WIP

Author: duanhongyi

charts/grafana/templates/_helpers.tmpl

@@ -21,11 +21,6 @@ env:
 - name: DRYCC_VALKEY_URL
   value: "redis://:$(DRYCC_VALKEY_PASSWORD)@drycc-valkey:16379/2"
 {{- end }}
-- name: DRYCC_SERVICE_KEY
-  valueFrom:
-    secretKeyRef:
-      name: controller-creds
-      key: service-key
 - name: "DRYCC_CONTROLLER_URL"
   value: http://drycc-controller-api
 - name: "DRYCC_QUICKWIT_URL"

charts/grafana/templates/grafana-statefulset.yaml

@@ -51,6 +51,11 @@ spec:
           GF_LIVE_HA_ENGINE_ADDRESS=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.address')
           GF_LIVE_HA_ENGINE_PASSWORD=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.password')
           export GF_LIVE_HA_ENGINE_ADDRESS GF_LIVE_HA_ENGINE_PASSWORD
+          DRYCC_PASSPORT_TOKEN=$(curl -s -X POST \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "grant_type=client_credentials&client_id=$DRYCC_PASSPORT_KEY&client_secret=$DRYCC_PASSPORT_SECRET" \
+            $DRYCC_PASSPORT_URL/o/token/ | jq -r .access_token)
+          export DRYCC_PASSPORT_TOKEN
           grafana server --config /usr/share/grafana/grafana.ini --homepath /opt/drycc/grafana &
           GRAFANA_PID=$!
           echo "Waiting for Grafana to come up..."
@@ -89,6 +94,11 @@ spec:
           GF_LIVE_HA_ENGINE_ADDRESS=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.address')
           GF_LIVE_HA_ENGINE_PASSWORD=$(echo "${DRYCC_VALKEY_JSON}" |jq -r '.password')
           export GF_LIVE_HA_ENGINE_ADDRESS GF_LIVE_HA_ENGINE_PASSWORD
+          DRYCC_PASSPORT_TOKEN=$(curl -s -X POST \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -d "grant_type=client_credentials&client_id=$DRYCC_PASSPORT_KEY&client_secret=$DRYCC_PASSPORT_SECRET" \
+            $DRYCC_PASSPORT_URL/o/token/ | jq -r .access_token)
+          export DRYCC_PASSPORT_TOKEN
           exec grafana server --config /usr/share/grafana/grafana.ini --homepath /opt/drycc/grafana
         {{- end }}
         {{- with index .Values "resources" }}

rootfs/usr/share/grafana/oauth2/hook/grafana.py

@@ -438,37 +438,6 @@ async def _upsert_alert_configuration(org_id: int, config: str):
 
 
 async def _get_or_create_drycc_token(username, token: dict):
-    async def _check_or_create_drycc_token(drycc_token, token):
-        async with httpx.AsyncClient() as client:
-            created = False if drycc_token else True
-            if drycc_token:
-                headers = {"Authorization": f"Token {drycc_token}"}
-                resp = await client.get(
-                    f"{DRYCC_CONTROLLER_URL}/v2/auth/whoami", headers=headers)
-                if resp.status_code in [401, 403]:
-                    created = True
-            if created:
-                headers = {"Authorization": f"Bearer {token['access_token']}"}
-                data = (await client.post(
-                    f"{DRYCC_CONTROLLER_URL}/v2/auth/token/?alias=grafana-datasource",
-                    headers=headers, json=token)).json()
-                drycc_token = data["token"]
-            return created, drycc_token
-
-    async with await AsyncConnection.connect(os.environ.get("GF_DATABASE_URL")) as conn:
-        async with conn.cursor() as cursor:
-            await cursor.execute(
-                "SELECT o_auth_id_token FROM user_auth WHERE auth_module=%s AND auth_id=%s",
-                ("authproxy", username)
-            )
-            row = await cursor.fetchone()
-            drycc_token = row[0] if row else None
-        created, drycc_token = await _check_or_create_drycc_token(drycc_token, token)
-        if created:
-            async with conn.cursor() as cursor:
-                await cursor.execute(
-                    "UPDATE user_auth SET o_auth_id_token=%s WHERE auth_module=%s AND auth_id=%s",
-                    (drycc_token, "authproxy", username)
-                )
-                await conn.commit()
-        return created, drycc_token
+    # Pass through the Passport access_token directly, no need for DRF token conversion
+    drycc_token = token.get("access_token")
+    return True, drycc_token

rootfs/usr/share/grafana/provisioning/datasources/drycc.yaml

@@ -7,11 +7,11 @@ datasources:
   uid: application_logs
   url: $DRYCC_QUICKWIT_URL
   jsonData:
-    httpHeaderName1: X-Drycc-Service-Key
+    httpHeaderName1: Authorization
     index: logs-*
     logMessageField: log
   secureJsonData:
-    httpHeaderValue1: $DRYCC_SERVICE_KEY
+    httpHeaderValue1: Bearer $DRYCC_PASSPORT_TOKEN
   version: 1
   editable: false
 
@@ -24,8 +24,8 @@ datasources:
   isDefault: true
   jsonData:
     httpMethod: POST
-    httpHeaderName1: X-Drycc-Service-Key
+    httpHeaderName1: Authorization
   secureJsonData:
-    httpHeaderValue1: $DRYCC_SERVICE_KEY
+    httpHeaderValue1: Bearer $DRYCC_PASSPORT_TOKEN
   version: 1
   editable: false