Adding Grafana authentication information (#863)

Specifying the details needed for customers to secure their Grafana
container.

<!-- Explain the changes introduced in your PR -->

## Pull Request approval

You will need to get your PR approved by at least one member of the
Sourcegraph team. For reviews of docs formatting, styles, and component
usage, please tag the docs team via the #docs Slack channel.

Author: marcleblanc2

docs/admin/observability/metrics.mdx

@@ -82,8 +82,36 @@ sshuttle -r user@host 0/0
 
 Grafana will be available at http://host:3370/-/debug/grafana.
 
-> WARNING: Our Grafana instance runs in anonymous mode with all authentication turned off, since we rely on Sourcegraph's built-in authentication.
-> Please be careful when exposing it directly to external traffic.
+### Grafana Security
+
+<Callout type="warning">
+WARNING: By default, our Grafana container runs in anonymous mode with authentication disabled, relying on Sourcegraph's authentication and authorization when accessed through your Sourcegraph instance.
+
+We recommend you use your network security controls to prevent access to Grafana's listening ports, or enable Grafana's builtin authentication.
+</Callout>
+
+To enable Grafana's builtin authentication, configure the `GF_AUTH_ANONYMOUS_ENABLED` environment variable to `false` in the Grafana container's environment variables in your deployment override file.
+
+We also recommend that you customize the default admin username and password by configuring the `GF_SECURITY_ADMIN_USER` and `GF_SECURITY_ADMIN_PASSWORD` environment variables, using your secrets management tool in your deployment pipeline.
+
+```yaml
+# Helm override
+grafana:
+  env:
+    GF_AUTH_ANONYMOUS_ENABLED:
+      value: "false"
+    GF_SECURITY_ADMIN_USER:
+      value: "custom-admin-username"
+    GF_SECURITY_ADMIN_PASSWORD:
+      value: "custom-admin-password"
+
+# Docker Compose override
+  grafana:
+    environment:
+      - 'GF_SECURITY_ADMIN_USER=custom-admin-username'
+      - 'GF_SECURITY_ADMIN_PASSWORD=custom-admin-password'
+      - 'GF_AUTH_ANONYMOUS_ENABLED=false'
+```
 
 ## Prometheus