chore(grafana): add ldap support for grafana

Author: duanhongyi

charts/monitor/templates/monitor-grafana-deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     heritage: drycc
   annotations:
-    component.drycc.cc/version: {{ .Values.monitor.grafana.docker_tag }}
+    component.drycc.cc/version: {{ .Values.grafana.docker_tag }}
 spec:
   replicas: 1
   strategy:
@@ -24,16 +24,16 @@ spec:
     spec:
       containers:
       - name: drycc-monitor-grafana
-        image: {{.Values.monitor.grafana.docker_registry}}{{.Values.monitor.grafana.org}}/grafana:{{.Values.monitor.grafana.docker_tag}}
-        imagePullPolicy: {{.Values.monitor.grafana.pull_policy}}
-{{- if or (.Values.monitor.grafana.limits_cpu) (.Values.monitor.grafana.limits_memory)}}
+        image: {{.Values.grafana.docker_registry}}{{.Values.grafana.org}}/grafana:{{.Values.grafana.docker_tag}}
+        imagePullPolicy: {{.Values.grafana.pull_policy}}
+{{- if or (.Values.grafana.limits_cpu) (.Values.grafana.limits_memory)}}
         resources:
           limits:
-{{- if (.Values.monitor.grafana.limits_cpu) }}
-            cpu: {{.Values.monitor.grafana.limits_cpu}}
+{{- if (.Values.grafana.limits_cpu) }}
+            cpu: {{.Values.grafana.limits_cpu}}
 {{- end}}
-{{- if (.Values.monitor.grafana.limits_memory) }}
-            memory: {{.Values.monitor.grafana.limits_memory}}
+{{- if (.Values.grafana.limits_memory) }}
+            memory: {{.Values.grafana.limits_memory}}
 {{- end}}
 {{- end}}
         env:
@@ -65,15 +65,17 @@ spec:
         - name: "BIND_PORT"
           value: "3500"
         - name: "DEFAULT_USER"
-          value: {{.Values.monitor.grafana.user}}
+          value: {{.Values.grafana.user}}
         - name: "DEFAULT_USER_PASSWORD"
-          value: {{.Values.monitor.grafana.password}}
-        - name: "ALLOW_SIGN_UP"
-          value: {{.Values.monitor.grafana.allow_sign_up | quote}}
+          value: {{.Values.grafana.password}}
+        {{- range $key, $value := .Values.grafana.environment }}
+        - name: {{ $key }}
+          value: {{ $value | quote }}
+        {{- end }}
         ports:
         - containerPort: 3500
           name: ui
-{{- if .Values.monitor.grafana.persistence.enabled }}
+{{- if .Values.grafana.persistence.enabled }}
         volumeMounts:
         - name: grafana-data
           mountPath: /var/lib/grafana

charts/monitor/templates/monitor-grafana-pvc.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.monitor.grafana.persistence.enabled }}
+{{- if .Values.grafana.persistence.enabled }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
@@ -7,18 +7,18 @@ metadata:
     heritage: drycc
 spec:
   accessModes:
-    - {{ .Values.monitor.grafana.persistence.accessMode | quote }}
+    - {{ .Values.grafana.persistence.accessMode | quote }}
   resources:
     requests:
-      storage: {{ .Values.monitor.grafana.persistence.size | quote }}
-{{- if .Values.monitor.grafana.persistence.storageClass }}
-{{- if (eq "-" .Values.monitor.grafana.persistence.storageClass) }}
+      storage: {{ .Values.grafana.persistence.size | quote }}
+{{- if .Values.grafana.persistence.storageClass }}
+{{- if (eq "-" .Values.grafana.persistence.storageClass) }}
   storageClassName: ""
 {{- else }}
-  storageClassName: "{{ .Values.monitor.grafana.persistence.storageClass }}"
+  storageClassName: "{{ .Values.grafana.persistence.storageClass }}"
 {{- end }}
 {{- end }}
-{{- if .Values.monitor.grafana.persistence.volumeName }}
-  volumeName: "{{ .Values.monitor.grafana.persistence.volumeName }}"
+{{- if .Values.grafana.persistence.volumeName }}
+  volumeName: "{{ .Values.grafana.persistence.volumeName }}"
 {{- end }}
 {{- end }}

charts/monitor/templates/monitor-influxdb-creds-secret.yaml

@@ -7,8 +7,8 @@ metadata:
     heritage: drycc
 type: Opaque
 data:
-  url: {{ .Values.monitor.influxdb.url | b64enc }}
-  database: {{ .Values.monitor.influxdb.database | b64enc }}
-  user: {{ .Values.monitor.influxdb.user | b64enc }}
-  password: {{ .Values.monitor.influxdb.password | b64enc }}
+  url: {{ .Values.influxdb.url | b64enc }}
+  database: {{ .Values.influxdb.database | b64enc }}
+  user: {{ .Values.influxdb.user | b64enc }}
+  password: {{ .Values.influxdb.password | b64enc }}
 {{- end }}

charts/monitor/templates/monitor-influxdb-deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     heritage: drycc
   annotations:
-    component.drycc.cc/version: {{ .Values.monitor.influxdb.docker_tag }}
+    component.drycc.cc/version: {{ .Values.influxdb.docker_tag }}
 spec:
   replicas: 1
   strategy:
@@ -21,16 +21,16 @@ spec:
     spec:
       containers:
       - name: drycc-monitor-influxdb
-        image: {{.Values.monitor.influxdb.docker_registry}}{{.Values.monitor.influxdb.org}}/influxdb:{{.Values.monitor.influxdb.docker_tag}}
-        imagePullPolicy: {{.Values.monitor.influxdb.pull_policy}}
-{{- if or (.Values.monitor.influxdb.limits_cpu) (.Values.monitor.influxdb.limits_memory)}}
+        image: {{.Values.influxdb.docker_registry}}{{.Values.influxdb.org}}/influxdb:{{.Values.influxdb.docker_tag}}
+        imagePullPolicy: {{.Values.influxdb.pull_policy}}
+{{- if or (.Values.influxdb.limits_cpu) (.Values.influxdb.limits_memory)}}
         resources:
           limits:
-{{- if (.Values.monitor.influxdb.limits_cpu) }}
-            cpu: {{.Values.monitor.influxdb.limits_cpu}}
+{{- if (.Values.influxdb.limits_cpu) }}
+            cpu: {{.Values.influxdb.limits_cpu}}
 {{- end}}
-{{- if (.Values.monitor.influxdb.limits_memory) }}
-            memory: {{.Values.monitor.influxdb.limits_memory}}
+{{- if (.Values.influxdb.limits_memory) }}
+            memory: {{.Values.influxdb.limits_memory}}
 {{- end}}
 {{- end}}
         ports:
@@ -54,7 +54,7 @@ spec:
             port: 8086
           initialDelaySeconds: 1
           timeoutSeconds: 1
-{{- if .Values.monitor.influxdb.persistence.enabled }}
+{{- if .Values.influxdb.persistence.enabled }}
         volumeMounts:
         - name: influxdb-data
           mountPath: /data

charts/monitor/templates/monitor-influxdb-pvc.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.monitor.influxdb.persistence.enabled }}
+{{- if .Values.influxdb.persistence.enabled }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
@@ -7,18 +7,18 @@ metadata:
     heritage: drycc
 spec:
   accessModes:
-    - {{ .Values.monitor.influxdb.persistence.accessMode | quote }}
+    - {{ .Values.influxdb.persistence.accessMode | quote }}
   resources:
     requests:
-      storage: {{ .Values.monitor.influxdb.persistence.size | quote }}
-{{- if .Values.monitor.influxdb.persistence.storageClass }}
-{{- if (eq "-" .Values.monitor.influxdb.persistence.storageClass) }}
+      storage: {{ .Values.influxdb.persistence.size | quote }}
+{{- if .Values.influxdb.persistence.storageClass }}
+{{- if (eq "-" .Values.influxdb.persistence.storageClass) }}
   storageClassName: ""
 {{- else }}
-  storageClassName: "{{ .Values.monitor.influxdb.persistence.storageClass }}"
+  storageClassName: "{{ .Values.influxdb.persistence.storageClass }}"
 {{- end }}
 {{- end }}
-{{- if .Values.monitor.influxdb.persistence.volumeName }}
-  volumeName: "{{ .Values.monitor.influxdb.persistence.volumeName }}"
+{{- if .Values.influxdb.persistence.volumeName }}
+  volumeName: "{{ .Values.influxdb.persistence.volumeName }}"
 {{- end }}
 {{- end }}

charts/monitor/templates/monitor-telegraf-daemon.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     heritage: drycc
   annotations:
-    component.drycc.cc/version: {{ .Values.monitor.telegraf.docker_tag }}
+    component.drycc.cc/version: {{ .Values.telegraf.docker_tag }}
 spec:
   selector:
     matchLabels:
@@ -22,16 +22,16 @@ spec:
       serviceAccount: drycc-monitor-telegraf
       containers:
         - name: drycc-monitor-telegraf
-          image: {{.Values.monitor.telegraf.docker_registry}}{{.Values.monitor.telegraf.org}}/telegraf:{{.Values.monitor.telegraf.docker_tag}}
-          imagePullPolicy: {{.Values.monitor.telegraf.pull_policy}}
-{{- if or (.Values.monitor.telegraf.limits_cpu) (.Values.monitor.telegraf.limits_memory)}}
+          image: {{.Values.telegraf.docker_registry}}{{.Values.telegraf.org}}/telegraf:{{.Values.telegraf.docker_tag}}
+          imagePullPolicy: {{.Values.telegraf.pull_policy}}
+{{- if or (.Values.telegraf.limits_cpu) (.Values.telegraf.limits_memory)}}
           resources:
             limits:
-{{- if (.Values.monitor.telegraf.limits_cpu) }}
-              cpu: {{.Values.monitor.telegraf.limits_cpu}}
+{{- if (.Values.telegraf.limits_cpu) }}
+              cpu: {{.Values.telegraf.limits_cpu}}
 {{- end}}
-{{- if (.Values.monitor.telegraf.limits_memory) }}
-              memory: {{.Values.monitor.telegraf.limits_memory}}
+{{- if (.Values.telegraf.limits_memory) }}
+              memory: {{.Values.telegraf.limits_memory}}
 {{- end}}
 {{- end}}
           env:

charts/monitor/templates/monitor-telegraf-deployment.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     heritage: drycc
   annotations:
-    component.drycc.cc/version: {{ .Values.monitor.telegraf.docker_tag }}
+    component.drycc.cc/version: {{ .Values.telegraf.docker_tag }}
 spec:
   replicas: 1
   selector:
@@ -25,16 +25,16 @@ spec:
       serviceAccount: drycc-monitor-telegraf
       containers:
         - name: drycc-monitor-telegraf
-          image: {{.Values.monitor.telegraf.docker_registry}}{{.Values.monitor.telegraf.org}}/telegraf:{{.Values.monitor.telegraf.docker_tag}}
-          imagePullPolicy: {{.Values.monitor.telegraf.pull_policy}}
-{{- if or (.Values.monitor.telegraf.limits_cpu) (.Values.monitor.telegraf.limits_memory)}}
+          image: {{.Values.telegraf.docker_registry}}{{.Values.telegraf.org}}/telegraf:{{.Values.telegraf.docker_tag}}
+          imagePullPolicy: {{.Values.telegraf.pull_policy}}
+{{- if or (.Values.telegraf.limits_cpu) (.Values.telegraf.limits_memory)}}
           resources:
             limits:
-{{- if (.Values.monitor.telegraf.limits_cpu) }}
-              cpu: {{.Values.monitor.telegraf.limits_cpu}}
+{{- if (.Values.telegraf.limits_cpu) }}
+              cpu: {{.Values.telegraf.limits_cpu}}
 {{- end}}
-{{- if (.Values.monitor.telegraf.limits_memory) }}
-              memory: {{.Values.monitor.telegraf.limits_memory}}
+{{- if (.Values.telegraf.limits_memory) }}
+              memory: {{.Values.telegraf.limits_memory}}
 {{- end}}
 {{- end}}
           env:

charts/monitor/values.yaml

@@ -1,38 +1,41 @@
-monitor:
-  grafana:
-    org: "drycc"
-    pull_policy: "Always"
-    docker_tag: "canary"
-    docker_registry: ""
-    allow_sign_up: "true"
-    # limits_cpu: "100m"
-    # limits_memory: "50Mi"
-    persistence:
-      enabled: false
-      accessMode: ReadWriteOnce
-      size: 5Gi
-  influxdb:
-    org: "drycc"
-    pull_policy: "Always"
-    docker_tag: "canary"
-    docker_registry: ""
-    # limits_cpu: "100m"
-    # limits_memory: "50Mi"
-    url: "my.influx.url"
-    database: "kubernetes"
-    user: "user"
-    password: "password"
-    persistence:
-      enabled: false
-      accessMode: ReadWriteOnce
-      size: 20Gi
-  telegraf:
-    org: "drycc"
-    pull_policy: "Always"
-    docker_tag: "canary"
-    docker_registry: ""
-    # limits_cpu: "100m"
-    # limits_memory: "50Mi"
+grafana:
+  org: "drycc"
+  pull_policy: "Always"
+  docker_tag: "canary"
+  docker_registry: ""
+  # limits_cpu: "100m"
+  # limits_memory: "50Mi"
+  persistence:
+    enabled: false
+    accessMode: ReadWriteOnce
+    size: 5Gi
+  # Any custom grafana environment variables
+  # can be specified as key-value pairs under environment
+  # this is usually a non required setting.
+  environment:
+    ALLOW_SIGN_UP: false
+influxdb:
+  org: "drycc"
+  pull_policy: "Always"
+  docker_tag: "canary"
+  docker_registry: ""
+  # limits_cpu: "100m"
+  # limits_memory: "50Mi"
+  url: "my.influx.url"
+  database: "kubernetes"
+  user: "user"
+  password: "password"
+  persistence:
+    enabled: false
+    accessMode: ReadWriteOnce
+    size: 20Gi
+telegraf:
+  org: "drycc"
+  pull_policy: "Always"
+  docker_tag: "canary"
+  docker_registry: ""
+  # limits_cpu: "100m"
+  # limits_memory: "50Mi"
 
 nsqd:
   replicas: 1

grafana/rootfs/usr/share/grafana/grafana.ini.tpl

@@ -221,9 +221,9 @@ enabled = {{ default "true" .BASIC_AUTH }}
 
 #################################### Auth LDAP ##########################
 [auth.ldap]
-{{ if .LDAP_AUTH }}
-enabled = {{ .LDAP_AUTH }}
-config_file = {{ default "/etc/grafana/ldap.toml" .LDAP_AUTH_CONFIG_FILE }}
+{{ if .LDAP_ENDPOINT }}
+enabled = true
+config_file = "/usr/share/grafana/ldap.toml"
 {{ end }}
 
 #################################### SMTP / Emailing ##########################

grafana/rootfs/usr/share/grafana/ldap.toml.tpl

@@ -0,0 +1,45 @@
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ .LDAP_HOST }}"
+# Default port is 389 or 636 if use_ssl = true
+port = {{ .LDAP_PORT }}
+# Set to true if LDAP server supports TLS
+use_ssl = {{ .LDAP_USE_SSL }}
+# Set to true if connect LDAP server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = true
+# set to true if you want to skip SSL cert validation
+ssl_skip_verify = true
+
+# Search user bind dn
+bind_dn = "{{ .LDAP_BIND_DN }}"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = "{{ .LDAP_BIND_PASSWORD }}"
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
+search_filter = "{{ .LDAP_USER_FILTER }}"
+
+# An array of base dns to search through
+search_base_dns = ["{{ .LDAP_USER_BASEDN }}"]
+
+# Specify names of the LDAP attributes your LDAP uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "mail"
+
+[[servers.group_mappings]]
+group_dn = "{{ .LDAP_ADMIN_GROUP }}"
+org_role = "Admin"
+grafana_admin = true # Available in Grafana v5.3 and above
+
+[[servers.group_mappings]]
+group_dn = "{{ .LDAP_EDITOR_GROUP }}"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+group_dn = "{{ .LDAP_VIEWER_GROUP }}"
+org_role = "Viewer"