Authentication between GitLab and Grafana to enable sharing of metric charts
We want to enable users to embed Grafana metrics in GitLab issues so that they can share findings during the fire-fight. Grafana is a popular data visualization platform that is commonly paired with Prometheus time series data but can ingest data from a number of other tools. The Monitot stage relies on Prometheus for the APM offering and there is an increasing number of customers using Grafana. Integrating more tightly with Grafana will allow us to provide better embedding of charts, making them interactive and static, as well as provide more granular control over user permissions between Grafana and GitLab.
This work contributes to the Incident Management Vision
Authentication: We're using API tokens! OAuth won't do what we want it to, and we should not ask users for their Grafana credentials.
- A Grafana admin will generate & save the API Token to GitLab, along with the domain of their Grafana instance.
- There can be an unlimited number of Grafana instances, but only one API Token per instance per project/group/instance/etc.
- The API Token is user agnostic, but can have its permissions restricted by a Grafana admin.
- When a user pastes a link to a grafana dashboard in GFM, the provided Grafana domain will be used to identify which token to use and which instance to request data from.
- In terms of where the token should be stored, at the project, group, or instance level - we can follow what's been done for Jaeger and Sentry (presuming this is at the project level, but this is something we should confirm).
- We can start with just one Grafana integration for now (multiple Grafana instances configured per-project/group/instance could be a later iteration).
- Configuration could live in Settings > Operations.
- Testing whether the token works will be part of a later iteration.
- [For embedding] GitLab user permissions will determine which users will be allowed to see the embedded metrics.