Merge "feat(ldap): adds ldap support for Grafana"

2021-01-25 18:28:35 +00:00 · 2021-01-25 18:28:35 +00:00 · 72d0f3fab4
commit 72d0f3fab4
parent f119c923fa 406c024b59
13 changed files with 697 additions and 353 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,6 @@ doc/source/_build
 .idea/
 tools/deployment/vagrant/.vagrant
 # Helm dependencies lock file
 Chart.lock
--- a/charts/loki/.helmignore
+++ b/charts/loki/.helmignore
@ -0,0 +1 @@
 values_overrides
--- a/charts/loki/Chart.yaml
+++ b/charts/loki/Chart.yaml
@ -0,0 +1,10 @@
 apiVersion: v2
 name: loki
 description: Loki
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
  - name: loki-stack
    version: "2.3.1"
    repository: "https://grafana.github.io/helm-charts"
--- a/charts/loki/bin/grafana-ldap-test.sh
+++ b/charts/loki/bin/grafana-ldap-test.sh
@ -0,0 +1,21 @@
 #!/bin/sh
 set -xe
 test_status() {
  curl --head --show-error --silent --fail --location --insecure --request GET \
    --netrc-file $1 \
    -H "accept: application/json" \
    -H "content-type: application/json" \
    ${GRAFANA_URI}/api/org | head -n 1 | awk '{print $2}'
 }
 if [ "$(test_status /etc/loki/good_ldap.rc)" -ne "200" ]; then
  echo "expected 200"
  exit 1
 fi
 if [ "$(test_status /etc/loki/bad_ldap.rc)" -ne "401" ]; then
  echo "expected 401"
  exit 1
 fi
--- a/charts/loki/templates/configmap-loki_ldap.yaml
+++ b/charts/loki/templates/configmap-loki_ldap.yaml
@ -0,0 +1,12 @@
 {{- define "configmap-loki_ldap" -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: loki-ldap-bin
 data:
  grafana-ldap-test.sh: |
    {{- tpl (.Files.Get "bin/grafana-ldap-test.sh") . | nindent 4 }}
 {{- end -}}
 {{- if (index $.Values "loki-stack" "grafana" "ldap" "enabled") }}
 {{- include "helpers.template.overlay" (dict "Global" $ "template_definition" "configmap-loki_ldap") }}
 {{- end }}
--- a/charts/loki/templates/helpers/_label.tpl
+++ b/charts/loki/templates/helpers/_label.tpl
@ -0,0 +1,65 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "helpers.labels.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "helpers.labels.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "helpers.labels.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Labels to use on {deploy|sts}.spec.selector.matchLabels and svc.spec.selector
 */}}
 {{- define "helpers.labels.matchLabels" -}}
 {{- $Global := index . "Global" -}}
 {{- $Component := index . "Component" -}}
 app.kubernetes.io/name: {{ include "helpers.labels.name" $Global }}
 app.kubernetes.io/instance: {{ $Global.Values.release_group | default $Global.Release.Name }}
 {{- if $Component }}
 app.kubernetes.io/component: {{ $Component }}
 {{- end }}
 {{- end -}}
 {{/*
 Common labels
 */}}
 {{- define "helpers.labels.labels" -}}
 {{- $Global := index . "Global" -}}
 {{- $PartOf := index . "PartOf" -}}
 {{- $Component := index . "Component" -}}
 {{- $Version := index . "Version" -}}
 {{ include "helpers.labels.matchLabels" (dict "Global" $Global )}}
 app.kubernetes.io/managed-by: {{ $Global.Release.Service }}
 {{- if $PartOf }}
 app.kubernetes.io/part-of: {{ $PartOf }}
 {{- end }}
 {{- if $Component }}
 app.kubernetes.io/component: {{ $Component }}
 {{- end }}
 {{- if $Version }}
 app.kubernetes.io/version: {{ $Version }}
 {{- end }}
 helm.sh/chart: {{ include "helpers.labels.chart" $Global }}
 {{- end -}}
--- a/charts/loki/templates/helpers/_pod.tpl
+++ b/charts/loki/templates/helpers/_pod.tpl
@ -0,0 +1,21 @@
 {{- define "helpers.pod.container.image" -}}
  {{- $Global := index . "Global" -}}
  {{- $Application := index . "Application" -}}
  {{- with index $.Global.Values.images.applications $Application -}}
    {{- printf "%s/%s:%s" .repo .name ( .tag | toString ) | quote -}}
  {{- end -}}
 {{- end -}}
 {{- define "helpers.pod.node_selector" -}}
  {{- $Global := index . "Global" -}}
  {{- $Application := index . "Application" -}}
  {{- with index $.Global.Values.node_labels $Application -}}
    {{- if kindIs "slice" . -}}
      {{- range $k, $item := . }}
 {{ $item.key }}: {{ $item.value | quote }}
      {{- end }}
    {{- else -}}
 {{ .key }}: {{ .value | quote }}
    {{- end }}
  {{- end -}}
 {{- end -}}
--- a/charts/loki/templates/helpers/_template.tpl
+++ b/charts/loki/templates/helpers/_template.tpl
@ -0,0 +1,107 @@
 {{- define "helpers.template.overlay" -}}
  {{- $local := dict -}}
  {{/*
  By default we merge lists with a 'name' key's values
  */}}
  {{- $_ := set $local "merge_same_named" true -}}
  {{- if kindIs "map" $ -}}
    {{- if hasKey $ "merge_same_named" -}}
      {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
    {{- end -}}
  {{- end -}}
  {{- $_ := set $local "input" ( fromYaml ( toString ( include $.template_definition $.Global ) ) )  -}}
  {{- $target := dict -}}
  {{- $overlay_keys := regexSplit "-+" ( trimSuffix ".yaml" ( lower ( base $.Global.Template.Name ) ) ) 2 }}
  {{- $_ := set $local "overlay" dict -}}
  {{- if hasKey $.Global.Values.over_rides ( index $overlay_keys 0 ) -}}
    {{- if hasKey ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ) ( index $overlay_keys 1 ) -}}
      {{- $_ := set $local "overlay" ( index $.Global.Values.over_rides ( index $overlay_keys 0 ) ( index $overlay_keys 1 ) )  -}}
    {{- end }}
  {{- end }}
  {{- range $item := tuple $local.input $local.overlay -}}
    {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
    {{- $_ := include "helpers._merge" $call -}}
    {{- $_ := set $local "result" $call.result -}}
  {{- end -}}
  {{- if kindIs "map" $ -}}
    {{- $_ := set $ "result" $local.result -}}
  {{- end -}}
  {{ $target | toYaml }}
 {{- end -}}
 {{- define "helpers._merge" -}}
  {{- $local := dict -}}
  {{- $_ := set $ "result" $.source -}}
  {{/*
  TODO: Should we `fail` when trying to merge a collection (map or slice) with
  either a different kind of collection or a scalar?
  */}}
  {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
    {{- range $key, $sourceValue := $.source -}}
      {{- if not (hasKey $.target $key) -}}
        {{- $_ := set $local "newTargetValue" $sourceValue -}}
        {{- if kindIs "map" $sourceValue -}}
          {{- $copy := dict -}}
          {{- $call := dict "target" $copy "source" $sourceValue -}}
          {{- $_ := include "helpers._merge.shallow" $call -}}
          {{- $_ := set $local "newTargetValue" $copy -}}
        {{- end -}}
      {{- else -}}
        {{- $targetValue := index $.target $key -}}
        {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
        {{- $_ := include "helpers._merge" $call -}}
        {{- $_ := set $local "newTargetValue" $call.result -}}
      {{- end -}}
      {{- $_ := set $.target $key $local.newTargetValue -}}
    {{- end -}}
    {{- $_ := set $ "result" $.target -}}
  {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
    {{- $call := dict "target" $.target "source" $.source -}}
    {{- $_ := include "helpers._merge.append_slice" $call -}}
    {{- if $.merge_same_named -}}
      {{- $_ := set $local "result" list -}}
      {{- $_ := set $local "named_items" dict -}}
      {{- range $item := $call.result -}}
      {{- $_ := set $local "has_name_key" false -}}
        {{- if kindIs "map" $item -}}
          {{- if hasKey $item "name" -}}
            {{- $_ := set $local "has_name_key" true -}}
          {{- end -}}
        {{- end -}}
        {{- if $local.has_name_key -}}
          {{- if hasKey $local.named_items $item.name -}}
            {{- $named_item := index $local.named_items $item.name -}}
            {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
            {{- $_ := include "helpers._merge" $call -}}
          {{- else -}}
            {{- $copy := dict -}}
            {{- $copy_call := dict "target" $copy "source" $item -}}
            {{- $_ := include "helpers._merge.shallow" $copy_call -}}
            {{- $_ := set $local.named_items $item.name $copy -}}
            {{- $_ := set $local "result" (append $local.result $copy) -}}
          {{- end -}}
        {{- else -}}
          {{- $_ := set $local "result" (append $local.result $item) -}}
        {{- end -}}
      {{- end -}}
    {{- else -}}
      {{- $_ := set $local "result" $call.result -}}
    {{- end -}}
    {{- $_ := set $ "result" (uniq $local.result) -}}
  {{- end -}}
 {{- end -}}
 {{- define "helpers._merge.shallow" -}}
  {{- range $key, $value := $.source -}}
    {{- $_ := set $.target $key $value -}}
  {{- end -}}
 {{- end -}}
 {{- define "helpers._merge.append_slice" -}}
  {{- $local := dict -}}
  {{- $_ := set $local "result" $.target -}}
  {{- range $value := $.source -}}
    {{- $_ := set $local "result" (append $local.result $value) -}}
  {{- end -}}
  {{- $_ := set $ "result" $local.result -}}
 {{- end -}}
--- a/charts/loki/templates/secret-netrc.yaml
+++ b/charts/loki/templates/secret-netrc.yaml
@ -0,0 +1,14 @@
 {{- define "secret-netrc" -}}
 {{- $p := urlParse $.Values.config.test.grafana_uri -}}
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
  name: loki-netrc
 data:
  good_ldap.rc: {{ b64enc ( printf "machine %s login %s password %s" $p.host $.Values.config.test.ldap_username $.Values.config.test.ldap_password ) }}
  bad_ldap.rc: {{ b64enc ( printf "machine %s login %s password %s" $p.host $.Values.config.test.ldap_username ( randAlphaNum 10 ) ) }}
 {{- end -}}
 {{- if (index $.Values "loki-stack" "grafana" "ldap" "enabled") }}
 {{- include "helpers.template.overlay" (dict "Global" $ "template_definition" "secret-netrc") }}
 {{- end }}
--- a/charts/loki/templates/tests/test-grafana_ldap.yaml
+++ b/charts/loki/templates/tests/test-grafana_ldap.yaml
@ -0,0 +1,43 @@
 {{- define "test-grafana_ldap" -}}
 apiVersion: v1
 kind: Pod
 metadata:
  name: grafana-ldap-test
  labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "grafana" ) | nindent 4 }}
  annotations:
    "helm.sh/hook": test
 spec:
  restartPolicy: Never
  containers:
    - name: grafana-ldap-test
      image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "grafana_ldap_test" ) }}
      imagePullPolicy: {{ $.Values.images.pull.policy | quote }}
      env:
        - name: GRAFANA_URI
          value: {{ $.Values.config.test.grafana_uri | quote }}
      command:
        - /tmp/grafana-ldap-test.sh
      volumeMounts:
        - name: pod-tmp
          mountPath: /tmp
        - name: loki-bin
          mountPath: /tmp/grafana-ldap-test.sh
          subPath: grafana-ldap-test.sh
          readOnly: true
        - name: netrc
          mountPath: /etc/loki
          readOnly: true
  volumes:
    - name: pod-tmp
      emptyDir: {}
    - name: netrc
      secret:
        secretName: loki-netrc
    - name: loki-bin
      configMap:
        name: loki-ldap-bin
        defaultMode: 0555
 {{- end -}}
 {{- if (index $.Values "loki-stack" "grafana" "ldap" "enabled") }}
 {{- include "helpers.template.overlay" (dict "Global" $ "template_definition" "test-grafana_ldap") }}
 {{- end }}
--- a/charts/loki/values.yaml
+++ b/charts/loki/values.yaml
@ -0,0 +1,18 @@
 config:
  test:
    ldap_username: jarvis
    ldap_password: password
    grafana_uri: http://loki-grafana.loki.svc.cluster.local
 params: {}
 images:
  applications:
    grafana_ldap_test:
      name: curl
      repo: quay.io/stannum
      tag: 7.74.0
  pull:
    policy: IfNotPresent
 over_rides: {}
--- a/charts/loki/values_overrides/default.yaml
+++ b/charts/loki/values_overrides/default.yaml
@ -1,4 +1,5 @@
-loki:
+loki-stack:
  loki:
    enabled: true
    persistence:
      enabled: true
@ -14,10 +15,10 @@ loki:
          hosts:
            - loki.jarvis.local
-promtail:
+  promtail:
    enabled: true
-grafana:
+  grafana:
    adminPassword: password
    enabled: true
    persistence:
@ -27,6 +28,30 @@ grafana:
        enabled: true
        org_name: Main Org.
        org_role: Viewer
      auth.ldap:
        enabled: true
    ldap:
      enabled: true
      config: |-
        [[servers]]
        host = "ldap-openldap.ldap.svc.cluster.local"
        port = 389
        use_ssl = false
        start_tls = false
        ssl_skip_verify = false
        bind_dn = "cn=readonly,dc=jarvis,dc=local"
        bind_password = "readonly"
        search_base_dns = ["dc=jarvis,dc=local"]
        search_filter = "(uid=%s)"
        [[servers.group_mappings]]
        group_dn = "cn=jarvis-admins,ou=Groups,dc=jarvis,dc=local"
        org_role = "Admin"
        grafana_admin = true
        [[servers.group_mappings]]
        group_dn = "*"
        org_role = "Viewer"
        [servers.attributes]
        email = "mail"
    ingress:
      enabled: true
      path: /
--- a/tools/gate/jarvis/300-deploy-loki.sh
+++ b/tools/gate/jarvis/300-deploy-loki.sh
@ -1,7 +1,9 @@
 #!/bin/bash
 set -ex
-helm repo add grafana https://grafana.github.io/helm-charts
+cd ./charts/loki
 helm dep up
 cd -
 # shellcheck disable=SC2046
 helm upgrade \
@ -9,7 +11,9 @@ helm upgrade \
    --install \
    --namespace=loki \
    loki \
-    grafana/loki-stack \
+    ./charts/loki \
    $(./tools/deployment/common/get-values-overrides.sh loki)
 ./tools/deployment/common/wait-for-pods.sh loki
 helm -n loki test loki --logs