Add LDAP to Alertmanager

This change adds an apache sidecar to the Alertmanager statefulset in order to facillitate authentication to the service. Change-Id: I6e3cfb582251ecd280644439bfbd432a1f86ede3
2020-10-06 11:16:52 +00:00 · 2020-10-06 11:16:52 +00:00 · 72f42ba091
commit 72f42ba091
parent 1884f2c957
9 changed files with 255 additions and 13 deletions
--- a/prometheus-alertmanager/Chart.yaml
+++ b/prometheus-alertmanager/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.20.0
 description: OpenStack-Helm Alertmanager for Prometheus
 name: prometheus-alertmanager
-version: 0.1.2
+version: 0.1.3
 home: https://prometheus.io/docs/alerting/alertmanager/
 sources:
  - https://github.com/prometheus/alertmanager
--- a/prometheus-alertmanager/templates/bin/_apache.sh.tpl
+++ b/prometheus-alertmanager/templates/bin/_apache.sh.tpl
@ -0,0 +1,44 @@
 #!/bin/bash
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 set -exv
 COMMAND="${@:-start}"
 function start () {
  if [ -f /etc/apache2/envvars ]; then
     # Loading Apache2 ENV variables
     source /etc/httpd/apache2/envvars
  fi
  # Apache gets grumpy about PID files pre-existing
  rm -f /etc/httpd/logs/httpd.pid
  if [ -f /usr/local/apache2/conf/.htpasswd ]; then
    htpasswd -b /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
  else
    htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
  fi
  #Launch Apache on Foreground
  exec httpd -DFOREGROUND
 }
 function stop () {
  apachectl -k graceful-stop
 }
 $COMMAND
--- a/prometheus-alertmanager/templates/configmap-bin.yaml
+++ b/prometheus-alertmanager/templates/configmap-bin.yaml
@ -18,8 +18,10 @@ limitations under the License.
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: alertmanager-bin
+  name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
 data:
  apache.sh: |
 {{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  alertmanager.sh: |
 {{ tuple "bin/_alertmanager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  image-repo-sync.sh: |
--- a/prometheus-alertmanager/templates/configmap-etc.yaml
+++ b/prometheus-alertmanager/templates/configmap-etc.yaml
@ -16,13 +16,13 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: alertmanager-etc
+  name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
 data:
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml" "format" "Secret") | indent 2 }}
  alert-templates.tmpl: |
 {{- if .Values.conf.alert_templates }}
-{{ .Values.conf.alert_templates | indent 4 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alert_templates "key" "alert-templates.tmpl" "format" "Secret") | indent 2 }}
 {{- end }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}
--- a/prometheus-alertmanager/templates/ingress-alertmanager.yaml
+++ b/prometheus-alertmanager/templates/ingress-alertmanager.yaml
@ -13,6 +13,6 @@ limitations under the License.
 */}}
 {{- if and .Values.manifests.ingress .Values.network.alertmanager.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "alerts-api" -}}
+{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "http" -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}
--- a/prometheus-alertmanager/templates/secret-admin-user.yaml
+++ b/prometheus-alertmanager/templates/secret-admin-user.yaml
@ -0,0 +1,26 @@
 {{/*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- if .Values.manifests.secret_admin_user }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
 type: Opaque
 data:
  ALERTMANAGER_USERNAME: {{ .Values.endpoints.alertmanager.auth.admin.username | b64enc }}
  ALERTMANAGER_PASSWORD: {{ .Values.endpoints.alertmanager.auth.admin.password | b64enc }}
 {{- end }}
--- a/prometheus-alertmanager/templates/service.yaml
+++ b/prometheus-alertmanager/templates/service.yaml
@ -21,11 +21,11 @@ metadata:
  name: {{ tuple "alertmanager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
  ports:
-  - name: alerts-api
+  - name: http
    port: {{ tuple "alertmanager" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    {{ if .Values.network.alertmanager.node_port.enabled }}
    nodePort: {{ .Values.network.alertmanager.node_port.port }}
    {{ end }}
    port: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  selector:
 {{ tuple $envAll "prometheus-alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  {{ if .Values.network.alertmanager.node_port.enabled }}
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@ -70,6 +70,40 @@ spec:
            - name: alertmanager-data
              mountPath: /var/lib/alertmanager/data
      containers:
        - name: apache-proxy
 {{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "server" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/apache.sh
            - start
          ports:
            - name: http
              containerPort: 80
          env:
            - name: ALERTMANAGER_PORT
              value: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: ALERTMANAGER_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
                  key: ALERTMANAGER_USERNAME
            - name: ALERTMANAGER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
                  key: ALERTMANAGER_PASSWORD
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: alertmanager-bin
              mountPath: /tmp/apache.sh
              subPath: apache.sh
              readOnly: true
            - name: alertmanager-etc
              mountPath: /usr/local/apache2/conf/httpd.conf
              subPath: httpd.conf
              readOnly: true
        - name: prometheus-alertmanager
 {{ tuple $envAll "prometheus-alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -104,10 +138,12 @@ spec:
              mountPath: /tmp
            - name: etc-alertmanager
              mountPath: /etc/config
            {{- if .Values.conf.alert_templates }}
            - name: alertmanager-etc
              mountPath: /etc/alertmanager/template/alert-templates.tmpl
              subPath: alert-templates.tmpl
              readOnly: true
            {{- end }}
            - name: alertmanager-etc
              mountPath: /etc/alertmanager/config.yml
              subPath: config.yml
@ -125,11 +161,12 @@ spec:
        - name: etc-alertmanager
          emptyDir: {}
        - name: alertmanager-etc
-          configMap:
+          secret:
-            name: alertmanager-etc
+            secretName: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
            defaultMode: 0444
        - name: alertmanager-bin
          configMap:
-            name: alertmanager-bin
+            name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
            defaultMode: 0555
 {{ if $mounts_alertmanager.volumes }}{{ toYaml $mounts_alertmanager.volumes | indent 8 }}{{ end }}
 {{- if not .Values.storage.alertmanager.enabled }}
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@ -18,6 +18,7 @@
 ---
 images:
  tags:
    apache_proxy: docker.io/httpd:2.4
    prometheus-alertmanager: docker.io/prom/alertmanager:v0.20.0
    snmpnotifier: docker.io/maxwo/snmp-notifier:v1.0.0
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
@ -49,6 +50,9 @@ pod:
        prometheus_alertmanager_perms:
          runAsUser: 0
          readOnlyRootFilesystem: true
        apache_proxy:
          runAsUser: 0
          readOnlyRootFilesystem: false
        prometheus_alertmanager:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
@ -83,6 +87,13 @@ pod:
        timeout: 30
  resources:
    enabled: false
    apache_proxy:
      limits:
        memory: "1024Mi"
        cpu: "2000m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    alertmanager:
      limits:
        memory: "1024Mi"
@ -123,6 +134,10 @@ endpoints:
  alertmanager:
    name: prometheus-alertmanager
    namespace: null
    auth:
      admin:
        username: admin
        password: changeme
    hosts:
      default: alerts-engine
      public: prometheus-alertmanager
@ -146,6 +161,24 @@ endpoints:
        public: 80
      mesh:
        default: 9094
      http:
        default: 80
  ldap:
    hosts:
      default: ldap
    auth:
      admin:
        bind: "cn=admin,dc=cluster,dc=local"
        password: password
    host_fqdn_override:
      default: null
    path:
      default: "/ou=People,dc=cluster,dc=local"
    scheme:
      default: ldap
    port:
      ldap:
        default: 389
  snmpnotifier:
    name: snmpnotifier
    namespace: null
@ -231,6 +264,7 @@ manifests:
  ingress: true
  job_image_repo_sync: true
  network_policy: false
  secret_admin_user: true
  secret_ingress_tls: true
  service: true
  service_discovery: true
@ -248,6 +282,105 @@ network_policy:
      - {}
 conf:
  httpd: |
    ServerRoot "/usr/local/apache2"
    Listen 80
    LoadModule mpm_event_module modules/mod_mpm_event.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule access_compat_module modules/mod_access_compat.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule proxy_html_module modules/mod_proxy_html.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule env_module modules/mod_env.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule version_module modules/mod_version.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule remoteip_module modules/mod_remoteip.so
    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
    LoadModule unixd_module modules/mod_unixd.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    <IfModule unixd_module>
    User daemon
    Group daemon
    </IfModule>
    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    <Files ".ht*">
        Require all denied
    </Files>
    ErrorLog /dev/stderr
    LogLevel warn
    <IfModule log_config_module>
        LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        <IfModule logio_module>
          LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        </IfModule>
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout common
        CustomLog /dev/stdout combined
        CustomLog /dev/stdout proxy env=forwarded
    </IfModule>
    <Directory "/usr/local/apache2/cgi-bin">
        AllowOverride None
        Options None
        Require all granted
    </Directory>
    <IfModule headers_module>
        RequestHeader unset Proxy early
    </IfModule>
    <IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
    </IfModule>
    <VirtualHost *:80>
      RemoteIPHeader X-Original-Forwarded-For
      <Location />
          ProxyPass http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
          ProxyPassReverse http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
      </Location>
      <Proxy *>
          AuthName "Alertmanager"
          AuthType Basic
          AuthBasicProvider file ldap
          AuthUserFile /usr/local/apache2/conf/.htpasswd
          AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
          AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
          AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
          Require valid-user
      </Proxy>
    </VirtualHost>
  command_flags:
    alertmanager:
      storage.path: /var/lib/alertmanager/data