Access and Expose Grafana and Jaeger
NOTE: Kyma has deprecated the following components and plans to remove them. You can replace them with a custom stack:
- To replace deprecated Jaeger, take a look at Install custom Jaeger in Kyma.
- To replace deprecated Prometheus and Grafana, take a look at Install a custom kube-prometheus-stack in Kyma.
By default, Kyma does not expose Grafana and Jaeger. However, you can still access them using port forwarding. If you want to expose Grafana and Jaeger securely, use an identity provider of your choice.
Prerequisites
- You have defined the kubeconfig file for your cluster as default (see Kubernetes: Organizing Cluster Access Using kubeconfig Files).
- To expose the services securely with OAuth, you must have a registered OAuth application with one of the supported providers.
Access Grafana and Jaeger
Steps
- To forward a local port to a port on the service's Pod, run the following command:
- Grafana
- Jaeger
NOTE:
kubectl port-forward
does not return. To stop port forwarding, cancel it withCtrl
+C
.
- To access the respective service's UI, open
http://localhost:3000
(for Grafana) orhttp://localhost:16686
(for Jaeger) in your browser.
Expose Grafana and Jaeger securely
Kyma manages an OAuth2 Proxy instance to secure access to Grafana and Jaeger. To make the services accessible, configure OAuth2 Proxy by creating a Kubernetes Secret with your identity provider credentials.
Steps
The following example shows how to use an OpenID Connect (OIDC) compliant identity provider for Grafana and Jaeger.
NOTE: The OAuth2 Proxy supports a wide range of other well-known authentication services or OpenID Connect for custom solutions. To find instructions for other authentication services, see the list of supported providers.
Create a new OpenID Connect application for your identity provider and set the callback URL to the
/oauth2/callback
path of your service.For example, if your Kyma cluster is reachable under
kyma.example.com
, usehttps://grafana.kyma.example.com/oauth2/callback
for Grafana.TIP: The subdomain is already exposed by default. Simply change the root domain to your cluster domain.
Your identity provider will return a client ID, a client secret, and a token issuer URL.
Create a Secret for the OAuth2 Proxy configuration environment variables.
For an OpenID Connect compliant provider, adapt the client ID, secret and token issuer to the values that were provided while creating the application.
To limit access to specific user groups, configure this with the
OAUTH2_PROXY_ALLOWED_GROUPS
variable and ensure thatOAUTH2_PROXY_OIDC_GROUPS_CLAIM
points to the groups attribute name that is used by your authentication service (groups
is the default). To get the configuration flags required for other identity provider types, see OAuth2 Proxy docs.The following code works on Linux and macOS. If you are using Windows, replace the
\
character by`
(PowerShell) or^
(CMD) for multi-line commands.
- Grafana
- Jaeger
NOTE: By default, you are redirected to the documentation. To go to the service's UI instead, disable the OAuth2 Proxy provider button by setting
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
.
- Restart the OAuth2 Proxy pod:
- Grafana
- Jaeger