nearly there with auth
This commit is contained in:
decentral1se
parent
ae8aad0b38
commit
9612d666aa
|
|
@ -8,7 +8,13 @@
|
|||
```
|
||||
printf $(pass show hosts/swarm.autonomic.zone/minio/secret_key) | docker secret create gp_monitoring_loki_aws_secret_access_key_v1 -
|
||||
printf password | docker secret create gp_monitoring_grafana_admin_password_v1 -
|
||||
printf <...> | docker secret create gp_monitoring_grafana_oauth_client_secret_v1 -
|
||||
|
||||
pwgen -s 64 1; ./scripts/genpw.py # input password & get hashed output for secret
|
||||
printf <...> | docker secret create gp_monitoring_prometheus_admin_password_v1 -
|
||||
|
||||
set -a && source env && set +a
|
||||
docker context use monitor.autonomic.zone
|
||||
|
||||
docker stack deploy -c compose.yml gp_monitoring
|
||||
```
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ services:
|
|||
- grafana-data:/var/lib/grafana:rw
|
||||
secrets:
|
||||
- grafana_admin_password
|
||||
- grafana_oauth_client_secret
|
||||
configs:
|
||||
- source: grafana_datasources_yml
|
||||
target: /etc/grafana/provisioning/datasources/datasources.yml
|
||||
|
|
@ -19,6 +20,8 @@ services:
|
|||
target: /var/lib/grafana/dashboards/docker-swarm-stacks.json
|
||||
- source: grafana_traefik_dashboard_json
|
||||
target: /var/lib/grafana/dashboards/traefik.json
|
||||
- source: grafana_custom_ini
|
||||
target: /etc/grafana/grafana.ini
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
|
|
@ -31,6 +34,9 @@ services:
|
|||
- GF_INSTALL_PLUGINS=grafana-piechart-panel
|
||||
- GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
|
||||
- GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
|
||||
- KEYCLOAK_API_URL
|
||||
- KEYCLOAK_AUTH_URL
|
||||
- KEYCLOAK_TOKEN_URL
|
||||
deploy:
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
|
|
@ -48,11 +54,22 @@ services:
|
|||
|
||||
prometheus:
|
||||
image: prom/prometheus:v2.34.0
|
||||
secrets:
|
||||
- prometheus_admin_password
|
||||
volumes:
|
||||
- prometheus-data:/prometheus:rw
|
||||
configs:
|
||||
- source: prometheus_yml
|
||||
target: /etc/prometheus/prometheus.yml
|
||||
- source: prometheus_web_yml
|
||||
target: /etc/prometheus/prometheus_web.yml
|
||||
command:
|
||||
# https://github.com/prometheus/prometheus/blob/main/Dockerfile
|
||||
- "--config.file=/etc/prometheus/prometheus.yml"
|
||||
- "--web.config.file=/etc/prometheus/prometheus_web.yml"
|
||||
- "--storage.tsdb.path=/prometheus"
|
||||
- "--web.console.libraries=/usr/share/prometheus/console_libraries"
|
||||
- "--web.console.templates=/usr/share/prometheus/consoles"
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
|
|
@ -99,10 +116,18 @@ services:
|
|||
- LOKI_BUCKET_NAMES
|
||||
|
||||
configs:
|
||||
grafana_custom_ini:
|
||||
template_driver: golang
|
||||
name: ${STACK_NAME}_grafana_custom_ini_${GRAFANA_CUSTOM_INI_VERSION}
|
||||
file: grafana_custom.ini
|
||||
prometheus_yml:
|
||||
template_driver: golang
|
||||
name: ${STACK_NAME}_prometheus_yml_${PROMETHEUS_YML_VERSION}
|
||||
file: prometheus.yml.tmpl
|
||||
prometheus_web_yml:
|
||||
template_driver: golang
|
||||
name: ${STACK_NAME}_prometheus_web_yml_${PROMETHEUS_WEB_YML_VERSION}
|
||||
file: prometheus_web.yml.tmpl
|
||||
loki_yml:
|
||||
template_driver: golang
|
||||
name: ${STACK_NAME}_loki_yml_${LOKI_YML_VERSION}
|
||||
|
|
@ -140,3 +165,9 @@ secrets:
|
|||
grafana_admin_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
|
||||
grafana_oauth_client_secret:
|
||||
external: true
|
||||
name: ${STACK_NAME}_grafana_oauth_client_secret_${SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION}
|
||||
prometheus_admin_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_prometheus_admin_password_${SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION}
|
||||
|
|
|
|||
|
|
@ -39,6 +39,14 @@ GRAFANA_DASHBOARDS_YML_VERSION=v1
|
|||
GRAFANA_SWARM_DASHBOARD_JSON_VERSION=v1
|
||||
GRAFANA_STACKS_DASHBOARD_JSON_VERSION=v1
|
||||
GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION=v1
|
||||
GRAFANA_CUSTOM_INI_VERSION=v1
|
||||
PROMETHEUS_WEB_YML_VERSION=v1
|
||||
|
||||
KEYCLOAK_AUTH_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/auth"
|
||||
KEYCLOAK_API_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/userinfo"
|
||||
KEYCLOAK_TOKEN_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/token"
|
||||
|
||||
SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
|
||||
SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
|
||||
SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
|
||||
SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1
|
||||
|
|
|
|||
|
|
@ -0,0 +1,27 @@
|
|||
[analytics]
|
||||
reporting_enabled = false
|
||||
|
||||
[snapshots]
|
||||
external_enabled = false
|
||||
|
||||
[users]
|
||||
auto_assign_org_role = Admin
|
||||
|
||||
[auth]
|
||||
disable_login_form = true
|
||||
|
||||
[auth.generic_oauth]
|
||||
enabled = true
|
||||
scopes = openid email profile
|
||||
name = id.autonomic.zone
|
||||
icon = signin
|
||||
tls_skip_verify_insecure = false
|
||||
allow_sign_up = true
|
||||
client_id = grafana
|
||||
client_secret = {{ secret "grafana_oauth_client_secret" }}
|
||||
auth_url = {{ env "KEYCLOAK_AUTH_URL" }}
|
||||
token_url = {{ env "KEYCLOAK_TOKEN_URL" }}
|
||||
api_url = {{ env "KEYCLOAK_API_URL" }}
|
||||
|
||||
[auth.basic]
|
||||
enabled = false
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
basic_auth_users:
|
||||
admin: {{ secret "prometheus_admin_password" }}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
# https://prometheus.io/docs/guides/basic-auth/
|
||||
# maya need to `apt install python3-bcrypt`
|
||||
|
||||
import getpass
|
||||
|
||||
import bcrypt
|
||||
|
||||
password = getpass.getpass("password: ")
|
||||
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
|
||||
print(hashed_password.decode())
|
||||
Loading…
Reference in New Issue