feat(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

.gitignore

@@ -2,3 +2,5 @@
 *.swp
 *.swo
 .DS_Store
+.sisyphus
+__pycache__

charts/grafana/templates/_helpers.tmpl

@@ -21,11 +21,6 @@ env:
 - name: DRYCC_VALKEY_URL
   value: "redis://:$(DRYCC_VALKEY_PASSWORD)@drycc-valkey:16379/2"
 {{- end }}
-- name: DRYCC_SERVICE_KEY
-  valueFrom:
-    secretKeyRef:
-      name: controller-creds
-      key: service-key
 - name: "DRYCC_CONTROLLER_URL"
   value: http://drycc-controller-api
 - name: "DRYCC_QUICKWIT_URL"

charts/grafana/templates/grafana-cronjob-daily.yaml

@@ -0,0 +1,45 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: grafana-oauth2-token-refresher
+  labels:
+    app: grafana
+    component: token-refresher
+    heritage: drycc
+spec:
+  # Run daily at 2 AM (avoid peak business hours)
+  schedule: "0 2 * * *"
+  timeZone: "Asia/Shanghai"
+  
+  # Prevent concurrent executions (ensure a single instance)
+  concurrencyPolicy: Forbid
+  
+  # Keep the latest 3 successful and failed job records
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  
+  jobTemplate:
+    spec:
+      # Retry the job up to 3 times
+      backoffLimit: 3
+      
+      template:
+        metadata:
+          labels:
+            app: grafana
+            component: token-refresher
+        spec:
+          restartPolicy: OnFailure
+          containers:
+          - name: token-refresher
+            image: {{ .Values.imageRegistry }}/{{ .Values.imageOrg }}/grafana:{{ .Values.imageTag }}
+            imagePullPolicy: {{ .Values.imagePullPolicy }}
+            command: ["/usr/bin/env", "python3", "/usr/share/grafana/oauth2/token.py"]
+            {{- include "grafana.envs" . | indent 12 }}
+            resources:
+              requests:
+                memory: "64Mi"
+                cpu: "100m"
+              limits:
+                memory: "128Mi"
+                cpu: "200m"

charts/grafana/templates/grafana-statefulset.yaml

@@ -51,6 +51,11 @@ spec:
           GF_LIVE_HA_ENGINE_ADDRESS=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.address')
           GF_LIVE_HA_ENGINE_PASSWORD=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.password')
           export GF_LIVE_HA_ENGINE_ADDRESS GF_LIVE_HA_ENGINE_PASSWORD
+          DRYCC_PASSPORT_TOKEN=$(curl -s -X POST \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "grant_type=client_credentials&client_id=$DRYCC_PASSPORT_KEY&client_secret=$DRYCC_PASSPORT_SECRET" \
+            $DRYCC_PASSPORT_URL/o/token/ | jq -r .access_token)
+          export DRYCC_PASSPORT_TOKEN
           grafana server --config /usr/share/grafana/grafana.ini --homepath /opt/drycc/grafana &
           GRAFANA_PID=$!
           echo "Waiting for Grafana to come up..."
@@ -89,6 +94,11 @@ spec:
           GF_LIVE_HA_ENGINE_ADDRESS=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.address')
           GF_LIVE_HA_ENGINE_PASSWORD=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.password')
           export GF_LIVE_HA_ENGINE_ADDRESS GF_LIVE_HA_ENGINE_PASSWORD
+          DRYCC_PASSPORT_TOKEN=$(curl -s -X POST \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "grant_type=client_credentials&client_id=$DRYCC_PASSPORT_KEY&client_secret=$DRYCC_PASSPORT_SECRET" \
+            $DRYCC_PASSPORT_URL/o/token/ | jq -r .access_token)
+          export DRYCC_PASSPORT_TOKEN
           exec grafana server --config /usr/share/grafana/grafana.ini --homepath /opt/drycc/grafana
         {{- end }}
         {{- with index .Values "resources" }}

rootfs/usr/share/grafana/oauth2/datasources/prometheus.json

@@ -2,16 +2,12 @@
     "name": "Prometheus on Drycc",
     "type": "prometheus",
     "uid": "prometheus_on_drycc",
-    "url": "${controller_url}/v2/prometheus/${workspace}",
+    "url": "http://localhost:4000/proxy/prometheus/${workspace}",
     "access": "proxy",
     "isDefault": true,
     "basicAuth": false,
     "jsonData": {
-        "httpHeaderName1": "Authorization",
         "httpMethod": "POST",
         "timeInterval": "${time_interval}"
-    },
-    "secureJsonData": {
-        "httpHeaderValue1": "Token ${token}"
     }
-}
+}

rootfs/usr/share/grafana/oauth2/datasources/quickwit.json

@@ -2,15 +2,11 @@
     "name": "Application Logs",
     "type": "quickwit-quickwit-datasource",
     "uid": "application_logs",
-    "url": "${controller_url}/v2/quickwit/${workspace}",
+    "url": "http://localhost:4000/proxy/quickwit/${workspace}",
     "access": "proxy",
     "basicAuth": false,
     "jsonData": {
-        "httpHeaderName1": "Authorization",
         "index": "logs-*",
         "logMessageField": "log"
-    },
-    "secureJsonData": {
-        "httpHeaderValue1": "Token ${token}"
     }
 }

rootfs/usr/share/grafana/oauth2/hook/grafana.py

@@ -1,17 +1,16 @@
 import logging
-import os
 import time
 import json
 import httpx
+from pathlib import Path
 from string import Template
 from psycopg import AsyncConnection
+from ..settings import settings
 
 logger = logging.getLogger(__name__)
 
 DEFAULT_HEADERS = {"Content-Type": "application/json"}
-DRYCC_CONTROLLER_URL = os.environ.get('DRYCC_CONTROLLER_URL')
-DRYCC_GRAFANA_REFRESH = os.environ.get('DRYCC_GRAFANA_REFRESH', '60s')
-DRYCC_GRAFANA_DASHBOARD = os.path.join(os.path.dirname(os.path.abspath(__file__)), "../")
+DRYCC_GRAFANA_DASHBOARD = Path(__file__).resolve().parent.parent
 
 # Drycc Workspace role to Grafana role mapping
 DRYCC_WORKSPACE_ROLE_MAPPING = {"admin": "Editor", "member": "Editor", "viewer": "Viewer"}
@@ -107,15 +106,15 @@ async def sync_alerting(context: dict, token: dict, userinfo: dict):
     The alerts field only controls notification channels (handled in sync_default).
     """
     workspace_orgs = context.get("workspace_orgs", {})
-    alerting_path = os.path.join(os.path.dirname(__file__), "..", "alerting")
+    alerting_path = Path(__file__).resolve().parent.parent / "alerting"
 
     for ws_name, ws_info in workspace_orgs.items():
         org_id = ws_info["org_id"]
         ctx = {**context, "org_id": org_id}
 
         async with httpx.AsyncClient() as client:
-            for filename in os.listdir(alerting_path):
-                with open(os.path.join(alerting_path, filename)) as f:
+            for filepath in alerting_path.glob("*.json"):
+                with filepath.open() as f:
                     rule = json.load(f)
                 # Use PUT for idempotent upsert (POST would create duplicates)
                 resp = await client.put(
@@ -135,23 +134,20 @@ async def sync_alerting(context: dict, token: dict, userinfo: dict):
 async def sync_datasources(context: dict, token: dict, userinfo: dict):
     """Create datasources for each workspace org with workspace-specific URLs."""
     workspace_orgs = context.get("workspace_orgs", {})
-    datasources_path = os.path.join(os.path.dirname(__file__), "..", "datasources")
-    drycc_token = context.get("drycc_token")
+    datasources_path = Path(__file__).resolve().parent.parent / "datasources"
 
     for ws_name, ws_info in workspace_orgs.items():
         org_id = ws_info["org_id"]
         ctx = {**context, "org_id": org_id}
         headers = _api_headers(ctx, userinfo)
 
         async with httpx.AsyncClient() as client:
-            for filename in os.listdir(datasources_path):
-                with open(os.path.join(datasources_path, filename)) as f:
+            for filepath in datasources_path.glob("*.json"):
+                with filepath.open() as f:
                     template = Template(f.read())
                     datasource = json.loads(template.substitute(
-                        controller_url=DRYCC_CONTROLLER_URL,
-                        workspace=ws_name,
-                        time_interval=DRYCC_GRAFANA_REFRESH,
-                        token=drycc_token
+                        controller_url=settings.drycc_controller_url,
+                        time_interval=settings.drycc_grafana_refresh
                     ))
                     resp = await client.get(
                         _api_url(f"/api/datasources/name/{datasource['name']}"), headers=headers)
@@ -174,17 +170,17 @@ async def sync_datasources(context: dict, token: dict, userinfo: dict):
 async def sync_dashboards(context: dict, token: dict, userinfo: dict):
     """Create dashboards for each workspace org."""
     workspace_orgs = context.get("workspace_orgs", {})
-    dashboards_path = os.path.join(os.path.dirname(__file__), "..", "dashboards")
+    dashboards_path = Path(__file__).resolve().parent.parent / "dashboards"
 
     for ws_name, ws_info in workspace_orgs.items():
         org_id = ws_info["org_id"]
         ctx = {**context, "org_id": org_id}
 
         async with httpx.AsyncClient() as client:
-            for filename in os.listdir(dashboards_path):
-                with open(os.path.join(dashboards_path, filename)) as f:
+            for filepath in dashboards_path.glob("*.json"):
+                with filepath.open() as f:
                     dashboard = json.load(f)
-                    dashboard.update({"id": None, "refresh": DRYCC_GRAFANA_REFRESH})
+                    dashboard.update({"id": None, "refresh": settings.drycc_grafana_refresh})
                     await client.post(
                         _api_url("/api/dashboards/db"),
                         headers=_api_headers(ctx, userinfo),
@@ -202,12 +198,12 @@ async def sync_dashboards(context: dict, token: dict, userinfo: dict):
 def _api_url(url_path, is_admin=False):
     if is_admin:
         return "http://{}:{}@localhost:{}{}".format(
-            os.environ.get('GF_SECURITY_ADMIN_USER'),
-            os.environ.get('GF_SECURITY_ADMIN_PASSWORD'),
-            os.environ.get('GF_SERVER_HTTP_PORT', 3000),
-            url_path,
+            settings.gf_security_admin_user,
+            settings.gf_security_admin_password,
+            settings.gf_server_http_port,
+            url_path
         )
-    return "http://localhost:{}{}".format(os.environ.get('GF_SERVER_HTTP_PORT', 3000), url_path)
+    return "http://localhost:{}{}".format(settings.gf_server_http_port, url_path)
 
 
 def _api_headers(context: dict, userinfo):
@@ -233,7 +229,7 @@ async def _get_workspaces(drycc_token: str) -> list:
     headers = {"Authorization": f"Token {drycc_token}"}
     async with httpx.AsyncClient() as client:
         resp = await client.get(
-            f"{DRYCC_CONTROLLER_URL}/v2/workspaces", headers=headers)
+            f"{settings.drycc_controller_url}/v2/workspaces", headers=headers)
         resp.raise_for_status()
         return resp.json().get("results", [])
 
@@ -243,7 +239,7 @@ async def _get_workspace_members(workspace_name: str, drycc_token: str) -> list:
     headers = {"Authorization": f"Token {drycc_token}"}
     async with httpx.AsyncClient() as client:
         resp = await client.get(
-            f"{DRYCC_CONTROLLER_URL}/v2/workspaces/{workspace_name}/members",
+            f"{settings.drycc_controller_url}/v2/workspaces/{workspace_name}/members",
             headers=headers)
         resp.raise_for_status()
         return resp.json().get("results", [])
@@ -420,7 +416,7 @@ def _build_alertmanager_config(alert_addresses: str) -> str:
 
 async def _upsert_alert_configuration(org_id: int, config: str):
     """Insert or update alert configuration for an org using parameterized query."""
-    async with await AsyncConnection.connect(os.environ.get("GF_DATABASE_URL")) as conn:
+    async with await AsyncConnection.connect(settings.gf_database_url) as conn:
         async with conn.cursor() as cursor:
             await cursor.execute(
                 """
@@ -438,37 +434,6 @@ async def _upsert_alert_configuration(org_id: int, config: str):
 
 
 async def _get_or_create_drycc_token(username, token: dict):
-    async def _check_or_create_drycc_token(drycc_token, token):
-        async with httpx.AsyncClient() as client:
-            created = False if drycc_token else True
-            if drycc_token:
-                headers = {"Authorization": f"Token {drycc_token}"}
-                resp = await client.get(
-                    f"{DRYCC_CONTROLLER_URL}/v2/auth/whoami", headers=headers)
-                if resp.status_code in [401, 403]:
-                    created = True
-            if created:
-                headers = {"Authorization": f"Bearer {token['access_token']}"}
-                data = (await client.post(
-                    f"{DRYCC_CONTROLLER_URL}/v2/auth/token/?alias=grafana-datasource",
-                    headers=headers, json=token)).json()
-                drycc_token = data["token"]
-            return created, drycc_token
-
-    async with await AsyncConnection.connect(os.environ.get("GF_DATABASE_URL")) as conn:
-        async with conn.cursor() as cursor:
-            await cursor.execute(
-                "SELECT o_auth_id_token FROM user_auth WHERE auth_module=%s AND auth_id=%s",
-                ("authproxy", username)
-            )
-            row = await cursor.fetchone()
-            drycc_token = row[0] if row else None
-        created, drycc_token = await _check_or_create_drycc_token(drycc_token, token)
-        if created:
-            async with conn.cursor() as cursor:
-                await cursor.execute(
-                    "UPDATE user_auth SET o_auth_id_token=%s WHERE auth_module=%s AND auth_id=%s",
-                    (drycc_token, "authproxy", username)
-                )
-                await conn.commit()
-        return created, drycc_token
+    # Pass through the Passport access_token directly, no need for DRF token conversion
+    drycc_token = token.get("access_token")
+    return True, drycc_token