nearly there with auth

2022-03-17 16:50:34 +01:00 · 2022-03-17 16:50:34 +01:00 · 9612d666aa
commit 9612d666aa
parent ae8aad0b38
6 changed files with 86 additions and 0 deletions
--- a/monitoring/README.md
+++ b/monitoring/README.md
@ -8,7 +8,13 @@
 ```
 printf $(pass show hosts/swarm.autonomic.zone/minio/secret_key) | docker secret create gp_monitoring_loki_aws_secret_access_key_v1 -
 printf password | docker secret create gp_monitoring_grafana_admin_password_v1 -
+printf <...> | docker secret create gp_monitoring_grafana_oauth_client_secret_v1 -
+
+pwgen -s 64 1; ./scripts/genpw.py # input password & get hashed output for secret
+printf <...> | docker secret create gp_monitoring_prometheus_admin_password_v1 -
+
 set -a && source env && set +a
 docker context use monitor.autonomic.zone
+
 docker stack deploy -c compose.yml gp_monitoring
 ```
--- a/monitoring/compose.yml
+++ b/monitoring/compose.yml
@ -8,6 +8,7 @@ services:
      - grafana-data:/var/lib/grafana:rw
    secrets:
      - grafana_admin_password
+      - grafana_oauth_client_secret
    configs:
      - source: grafana_datasources_yml
        target: /etc/grafana/provisioning/datasources/datasources.yml
@ -19,6 +20,8 @@ services:
        target: /var/lib/grafana/dashboards/docker-swarm-stacks.json
      - source: grafana_traefik_dashboard_json
        target: /var/lib/grafana/dashboards/traefik.json
+      - source: grafana_custom_ini
+        target: /etc/grafana/grafana.ini
    networks:
      - proxy
      - internal
@ -31,6 +34,9 @@ services:
      - GF_INSTALL_PLUGINS=grafana-piechart-panel
      - GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
      - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
+      - KEYCLOAK_API_URL
+      - KEYCLOAK_AUTH_URL
+      - KEYCLOAK_TOKEN_URL
    deploy:
      labels:
        - "traefik.enable=true"
@ -48,11 +54,22 @@ services:

  prometheus:
    image: prom/prometheus:v2.34.0
+    secrets:
+      - prometheus_admin_password
    volumes:
      - prometheus-data:/prometheus:rw
    configs:
      - source: prometheus_yml
        target: /etc/prometheus/prometheus.yml
+      - source: prometheus_web_yml
+        target: /etc/prometheus/prometheus_web.yml
+    command:
+      # https://github.com/prometheus/prometheus/blob/main/Dockerfile
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--web.config.file=/etc/prometheus/prometheus_web.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+      - "--web.console.templates=/usr/share/prometheus/consoles"
    networks:
      - proxy
      - internal
@ -99,10 +116,18 @@ services:
      - LOKI_BUCKET_NAMES

 configs:
+  grafana_custom_ini:
+    template_driver: golang
+    name: ${STACK_NAME}_grafana_custom_ini_${GRAFANA_CUSTOM_INI_VERSION}
+    file: grafana_custom.ini
  prometheus_yml:
    template_driver: golang
    name: ${STACK_NAME}_prometheus_yml_${PROMETHEUS_YML_VERSION}
    file: prometheus.yml.tmpl
+  prometheus_web_yml:
+    template_driver: golang
+    name: ${STACK_NAME}_prometheus_web_yml_${PROMETHEUS_WEB_YML_VERSION}
+    file: prometheus_web.yml.tmpl
  loki_yml:
    template_driver: golang
    name: ${STACK_NAME}_loki_yml_${LOKI_YML_VERSION}
@ -140,3 +165,9 @@ secrets:
  grafana_admin_password:
    external: true
    name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
+  grafana_oauth_client_secret:
+    external: true
+    name: ${STACK_NAME}_grafana_oauth_client_secret_${SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION}
+  prometheus_admin_password:
+    external: true
+    name: ${STACK_NAME}_prometheus_admin_password_${SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION}
--- a/monitoring/env
+++ b/monitoring/env
@ -39,6 +39,14 @@ GRAFANA_DASHBOARDS_YML_VERSION=v1
 GRAFANA_SWARM_DASHBOARD_JSON_VERSION=v1
 GRAFANA_STACKS_DASHBOARD_JSON_VERSION=v1
 GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION=v1
+GRAFANA_CUSTOM_INI_VERSION=v1
+PROMETHEUS_WEB_YML_VERSION=v1
+
+KEYCLOAK_AUTH_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/auth"
+KEYCLOAK_API_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/userinfo"
+KEYCLOAK_TOKEN_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/token"

 SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
 SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
+SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
+SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1
--- a/monitoring/grafana_custom.ini
+++ b/monitoring/grafana_custom.ini
@ -0,0 +1,27 @@
+[analytics]
+reporting_enabled = false
+
+[snapshots]
+external_enabled = false
+
+[users]
+auto_assign_org_role = Admin
+
+[auth]
+disable_login_form = true
+
+[auth.generic_oauth]
+enabled = true
+scopes = openid email profile
+name = id.autonomic.zone
+icon = signin
+tls_skip_verify_insecure = false
+allow_sign_up = true
+client_id = grafana
+client_secret = {{ secret "grafana_oauth_client_secret" }}
+auth_url = {{ env "KEYCLOAK_AUTH_URL" }}
+token_url = {{ env "KEYCLOAK_TOKEN_URL" }}
+api_url = {{ env "KEYCLOAK_API_URL" }}
+
+[auth.basic]
+enabled = false
--- a/monitoring/prometheus_web.yml.tmpl
+++ b/monitoring/prometheus_web.yml.tmpl
@ -0,0 +1,2 @@
+basic_auth_users:
+  admin: {{ secret "prometheus_admin_password" }}
--- a/monitoring/scripts/genpw.py
+++ b/monitoring/scripts/genpw.py
@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+# https://prometheus.io/docs/guides/basic-auth/
+# maya need to `apt install python3-bcrypt`
+
+import getpass
+
+import bcrypt
+
+password = getpass.getpass("password: ")
+hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
+print(hashed_password.decode())