feat(grafana): add oauth2 proxy

Author: duanhongyi

Makefile

@@ -2,7 +2,7 @@ SHELL := /bin/bash
 
 # grafana share/use the following targets/exports
 SHORT_NAME ?= grafana
-SHELL_SCRIPTS = rootfs/usr/bin/start-grafana
+SHELL_SCRIPTS = rootfs/usr/share/grafana/oauth2
 
 BUILD_TAG ?= git-$(shell git rev-parse --short HEAD)
 DRYCC_REGISTRY ?= ${DEV_REGISTRY}
@@ -12,7 +12,7 @@ PLATFORM ?= linux/amd64,linux/arm64
 include includes.mk
 include versioning.mk
 
-TEST_ENV_PREFIX := podman run --rm -v ${CURDIR}:/bash -w /bash ${DEV_REGISTRY}/drycc/go-dev
+TEST_ENV_PREFIX := podman run --rm -v ${CURDIR}:/bash -w /bash ${DEV_REGISTRY}/drycc/python-dev
 
 build: podman-build
 push: podman-push
@@ -31,7 +31,7 @@ clean: check-podman
 test: test-style
 
 test-style:
-	${TEST_ENV_PREFIX} shellcheck $(SHELL_SCRIPTS)
+	${TEST_ENV_PREFIX} flake8 --show-source --max-line-length=100 $(SHELL_SCRIPTS)
 
 .PHONY: build push podman-build clean upgrade deploy test test-style
 

charts/grafana/templates/_helpers.tmpl

@@ -9,31 +9,60 @@ env:
   valueFrom:
     fieldRef:
       fieldPath: metadata.namespace
-{{- if .Values.prometheusUrl }}
-- name: "PROMETHEUS_URL"
-  value: "{{ .Values.prometheusUrl }}"
-{{- else if .Values.prometheus.enabled }}
-- name: "PROMETHEUS_URL"
-  value: "http://$(DRYCC_CONTROLLER_API_SERVICE_HOST):$(DRYCC_CONTROLLER_API_SERVICE_PORT)/v2/prometheus"
+{{- if (.Values.valkeyUrl) }}
+- name: DRYCC_VALKEY_URL
+  value: "{{ .Values.valkeyUrl }}"
+{{- else if .Values.valkey.enabled }}
+- name: DRYCC_VALKEY_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: valkey-creds
+      key: password
+- name: DRYCC_VALKEY_URL
+  value: "redis://:$(DRYCC_VALKEY_PASSWORD)@drycc-valkey.{{.Release.Namespace}}.svc.{{.Values.global.clusterDomain}}:16379/0"
 {{- end }}
-- name: "VALKEY_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.valkey.enabled }}
-- name: "STORAGE_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.storage.enabled }}
-- name: "DATABASE_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.database.enabled }}
-- name: "PASSPORT_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.passport.enabled }}
-- name: "REGISTRY_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.registry.enabled }}
-- name: "PROMETHEUS_LOCATION"
-  value: {{ ternary "on-cluster" "off-cluster" .Values.prometheus.enabled }}
-- name: "DRYCC_GATEWAY_SCHEME"
+{{- if .Values.victoriametricsUrl }}
+- name: "DRYCC_VICTORIAMETRICS_URL"
+  value: "{{ .Values.victoriametricsUrl }}"
+{{- else if .Values.victoriametrics.enabled }}
+- name: "DRYCC_VICTORIAMETRICS_USERNAME"
+  valueFrom:
+    secretKeyRef:
+      name: victoriametrics-vmauth-creds
+      key: username
+- name: "DRYCC_VICTORIAMETRICS_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: victoriametrics-vmauth-creds
+      key: password
+- name: "DRYCC_VICTORIAMETRICS_URL"
+  value: "http://$(DRYCC_VICTORIAMETRICS_USERNAME):$(DRYCC_VICTORIAMETRICS_PASSWORD)@drycc-victoriametrics-vmauth.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:8427/select/0/prometheus"
+{{- end }}
+{{- if .Values.passport.enabled}}
+- name: "DRYCC_PASSPORT_URL"
 {{- if .Values.global.certManagerEnabled }}
-  value: https
+  value: https://drycc-passport.{{ .Values.global.platformDomain }}
 {{- else }}
-  value: http
-{{- end}}
+  value: http://drycc-passport.{{ .Values.global.platformDomain }}
+{{- end }}
+- name: DRYCC_PASSPORT_KEY
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-grafana-key
+- name: DRYCC_PASSPORT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-grafana-secret
+{{- else }}
+- name: DRYCC_PASSPORT_URL
+  value: "{{ .Values.passportUrl }}"
+- name: DRYCC_PASSPORT_KEY
+  value: "{{ .Values.passportKey }}"
+- name: DRYCC_PASSPORT_SECRET
+  value: "{{ .Values.passportSecret }}"
+{{- end }}
 - name: GF_DATABASE_TYPE
   value: postgres
 {{- if (.Values.databaseUrl) }}
@@ -53,49 +82,22 @@ env:
 - name: GF_DATABASE_URL
   value: "postgres://$(GF_DATABASE_USER):$(GF_DATABASE_PASSWORD)@drycc-database.{{.Release.Namespace}}.svc.{{.Values.global.clusterDomain}}:5432/grafana"
 {{- end }}
-{{- if not (.Values.environment.GF_SECURITY_ADMIN_USER) }}
 - name: "GF_SECURITY_ADMIN_USER"
-  value: {{ randAlphaNum 32 }}
-{{- end}}
-{{- if not (.Values.environment.GF_SECURITY_ADMIN_PASSWORD) }}
-- name: "GF_SECURITY_ADMIN_PASSWORD"
-  value: {{ randAlphaNum 32 }}
-{{- end}}
-{{- if not (.Values.environment.GF_SECURITY_SECRET_KEY) }}
-- name: "GF_SECURITY_SECRET_KEY"
-  value: {{ randAlphaNum 32 }}
-{{- end}}
-- name: "GF_SERVER_ROOT_URL"
-  value: $(DRYCC_GATEWAY_SCHEME)://drycc-grafana.{{ .Values.global.platformDomain }}
-{{- if .Values.passport.enabled}}
-- name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
-  value: $(DRYCC_GATEWAY_SCHEME)://drycc-passport.{{ .Values.global.platformDomain }}/oauth/authorize/
-- name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
-  value: $(DRYCC_GATEWAY_SCHEME)://drycc-passport.{{ .Values.global.platformDomain }}/oauth/token/
-- name: GF_AUTH_GENERIC_OAUTH_API_URL
-  value: $(DRYCC_GATEWAY_SCHEME)://drycc-passport.{{ .Values.global.platformDomain }}/oauth/userinfo/
-- name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
   valueFrom:
     secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-grafana-key
-- name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      name: grafana-creds
+      key: admin-username
+- name: "GF_SECURITY_ADMIN_PASSWORD"
   valueFrom:
     secretKeyRef:
-      name: passport-creds
-      key: drycc-passport-grafana-secret
+      name: grafana-creds
+      key: admin-password
+- name: "GF_SERVER_ROOT_URL"
+{{- if .Values.global.certManagerEnabled }}
+  value: https://drycc-grafana.{{ .Values.global.platformDomain }}
 {{- else }}
-- name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
-  value: {{ .Values.passportUrl }}/oauth/authorize/
-- name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
-  value: {{ .Values.passportUrl }}/oauth/token/
-- name: GF_AUTH_GENERIC_OAUTH_API_URL
-  value: {{ .Values.passportUrl }}/oauth/userinfo/
-- name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
-  value: "{{ .Values.passportKey }}"
-- name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
-  value: "{{ .Values.passportSecret }}"
-{{- end }}
+  value: http://drycc-grafana.{{ .Values.global.platformDomain }}
+{{- end}}
 - name: GF_UNIFIED_ALERTING_HA_PEERS
   value: "drycc-grafana.{{.Release.Namespace}}.svc.{{.Values.global.clusterDomain}}:9094"
 - name: GF_UNIFIED_ALERTING_HA_ADVERTISE_ADDRESS

charts/grafana/templates/grafana-configmap.yaml

@@ -6,15 +6,42 @@ metadata:
   labels:
     heritage: drycc
 data:
+  Caddyfile: |
+    {
+      order reverse_proxy before encode
+      auto_https off
+      log {
+        output stdout
+      }
+    }
+    :5000 {
+      handle /oauth2/* {
+        reverse_proxy 127.0.0.1:4000
+      }
+
+      handle {
+        forward_auth 127.0.0.1:4000 {
+          uri /oauth2/userinfo
+          copy_headers Remote-User Remote-Name Remote-Email
+          header_up -Connection
+          header_up X-Real-IP {remote_host}
+          @error status 401
+          handle_response @error {
+            redir * /oauth2/sign_in?redirect={scheme}://{host}{uri}
+          }
+        }
+        reverse_proxy 127.0.0.1:3000
+      }
+    }
   grafana.ini: |
     app_mode = production
 
     [paths]
     data = /var/lib/grafana
     home = /usr/share/grafana
     logs = /var/log/grafana
-    plugins = /var/lib/grafana/plugins
-    provisioning = /opt/drycc/grafana/conf/provisioning
+    plugins = /usr/share/grafana/plugins
+    provisioning = /usr/share/grafana/provisioning
 
     [server]
     http_port = 3000
@@ -26,9 +53,8 @@ data:
     reporting_enabled = false
 
     [security]
-    admin_user = drycc
-    admin_password = drycc
     admin_email = admin@drycc.cc
+    secret_key = KSJRZP0RIhO7P14e1TykTEzWuJhBobAj
     login_remember_days = 7
     cookie_username = grafana_user
     cookie_remember_name = grafana_remember
@@ -37,31 +63,31 @@ data:
     [users]
     allow_sign_up = false
     allow_org_create = false
-    auto_assign_org = true
-    auto_assign_org_id = 1
+    auto_assign_org = false
     login_hint = email or username
 
     [auth]
     disable_login_form = true
-
-    [auth.anonymous]
-    enabled = false
-    org_name = Main Org.
+    disable_signout_menu = false
 
     [auth.basic]
     enabled = true
 
-    [auth.generic_oauth]
+    [auth.proxy]
     enabled = true
-    name = Drycc OAuth
-    auto_login = true
-    scopes = email,profile,openid
-    allow_sign_up = true
-    tls_skip_verify_insecure = true
-    org_attribute_path = roles
-    org_mapping = admin:*:Admin staff:*:Editor users:2:Viewer
-    role_attribute_path = (is_active && ((is_superuser && 'GrafanaAdmin') || (is_staff && 'Editor'))) || 'None'
-    allow_assign_grafana_admin = true
+    header_name = Remote-User
+    header_property = username
+    auto_sign_up = true
+    sync_ttl = 15
+    headers = Name:Remote-Name Email:Remote-Email
+    enable_login_token = false
+
+    [live]
+    max_connections = 100
+    message_size_limit = 65536
+    allowed_origins = *
+    ha_engine = redis
+    ha_prefix = "grafana:live"
 
     [emails]
     welcome_email_on_sign_up = false
@@ -74,13 +100,25 @@ data:
     [log.console]
     level = info
 
+    [quota]
+    enabled = true
+    org_user = 2
+    org_dashboard = 20
+    org_data_source = 5
+    org_api_key = 2
+    org_alert_rule = 20
+    user_org = 2
+    alerting_rule_group_rules = 20
+    alerting_rule_evaluation_results = 20
+
     [unified_alerting]
     enabled = true
-    disabled_orgs = 2
     ha_peer_timeout = 15s
     ha_reconnect_timeout = 2m
     ha_listen_address = 0.0.0.0:9094
+    evaluation_timeout = 3s
+    max_attempts = 3
+    min_interval = 1m
 
-    [dashboards.json]
-    enabled = true
-    path = /usr/share/grafana/dashboards
+    [plugins]
+    plugin_admin_enabled = false