chore(passport): create grafana oauth app

Author: lijianguo

charts/passport/templates/_helpers.tpl

@@ -38,6 +38,22 @@ env:
   value: {{ .Values.admin_password | default "admin" | quote }}
 - name: ADMIN_EMAIL
   value: {{ .Values.admin_email | default "admin@email.com" | quote }}
+{{- if eq .Values.global.grafana_location "on-cluster" }}
+- name: "DRYCC_MONITOR_GRAFANA_DOMAIN"
+  value: http://drycc-monitor-grafana.{{ .Values.global.platform_domain }}
+- name: GRAFANA_ON_CLUSTER
+  value: "true"
+- name: SOCIAL_AUTH_DRYCC_GRAFANA_KEY
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: social-auth-drycc-grafana-key
+- name: SOCIAL_AUTH_DRYCC_GRAFANA_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: social-auth-drycc-grafana-secret
+{{- end }}
 {{- if (.Values.database_url) }}
 - name: DRYCC_DATABASE_URL
   valueFrom:

charts/passport/templates/passport-secret-creds.yaml

@@ -14,5 +14,9 @@ data:
   django-secret-key: {{ randAscii 64 | b64enc }}
   social-auth-drycc-controller-key: {{ randAlphaNum 40 | b64enc }}
   social-auth-drycc-controller-secret: {{ randAlphaNum 64 | b64enc }}
+  {{- if eq .Values.global.grafana_location "on-cluster" }}
+  social-auth-drycc-grafana-key: {{ randAlphaNum 40 | b64enc }}
+  social-auth-drycc-grafana-secret: {{ randAlphaNum 64 | b64enc }}
+  {{- end }}
   oidc-rsa-private-key: "{{genPrivateKey "rsa" | b64enc}}"
 {{- end }}

charts/passport/values.yaml

@@ -44,6 +44,13 @@ admin_password: "admin"
 admin_email: "admin@email.com"
 
 global:
+  # Set the location of Workflow's grafana instance
+  #
+  # Valid values are:
+  # - on-cluster: Run Grafana within the Kubernetes cluster
+  # - off-cluster: Grafana is running outside of the cluster
+  grafana_location: "on-cluster"
+
   # Admin email, used for each component to send email to administrator
   email: "drycc@drycc.cc"
   # Set the location of Workflow's PostgreSQL database

rootfs/api/management/commands/create_oauth2_application.py

@@ -8,32 +8,42 @@ class Command(BaseCommand):
     """Management command for create Oauth2 application"""
 
     def handle(self, *args, **options):
-        client_id = os.environ.get(
-            'SOCIAL_AUTH_DRYCC_CONTROLLER_KEY') if os.environ.get(
-            'SOCIAL_AUTH_DRYCC_CONTROLLER_KEY') else None
-        client_secret = os.environ.get(
-            'SOCIAL_AUTH_DRYCC_CONTROLLER_SECRET') if os.environ.get(
-            'SOCIAL_AUTH_DRYCC_CONTROLLER_SECRET') else None
-        controller_domain = os.environ.get('DRYCC_CONTROLLER_DOMAIN')
-        if not all([client_id, client_secret, controller_domain]):
-            self.stdout.write('client_id or client_secret non-existent')
-            return
-        user = User.objects.filter(is_superuser=True).first()
-        if not user:
-            self.stdout.write("Cannot create because there is no superuser")
-        application, updated = Application.objects.update_or_create(
-            name='Drycc Controller',
-            defaults={
-                'client_id': client_id,
-                'client_secret': client_secret,
-                'user': user,
-                'redirect_uris': f'{controller_domain}/v2/complete/drycc/',
-                'authorization_grant_type': 'authorization-code',
-                'client_type': 'Public',
-                'algorithm': 'RS256'
-            }
-        )
-        if updated:
-            self.stdout.write('Drycc controller app created')
-        else:
-            self.stdout.write("Drycc controller app updated")
+        app_list = [{
+            "name": "CONTROLLER",
+            "redirect_uri": f"{os.environ.get('DRYCC_CONTROLLER_DOMAIN')}/v2/complete/drycc/"  # noqa
+        }]
+        if os.environ.get('GRAFANA_ON_CLUSTER') == "true":
+            app_list.append({
+                "name": "GRAFANA",
+                 "redirect_uri": f"{os.environ.get('DRYCC_MONITOR_GRAFANA_DOMAIN')}/login/generic_oauth"  # noqa
+            })
+
+        for app in app_list:
+            client_id = os.environ.get(
+                f'SOCIAL_AUTH_DRYCC_{app["name"]}_KEY') if os.environ.get(
+                f'SOCIAL_AUTH_DRYCC_{app["name"]}_KEY') else None
+            client_secret = os.environ.get(
+                f'SOCIAL_AUTH_DRYCC_{app["name"]}_SECRET') if os.environ.get(
+                f'SOCIAL_AUTH_DRYCC_{app["name"]}_SECRET') else None
+            if not all([client_id, client_secret]):
+                self.stdout.write('client_id or client_secret non-existent')
+                return
+            user = User.objects.filter(is_superuser=True).first()
+            if not user:
+                self.stdout.write("Cannot create because there is no superuser")
+            application, updated = Application.objects.update_or_create(
+                name='Drycc ' + app["name"].title(),
+                defaults={
+                    'client_id': client_id,
+                    'client_secret': client_secret,
+                    'user': user,
+                    'redirect_uris': app["redirect_uri"],
+                    'authorization_grant_type': 'authorization-code',
+                    'client_type': 'Public',
+                    'algorithm': 'RS256'
+                }
+            )
+            if updated:
+                self.stdout.write(f'Drycc {app["name"]} app created')
+            else:
+                self.stdout.write(f'Drycc {app["name"]} app updated')