feat(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

.gitignore

@@ -2,3 +2,5 @@
 *.swp
 *.swo
 .DS_Store
+.sisyphus
+__pycache__

charts/grafana/templates/_helpers.tmpl

@@ -21,11 +21,6 @@ env:
 - name: DRYCC_VALKEY_URL
   value: "redis://:$(DRYCC_VALKEY_PASSWORD)@drycc-valkey:16379/2"
 {{- end }}
-- name: DRYCC_SERVICE_KEY
-  valueFrom:
-    secretKeyRef:
-      name: controller-creds
-      key: service-key
 - name: "DRYCC_CONTROLLER_URL"
   value: http://drycc-controller-api
 - name: "DRYCC_QUICKWIT_URL"
@@ -49,13 +44,20 @@ env:
     secretKeyRef:
       name: passport-creds
       key: drycc-passport-grafana-secret
+- name: DRYCC_PASSPORT_SCOPES
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-grafana-scopes
 {{- else }}
 - name: DRYCC_PASSPORT_URL
   value: "{{ .Values.passportUrl }}"
 - name: DRYCC_PASSPORT_KEY
   value: "{{ .Values.passportKey }}"
 - name: DRYCC_PASSPORT_SECRET
   value: "{{ .Values.passportSecret }}"
+- name: DRYCC_PASSPORT_SCOPES
+  value: "{{ .Values.passportScopes }}"
 {{- end }}
 - name: GF_DATABASE_TYPE
   value: postgres

charts/grafana/templates/grafana-configmap.yaml

@@ -15,6 +15,14 @@ data:
       }
     }
     :80 {
+      # For security reasons, deny external access to internal endpoints.
+      handle /proxy/* {
+        respond "Not Found" 404
+      }
+      handle /alerts/* {
+        respond "Not Found" 404
+      }
+
       handle /oauth2/* {
         reverse_proxy 127.0.0.1:4000
       }

charts/grafana/templates/grafana-cronjob-daily.yaml

@@ -0,0 +1,29 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: grafana-oauth2-token-refresher
+  labels:
+    app: grafana
+    component: token-refresher
+    heritage: drycc
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 3
+      template:
+        metadata:
+          labels:
+            app: grafana
+            component: token-refresher
+        spec:
+          restartPolicy: OnFailure
+          containers:
+          - name: token-refresher
+            image: {{ .Values.imageRegistry }}/{{ .Values.imageOrg }}/grafana:{{ .Values.imageTag }}
+            imagePullPolicy: {{ .Values.imagePullPolicy }}
+            command: ["/usr/bin/env", "python3", "/usr/share/grafana/oauth2/credentials.py"]
+            {{- include "grafana.envs" . | indent 12 }}

charts/grafana/templates/grafana-service.yaml

@@ -25,10 +25,6 @@ spec:
     port: 9094
     targetPort: alerting
     protocol: UDP
-  - name: oauth2-tcp
-    port: 4000
-    targetPort: oauth2
-    protocol: TCP
   - name: proxy-tcp
     port: 80
     targetPort: proxy

charts/grafana/templates/grafana-statefulset.yaml

@@ -158,6 +158,7 @@ spec:
           done
           echo "Grafana is up and running."
           python3 oauth2/main.py \
+            --bind 127.0.0.1 \
             --port 4000 \
             --client-id $(DRYCC_PASSPORT_KEY) \
             --client-secret $(DRYCC_PASSPORT_SECRET) \
@@ -167,32 +168,42 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
-        ports:
-        - containerPort: 4000
-          name: oauth2
         {{- include "grafana.envs" . | indent 8 }}
         {{- if not .Values.diagnosticMode.enabled }}
         livenessProbe:
-          tcpSocket:
-            port: oauth2
+          exec:
+            command:
+            - curl
+            - -fsS
+            - -o
+            - /dev/null
+            - http://127.0.0.1:4000/oauth2/healthz
           initialDelaySeconds: 240
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 6
           successThreshold: 1
         readinessProbe:
-          httpGet:
-            path: /oauth2/healthz
-            port: oauth2
+          exec:
+            command:
+            - curl
+            - -fsS
+            - -o
+            - /dev/null
+            - http://127.0.0.1:4000/oauth2/healthz
           initialDelaySeconds: 30
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 6
           successThreshold: 1
         startupProbe:
-          httpGet:
-            path: /oauth2/healthz
-            port: oauth2
+          exec:
+            command:
+            - curl
+            - -fsS
+            - -o
+            - /dev/null
+            - http://127.0.0.1:4000/oauth2/healthz
           initialDelaySeconds: 30
           periodSeconds: 10
           timeoutSeconds: 5

charts/grafana/values.yaml

@@ -64,10 +64,11 @@ environment: {}
 valkeyUrl: ""
 ## databaseUrl are will no longer use the built-in database component
 databaseUrl: ""
-# The passportUrl, passportKey and passportSecret are will no longer use the built-in passport component
+# The following parameters are used when passport.enabled is false
 passportUrl: ""
 passportKey: ""
 passportSecret: ""
+passportScopes: ""
 # victoriametricsUrl is will no longer use the built-in victoriametrics component
 victoriametricsUrl: ""
 

rootfs/Dockerfile

@@ -4,7 +4,7 @@ FROM registry.drycc.cc/drycc/base:${CODENAME}
 ARG DRYCC_UID=1001 \
   DRYCC_GID=1001 \
   DRYCC_HOME_DIR=/usr/share/grafana \
-  GRAFANA_VERSION="12.4.2" \
+  GRAFANA_VERSION="13.0.1" \
   JQ_VERSION="1.7.1" \
   CADDY_VERSION="2.11.2" \
   PYTHON_VERSION="3.14"

rootfs/usr/share/grafana/oauth2/alerting/pod_cpu.json

@@ -74,7 +74,7 @@
   },
   "isPaused": false,
   "notification_settings": {
-    "receiver": "grafana-default-email"
+    "receiver": "controller-alerts"
   },
   "folderUID": "drycc"
 }

rootfs/usr/share/grafana/oauth2/alerting/pod_memory.json

@@ -75,7 +75,7 @@
   },
   "isPaused": false,
   "notification_settings": {
-    "receiver": "grafana-default-email"
+    "receiver": "controller-alerts"
   },
   "folderUID": "drycc"
 }