From 5cd2ee59555851d60e3b201de2ddf4dc6916702e Mon Sep 17 00:00:00 2001 From: lijianguo Date: Wed, 18 Aug 2021 10:09:27 +0800 Subject: [PATCH] chore(oauth): user oauth passport
---
 charts/monitor/templates/_helpers.tmpl | 63 +++++++++++++++++++ .../templates/monitor-grafana-deployment.yaml | 39 +----------- .../rootfs/usr/share/grafana/grafana.ini.tpl | 19 ++++++ 3 files changed, 83 insertions(+), 38 deletions(-) create mode 100644 charts/monitor/templates/_helpers.tmpl
diff --git a/charts/monitor/templates/_helpers.tmpl b/charts/monitor/templates/_helpers.tmpl
new file mode 100644
index 0000000..843384f
--- /dev/null
+++ b/charts/monitor/templates/_helpers.tmpl
@@ -0,0 +1,63 @@
+{{/* Generate monitor grafana envs */}}
+{{- define "grafana.envs" }}
+env:
+{{- if eq .Values.global.influxdb_location "off-cluster" }}
+- name: "INFLUXDB_URL"
+ valueFrom:
+ secretKeyRef:
+ name: influxdb-creds
+ key: url
+{{- else }}
+- name: "INFLUXDB_URL"
+ value: http://$(DRYCC_INFLUXDB_SERVICE_HOST):$(DRYCC_INFLUXDB_SERVICE_PORT_TRANSPORT)
+{{- end }}
+- name: "INFLUXDB_BUCKET"
+ valueFrom:
+ secretKeyRef:
+ name: influxdb-creds
+ key: bucket
+- name: "INFLUXDB_ORG"
+ valueFrom:
+ secretKeyRef:
+ name: influxdb-creds
+ key: org
+- name: "INFLUXDB_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: influxdb-creds
+ key: token
+- name: "BIND_PORT"
+ value: "3000"
+- name: "DEFAULT_USER"
+ value: {{.Values.grafana.user}}
+- name: "DEFAULT_USER_PASSWORD"
+ value: {{.Values.grafana.password}}
+- name: "KUBERNETES_CLUSTER_DOMAIN"
+ value: {{.Values.global.cluster_domain}}
+{{- range $key, $value := .Values.grafana.environment }}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{- end }}
+- name: "DRYCC_GRAFANA_DOMAIN"
+ value: http://drycc-monitor-grafana.{{ .Values.global.platform_domain }}
+- name: "DRYCC_PASSPORT_DOMAIN"
+ value: http://drycc-passport.{{ .Values.global.platform_domain }}
+- name: "SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL"
+ value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/authorize/"
+- name: "SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL"
+ value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/token/"
+- name: "SOCIAL_AUTH_DRYCC_ACCESS_API_URL"
+ value: "$(DRYCC_PASSPORT_DOMAIN)"
+- name: "SOCIAL_AUTH_DRYCC_USERINFO_URL"
+ value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/userinfo/"
+- name: SOCIAL_AUTH_DRYCC_GRAFANA_KEY
+ valueFrom:
+ secretKeyRef:
+ name: passport-creds
+ key: social-auth-drycc-grafana-key
+- name: SOCIAL_AUTH_DRYCC_GRAFANA_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: passport-creds
+ key: social-auth-drycc-grafana-secret
+{{- end }}
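Review bot: `DRYCC_PASSPORT_DOMAIN` and `DRYCC_GRAFANA_DOMAIN` are hard-coded to `http://`, so the authorize redirect, the token exchange that carries the client secret, and the userinfo call built from them all travel in cleartext. Build both with `https://` (or a scheme taken from values) and quote the rendered value, e.g. `value: "https://drycc-passport.{{ .Values.global.platform_domain }}"`. Separately, the two `passport-creds` secretKeyRef entries are mandatory, while grafana.ini.tpl treats OAuth as optional through `{{ if .SOCIAL_AUTH_DRYCC_GRAFANA_KEY }}`. If optional is the intent, add `optional: true` to both refs so the pod still starts when the secret is absent.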
diff --git a/charts/monitor/templates/monitor-grafana-deployment.yaml b/charts/monitor/templates/monitor-grafana-deployment.yaml index 962d2fa..fc0a804 100644 --- a/charts/monitor/templates/monitor-grafana-deployment.yaml +++ b/charts/monitor/templates/monitor-grafana-deployment.yaml @@ -36,47 +36,10 @@ spec: memory: {{.Values.grafana.limits_memory}} {{- end}} {{- end}} - env: - {{- if eq .Values.global.influxdb_location "off-cluster" }} - - name: "INFLUXDB_URL" - valueFrom: - secretKeyRef: - name: influxdb-creds - key: url - {{- else }} - - name: "INFLUXDB_URL" - value: http://$(DRYCC_INFLUXDB_SERVICE_HOST):$(DRYCC_INFLUXDB_SERVICE_PORT_TRANSPORT) - {{- end }} - - name: "INFLUXDB_BUCKET" - valueFrom: - secretKeyRef: - name: influxdb-creds - key: bucket - - name: "INFLUXDB_ORG" - valueFrom: - secretKeyRef: - name: influxdb-creds - key: org - - name: "INFLUXDB_TOKEN" - valueFrom: - secretKeyRef: - name: influxdb-creds - key: token - - name: "BIND_PORT" - value: "3000" - - name: "DEFAULT_USER" - value: {{.Values.grafana.user}} - - name: "DEFAULT_USER_PASSWORD" - value: {{.Values.grafana.password}} - - name: "KUBERNETES_CLUSTER_DOMAIN" - value: {{.Values.global.cluster_domain}} - {{- range $key, $value := .Values.grafana.environment }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} ports: - containerPort: 3000 name: ui + {{- include "grafana.envs" . | indent 8 }} {{- if .Values.grafana.persistence.enabled }} volumeMounts: - name: grafana-data diff --git a/grafana/rootfs/usr/share/grafana/grafana.ini.tpl b/grafana/rootfs/usr/share/grafana/grafana.ini.tpl index 2db011d..03d6f72 100644 --- a/grafana/rootfs/usr/share/grafana/grafana.ini.tpl +++ b/grafana/rootfs/usr/share/grafana/grafana.ini.tpl 
@@ -226,6 +226,25 @@ enabled = true config_file = "/usr/share/grafana/ldap.toml" {{ end }} +#################################### Generic Oauth ########################## +[auth.generic_oauth] +{{ if .SOCIAL_AUTH_DRYCC_GRAFANA_KEY }} +name = OAuth +enabled = true +client_id = {{ .SOCIAL_AUTH_DRYCC_GRAFANA_KEY }} +client_secret = {{ .SOCIAL_AUTH_DRYCC_GRAFANA_SECRET }} +scopes = profile,openid +auth_url = {{ .SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL }} +token_url = {{ .SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL }} +api_url = {{ .SOCIAL_AUTH_DRYCC_USERINFO_URL }} +allow_sign_up = true +tls_skip_verify_insecure = true + +[server] +root_url = {{ .DRYCC_GRAFANA_DOMAIN }} + +{{ end }} + #################################### SMTP / Emailing ########################## [smtp] {{ if .SMTP }}
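Review bot: `tls_skip_verify_insecure = true` in the new `[auth.generic_oauth]` block turns off certificate verification for Grafana's calls to the passport token and userinfo endpoints, so the `client_secret` and the returned tokens can be read or altered by anyone on that network path. Grafana's default for this option is false; drop the line or set `tls_skip_verify_insecure = false`, and if passport uses a private CA, trust it through `tls_client_ca` rather than skipping verification. The helper in charts/monitor/templates/_helpers.tmpl also builds the passport URLs with `http://`, which should move to `https://` in the same change. `allow_sign_up = true` gives every account that passport authenticates a Grafana user, so a comment such as `# any passport user may sign in; restrict via role mapping if needed` would record that this is intended.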