About Google SSO Login Issues

[tsaomichael]

Description

"I am currently encountering the following result: 'Error 400: redirect_uri_mismatch,' along with the request details indicating 'redirect_uri=https://localhost/graph/login/generic_oauth.' I am requesting assistance."

Expected Results

Login Success

Actual Results

Error 400: redirect_uri_mismatch

Version

PMM SERVER V23.9.0, Helm Chart: 1.2.5

Steps to reproduce

No response

Relevant logs

No response

Code of Conduct

• I agree to follow Percona Community Code of Conduct

[BupycHuk]

Hello @tsaomichael, could you please provide more details on how you configured it?

[tsaomichael]

PMM Values.yml

## @section Percona Monitoring and Management (PMM) parameters
## Default values for PMM.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.

## PMM image version
## ref: https://hub.docker.com/r/percona/pmm-server/tags
## @param image.repository PMM image repository
## @param image.pullPolicy PMM image pull policy
## @param image.tag PMM image tag (immutable tags are recommended)
## @param image.imagePullSecrets Global Docker registry secret names as an array
##
image:
  repository: percona/pmm-server
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: "2.39.0"
  imagePullSecrets: []

## PMM environment variables
## ref: https://docs.percona.com/percona-monitoring-and-management/setting-up/server/docker.html#environment-variables
##
pmmEnv:
  ## @param pmmEnv.DISABLE_UPDATES Disables a periodic check for new PMM versions as well as ability to apply upgrades using the UI (need to be disabled in k8s environment as updates rolled with helm/container update)
  ##
  DISABLE_UPDATES: "1"
#  ENABLE_DBAAS: "1"
#  optional variables to integrate Grafana with internal iDP, see also secret part
  GF_AUTH_GENERIC_OAUTH_NAME: 'Google Login'
  GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
  GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'true'
  GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: 'false'
  GF_AUTH_GENERIC_OAUTH_SCOPES: 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: 'https://accounts.google.com/o/oauth2/auth'
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: 'https://accounts.google.com/o/oauth2/token'
  GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: 'xxx.com.tw'
  GF_AUTH_GENERIC_OAUTH_HOSTED_DOMAIN: 'xxxx.com'
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "xxx.apps.googleusercontent.com"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: xxx
  GF_SERVER_ROOT_URL: 'https://pmm.xxx.com'
  GF_SERVE_FROM_SUB_PATH: 'true'
  
## @param pmmResources optional [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) requested for [PMM container](https://docs.percona.com/percona-monitoring-and-management/setting-up/server/index.html#set-up-pmm-server)
    ##  pmmResources:
    ##    requests:
    ##      memory: "32Gi"
    ##      cpu: "8"
    ##    limits:
    ##      memory: "64Gi"
    ##      cpu: "32"
pmmResources: {}

## Readiness probe Config
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param readyProbeConf.initialDelaySeconds  Number of seconds after the container has started before readiness probes is initiated
## @param readyProbeConf.periodSeconds How often (in seconds) to perform the probe
## @param readyProbeConf.failureThreshold When a probe fails, Kubernetes will try failureThreshold times before giving up
##
readyProbeConf:
  initialDelaySeconds: 1
  periodSeconds: 5
  failureThreshold: 6

## @section PMM secrets
##
secret:
  ## @param secret.name Defines the name of the k8s secret that holds passwords and other secrets
  ##
  name: pmm-secret
  ## @param secret.create If true then secret will be generated by Helm chart. Otherwise it is expected to be created by user.
  ##
  create: true
  ## @param secret.pmm_password Initial PMM password - it changes only on the first deployment, ignored if PMM was already provisioned and just restarted. If PMM admin password is not set, it will be generated.
  ## E.g.
  ## pmm_password: admin
  ##
  ## To get password execute `kubectl get secret pmm-secret -o jsonpath='{.data.PMM_ADMIN_PASSWORD}' | base64 --decode`
  ##
  pmm_password: "xxx"
  ## 
  # GF_AUTH_GENERIC_OAUTH_CLIENT_ID optional client ID to integrate Grafana with internal iDP, requires other env defined as well under pmmEnv
  # GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
  # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET optional secret to integrate Grafana with internal iDP, requires other env defined as well under pmmEnv
  # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:

## @param certs Optional certificates, if not provided PMM would use generated self-signed certificates,
##   please provide your own signed ssl certificates like this:
## certs:
  ## name: pmm-certs
  ## files:
  ##  certificate.crt:
  ##  certificate.key:
  ##  ca-certs.pem:
  ##  dhparam.pem:
certs: {}

## @section PMM network configuration
## Service configuration
##
service:
  ## @param service.name Service name that is dns name monitoring services would send data to. `monitoring-service` used by default by pmm-client in Percona operators.
  ##
  name: monitoring-service
  ## @param service.type Kubernetes Service type
  ##
  type: NodePort

  ## Ports 443 and/or 80
  ##
  ports:
    ## @param service.ports[0].port https port number
    - port: 443
      ## @param service.ports[0].targetPort target port to map for statefulset and ingress
      targetPort: https
      ## @param service.ports[0].protocol protocol for https
      protocol: TCP
      ## @param service.ports[0].name port name
      name: https
    ## @param service.ports[1].port http port number
    - port: 80
      ## @param service.ports[1].targetPort target port to map for statefulset and ingress
      targetPort: http
      ## @param service.ports[1].protocol protocol for http
      protocol: TCP
      ## @param service.ports[1].name port name
      name: http

## Ingress controller configuration
##
ingress:
  ## @param ingress.enabled -- Enable ingress controller resource
  enabled: true
  ## @param ingress.nginxInc -- Using ingress controller from NGINX Inc
  nginxInc: false
  ## @param ingress.annotations -- Ingress annotations configuration
  annotations: {}
    ## kubernetes.io/ingress.class: nginx
    ## kubernetes.io/tls-acme: "true"
    ###  nginx proxy to https
    ## nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  ## @param ingress.community.annotations -- Ingress annotations configuration for community managed ingress (nginxInc = false)
  community:
    annotations: {}
      ## kubernetes.io/ingress.class: nginx
      ## kubernetes.io/tls-acme: "true"
  ## @param ingress.ingressClassName -- Sets the ingress controller class name to use.
  ingressClassName: "nginx-internal"

  ## Ingress resource hostnames and path mappings
  hosts:
    ## @param ingress.hosts[0].host hostname
    - host: pmm.xxx.com
    ## @param ingress.hosts[0].paths path mapping
      paths: ["/"]

  ## @param ingress.pathType -- How ingress paths should be treated.
  pathType: Prefix

  ## @param ingress.tls -- Ingress TLS configuration
  tls: []
  ##  - secretName: chart-example-tls
  ##    hosts:
  ##      - chart-example.local

## @section PMM storage configuration
## Claiming storage for PMM using Persistent Volume Claims (PVC)
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
##
storage:
  ## @param storage.name name of PVC
  name: pmm-storage
  ## @param storage.storageClassName optional PMM data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClassName: "gp2"
  ##
  ## @param storage.size size of storage [depends](https://docs.percona.com/percona-monitoring-and-management/setting-up/server/index.html#set-up-pmm-server) on number of monitored services and data retention
  ##
  size: 10Gi
  ##
  ## @param storage.dataSource VolumeSnapshot to start from
  ##
  dataSource: {}
    ## name: before-vX.Y.Z-upgrade
    ## kind: VolumeSnapshot
    ## apiGroup: snapshot.storage.k8s.io
  ##
  ## @param storage.selector select existing PersistentVolume
  ##
  selector: {}
  ##   matchLabels:
  ##     release: "stable"
  ##   matchExpressions:
  ##     - key: environment
  ##       operator: In
  ##       values:
  ##         - dev

## @section PMM kubernetes configurations
## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name)
##
nameOverride: ""

## @param extraLabels Labels to add to all deployed objects
##
extraLabels: {}

## Pods Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
##
serviceAccount:
  create: true
  annotations: {}
  name: "pmm-service-account"

## @param podAnnotations Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}

## @param podSecurityContext Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## E.g
## podSecurityContext:
  ## fsGroup: 2000
##
podSecurityContext: {}

## @param securityContext Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## securityContext.capabilities The capabilities to add/drop when running containers
## securityContext.runAsUser Set pmm containers' Security Context runAsUser
## securityContext.runAsNonRoot Set pmm container's Security Context runAsNonRoot
## E.g.
## securityContext:
  ## capabilities:
  ##   drop:
  ##   - ALL
  ## readOnlyRootFilesystem: true
  ## runAsNonRoot: true
  ## runAsUser: 1000
securityContext: {}


## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector:
  kubernetes.io/os: xxx

## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []

## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}

[tu-doan]

Your auth generic config is fine. However, for the server config, it should be:

  GF_SERVER_ROOT_URL: 'https://pmm.xxxx.com/graph/'
  GF_SERVER_SERVE_FROM_SUB_PATH: 'true'
  GF_SERVER_DOMAIN: pmm.xxxx.com

You are:

• missing path /graph/ in root url
• mistaking var GF_SERVER_SERVE_FROM_SUB_PATH instead of GF_SERVE_FROM_SUB_PATH
• and missing var GF_SERVER_DOMAIN

Hope this help!