was a problem hiding this comment.
We can add rbac for Grafana quite easily
sets up grafana dashboards to use iris iam for login set strong grafana admin passwords
IRIS IAM authentication for IRIS-iAM + setting a permanent password for ArgoCD ArgoCD bootstrap will setup a temporary admin password that will be overwritten once GitOps kicks in set some simple rbac policies: stfc-cloud/team -> readonly stfc-cloud/admin -> admin
anish-mudaraddi
force-pushed
the
use-iris-iam-grafana
branch
from
29ca456 to
0f092ff
Compare
anish-mudaraddi
force-pushed
the
use-iris-iam-grafana
branch
from
0f092ff to
4f27ea3
Compare
azahmd
approved these changes
Nov 7, 2025
khalford
approved these changes
Nov 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
you can now:
login via iris iam into argocd and grafana as long as you belong to stfc-cloud/admins or stfc-cloud/team groups
For ArgoCD:
stfc-cloud/team group has read-only permissions
stfc-cloud/admins group has admin permissions
For Grafana:
both have admin permissions (TODO rbac rules later if needed)
Admin local username/passwords preserved and set in sops