chore(prometheus): add auth

Author: EamonZhang

addons/postgresql-cluster/15/meta.yaml

@@ -20,7 +20,7 @@ allow_parameters:
 - name: "service.type"
   description: "service type config for values.yaml"
 - name: "metrics.enabled"
-  description: "metrics enable or not config for values.yaml"
+  description: "Whether to enable metrics. default true"
 - name: "walG.enabled"
-  description: "backup enable or not config for values.yaml"
+  description: "Whether to use S3 for backup your data. default true . ps: Make sure there is a available S3 "
 archive: false

addons/prometheus/2/chart/prometheus/templates/_helpers.tpl

@@ -108,6 +108,14 @@ Get the Prometheus configuration configmap key.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Get the Prometheus Alertmanager configuration configmap key.
+*/}}
+{{- define "prometheus.serever.web.configmapKey" -}}
+{{- printf "web-config.yaml" -}}
+{{- end -}}
+
+
 {{/*
 Get the Prometheus Alertmanager configuration configmap key.
 */}}

addons/prometheus/2/chart/prometheus/templates/server/configmap.yaml

@@ -17,7 +17,9 @@ metadata:
   {{- end }}
 data:
   {{ include "prometheus.server.configmapKey" . }}:
-    {{- include "common.tplvalues.render" (dict "value" .Values.server.configuration "context" $) | toYaml | nindent 4 }}
+  {{- include "common.tplvalues.render" (dict "value" .Values.server.configuration "context" $) | toYaml | nindent 4 }}
+  {{ include "prometheus.serever.web.configmapKey" .}}:
+  {{- include "common.tplvalues.render" (dict "value" .Values.server.webconfig "context" $) | toYaml | nindent 4 }}
   rules.yaml:
     {{- include "common.tplvalues.render" (dict "value" .Values.server.alertingRules "context" $) | toYaml | nindent 4 }}
 {{- end }}

addons/prometheus/2/chart/prometheus/templates/server/deployment.yaml

@@ -114,13 +114,13 @@ spec:
           args:
             - "--config.file=/opt/drycc/prometheus/conf/{{ include "prometheus.server.configmapKey" . }}"
             - "--storage.tsdb.path={{ .Values.server.persistence.mountPath }}"
-            - "--storage.tsdb.retention.time={{ .Values.server.retention }}"
             - "--storage.tsdb.retention.size={{ .Values.server.retentionSize }}"
             - "--log.level={{ .Values.server.logLevel }}"
             - "--log.format={{ .Values.server.logFormat }}"
             - "--web.listen-address=:{{ .Values.server.containerPorts.http }}"
             - "--web.console.libraries=/opt/drycc/prometheus/conf/console_libraries"
             - "--web.console.templates=/opt/drycc/prometheus/conf/consoles"
+            - "--web.config.file=/opt/drycc/prometheus/conf/web-config.yaml"
             {{- if .Values.server.enableAdminAPI}}
             - "--web.enable-admin-api"
             {{- end }}
@@ -141,6 +141,11 @@ spec:
             {{- if .Values.server.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.server.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "prometheus.server.fullname" . }}
+                  key: PASSWORD
           envFrom:
             {{- if .Values.server.extraEnvVarsCM }}
             - configMapRef:
@@ -164,6 +169,9 @@ spec:
             httpGet:
               path: /-/healthy
               port: http
+              httpHeaders:
+              - name: Authorization
+                value: Basic {{ printf "%s:%s" .Values.server.username .Values.server.password | b64enc }}
           {{- end }}
           {{- if .Values.server.customReadinessProbe }}
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customReadinessProbe "context" $) | nindent 12 }}
@@ -172,13 +180,20 @@ spec:
             httpGet:
               path: /-/ready
               port: http
+              httpHeaders:
+              - name: Authorization
+                value: Basic {{ printf "%s:%s" .Values.server.username .Values.server.password | b64enc }}
           {{- end }}
           {{- if .Values.server.customStartupProbe }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.server.customStartupProbe "context" $) | nindent 12 }}
           {{- else if .Values.server.startupProbe.enabled }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.server.startupProbe "enabled") "context" $) | nindent 12 }}
-            tcpSocket:
+            httpGet:
+              path: /-/ready
               port: http
+              httpHeaders:
+              - name: Authorization
+                value: Basic {{ printf "%s:%s" .Values.server.username .Values.server.password | b64enc }}
           {{- end }}
           {{- end }}
           {{- if .Values.server.lifecycleHooks }}

addons/prometheus/2/chart/prometheus/templates/server/sec.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "prometheus.server.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels:
+    application: {{ template "prometheus.server.fullname" . }}
+    chart: {{ template "prometheus.server.fullname" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    cluster-name: {{ template "prometheus.server.fullname" . }}
+type: Opaque
+data:
+  PASSWORD: {{ if .Values.password | default "" | ne "" }} {{ .Values.service.password | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}

addons/prometheus/2/chart/prometheus/values.yaml

@@ -80,7 +80,7 @@ ingress:
 ## @param alertmanager.image.pullSecrets Alertmanager image pull secrets
 ##
 alertmanager:
-  enabled: true
+  enabled: false
   image: 
     registry: registry.drycc.cc
     repository: drycc-addons/alertmanager
@@ -577,6 +577,8 @@ alertmanager:
 ## @param server.image.pullSecrets Prometheus image pull secrets
 ##
 server:
+  username: admin
+  password: admin
   image:
     registry: registry.drycc.cc
     repository: drycc-addons/prometheus
@@ -599,6 +601,10 @@ server:
   ## @param server.configuration [string] Promethus configuration. This content will be stored in the the prometheus.yaml file and the content can be a template.
   ## ref: <https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/values.yaml>
   ##
+  webconfig : |
+   basic_auth_users:
+    {{ htpasswd  .Values.server.username   .Values.server.password   | replace ":" ": "}}
+
   configuration: |
     global:
       {{- if .Values.server.scrapeInterval }}
@@ -703,7 +709,7 @@ server:
   ## @param server.startupProbe.successThreshold Success threshold for startupProbe
   ##
   startupProbe:
-    enabled: false
+    enabled: true
     initialDelaySeconds: 2
     periodSeconds: 5
     timeoutSeconds: 2

addons/prometheus/2/meta.yaml

@@ -13,8 +13,12 @@ tags: prometheus
 bindable: true
 instances_retrievable: true
 bindings_retrievable: true
-plan_updateable: true
+plan_updateable: false
 allow_parameters:
 - name: "networkPolicy.allowNamespaces"
   description: "networkPolicy allowNamespaces config for values.yaml"
+- name: "server.username"
+  description: "set username . default amdin"
+- name: "server.username"
+  description: "set passsword . default amdin"
 archive: false

addons/prometheus/2/plans/standard-10/bind.yaml

@@ -1,28 +1,24 @@
 credential:
-  {{- if (eq .Values.server.service.type "LoadBalancer") }}
-  - name: host
+{{- if (eq .Values.server.service.type "LoadBalancer") }}
+  - name: HOST
     valueFrom:
       serviceRef:
-        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        name: {{ include "common.names.fullname" . }}
         jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
-  - name: port
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}
-        jsonpath: '{ .spec.ports.port }' 
-  {{- end }}
-
-alertmanager
-
-  {{- if (eq .Values.alertmanager.service.type "LoadBalancer") }}
-  - name: host
+{{- else if (eq .Values.service.type "ClusterIP") }}
+  - name: HOST
     valueFrom:
       serviceRef:
-        name: {{ printf "%s" (include "common.names.fullname" .) }}
-        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
-  - name: port
+        name: {{ include "common.names.fullname" . }}
+        jsonpath: '{ .spec.clusterIP }'
+{{- end }}
+  - name: PORT
     valueFrom:
-      secretKeyRef:
+      serviceRef:
         name: {{ template "common.names.fullname" . }}
-        jsonpath: '{ .spec.ports.port }' 
-  {{- end }}
+        jsonpath: ' { .spec.ports[?(@.name=="http")].port }' 
+  - name: USER
+    valule: {{ .Values.server.username }} 
+  - name: PASSWORD
+    valule: {{ .Values.server.password }} 
+  {{- end }}

addons/prometheus/2/plans/standard-10/values.yaml

@@ -4,4 +4,5 @@ fullnameOverride: hb-prometheus-standard-10
 
 server:
   persistence:
-    size: 10Gi
+    size: 10Gi
+  retentionSize: 8Gi

addons/prometheus/2/plans/standard-50/bind.yaml

@@ -1,34 +1,24 @@
 credential:
-  {{- if (eq .Values.service.type "LoadBalancer") }}
-  - name: host
+{{- if (eq .Values.server.service.type "LoadBalancer") }}
+  - name: HOST
     valueFrom:
       serviceRef:
-        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        name: {{ include "common.names.fullname" . }}
         jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
-  - name: database
+{{- else if (eq .Values.service.type "ClusterIP") }}
+  - name: HOST
     valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.database }' 
-  - name: password
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.username }' 
-  - name: username
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.username }' 
-  - name: portrw
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.portrw }' 
-  - name: portro
+      serviceRef:
+        name: {{ include "common.names.fullname" . }}
+        jsonpath: '{ .spec.clusterIP }'
+{{- end }}
+  - name: PORT
     valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.portro }' 
+      serviceRef:
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: ' { .spec.ports[?(@.name=="http")].port }' 
+  - name: USER
+    valule: {{ .Values.server.username }} 
+  - name: PASSWORD
+    valule: {{ .Values.server.password }} 
   {{- end }}
-