diff --git a/monitoring/README.md b/monitoring/README.md
index 770a74f..b9a0631 100644
--- a/monitoring/README.md
+++ b/monitoring/README.md
@@ -8,7 +8,13 @@
 ```
 printf $(pass show hosts/swarm.autonomic.zone/minio/secret_key) | docker secret create gp_monitoring_loki_aws_secret_access_key_v1 -
 printf password | docker secret create gp_monitoring_grafana_admin_password_v1 -
+printf <...> | docker secret create gp_monitoring_grafana_oauth_client_secret_v1 -
+
+pwgen -s 64 1; ./scripts/genpw.py # input password & get hashed output for secret
+printf <...> | docker secret create gp_monitoring_prometheus_admin_password_v1 -
+
 set -a && source env && set +a
 docker context use monitor.autonomic.zone
+
 docker stack deploy -c compose.yml gp_monitoring
 ```
diff --git a/monitoring/compose.yml b/monitoring/compose.yml
index 86f7776..540e83c 100644
--- a/monitoring/compose.yml
+++ b/monitoring/compose.yml
@@ -8,6 +8,7 @@ services:
 - grafana-data:/var/lib/grafana:rw
 secrets:
 - grafana_admin_password
+ - grafana_oauth_client_secret
 configs:
 - source: grafana_datasources_yml
 target: /etc/grafana/provisioning/datasources/datasources.yml
@@ -19,6 +20,8 @@ services:
 target: /var/lib/grafana/dashboards/docker-swarm-stacks.json
 - source: grafana_traefik_dashboard_json
 target: /var/lib/grafana/dashboards/traefik.json
+ - source: grafana_custom_ini
+ target: /etc/grafana/grafana.ini
 networks:
 - proxy
 - internal
@@ -31,6 +34,9 @@ services:
 - GF_INSTALL_PLUGINS=grafana-piechart-panel
 - GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
 - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
+ - KEYCLOAK_API_URL
+ - KEYCLOAK_AUTH_URL
+ - KEYCLOAK_TOKEN_URL
 deploy:
 labels:
 - "traefik.enable=true"
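Review bot: In the environment hunk the OAuth client secret ends up in two places: it is mounted under `/run/secrets/` by the first compose hunk, and it is also rendered into `/etc/grafana/grafana.ini` by the `grafana_custom_ini` config (second hunk), where `client_secret = {{ secret "grafana_oauth_client_secret" }}` copies it into a world-readable config file inside the container. The line just above the new ones, `GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password`, already uses Grafana's `__FILE` convention for exactly this situation, and it applies to this key as well: `- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE=/run/secrets/grafana_oauth_client_secret`, after which `client_secret` can be dropped from the ini so the secret is read from the Swarm secret mount only. If the ini rendering is kept deliberately, a comment next to the secrets entry saying so would stop the next reader from removing one of the two. The grafana service definition starts and ends outside these hunks.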
@@ -48,11 +54,22 @@ services:
 
 prometheus:
 image: prom/prometheus:v2.34.0
+ secrets:
+ - prometheus_admin_password
 volumes:
 - prometheus-data:/prometheus:rw
 configs:
 - source: prometheus_yml
 target: /etc/prometheus/prometheus.yml
+ - source: prometheus_web_yml
+ target: /etc/prometheus/prometheus_web.yml
+ command:
+ # https://github.com/prometheus/prometheus/blob/main/Dockerfile
+ - "--config.file=/etc/prometheus/prometheus.yml"
+ - "--web.config.file=/etc/prometheus/prometheus_web.yml"
+ - "--storage.tsdb.path=/prometheus"
+ - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+ - "--web.console.templates=/usr/share/prometheus/consoles"
 networks:
 - proxy
 - internal
@@ -99,10 +116,18 @@ services:
 - LOKI_BUCKET_NAMES
 
 configs:
+ grafana_custom_ini:
+ template_driver: golang
+ name: ${STACK_NAME}_grafana_custom_ini_${GRAFANA_CUSTOM_INI_VERSION}
+ file: grafana_custom.ini
 prometheus_yml:
 template_driver: golang
 name: ${STACK_NAME}_prometheus_yml_${PROMETHEUS_YML_VERSION}
 file: prometheus.yml.tmpl
+ prometheus_web_yml:
+ template_driver: golang
+ name: ${STACK_NAME}_prometheus_web_yml_${PROMETHEUS_WEB_YML_VERSION}
+ file: prometheus_web.yml.tmpl
 loki_yml:
 template_driver: golang
 name: ${STACK_NAME}_loki_yml_${LOKI_YML_VERSION}
@@ -140,3 +165,9 @@ secrets:
 grafana_admin_password:
 external: true
 name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
+ grafana_oauth_client_secret:
+ external: true
+ name: ${STACK_NAME}_grafana_oauth_client_secret_${SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION}
+ prometheus_admin_password:
+ external: true
+ name: ${STACK_NAME}_prometheus_admin_password_${SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION}
diff --git a/monitoring/env b/monitoring/env
index 6e16112..3360c27 100644
--- a/monitoring/env
+++ b/monitoring/env
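Review bot: Passing `--web.config.file` with a `basic_auth_users` entry puts every Prometheus HTTP endpoint behind basic auth, yet nothing in this diff touches the Grafana datasource provisioned from `grafana_datasources_yml`; if that datasource points at this Prometheus over the `internal` network (I cannot see the file here), its queries will start failing with 401 the moment this deploys, until it is given the same credentials via `basicAuth: true`, `basicAuthUser: admin` and the password under `secureJsonData`. The same applies to anything else that scrapes or health-checks this service, since the web config does not exempt paths such as `/-/healthy` as far as I know. A comment above `command:` noting that the consumers of this endpoint need matching credentials, and a matching line in the README next to the secret-creation step, would make the dependency visible. The prometheus service definition continues outside this hunk.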
@@ -39,6 +39,14 @@ GRAFANA_DASHBOARDS_YML_VERSION=v1
 GRAFANA_SWARM_DASHBOARD_JSON_VERSION=v1
 GRAFANA_STACKS_DASHBOARD_JSON_VERSION=v1
 GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION=v1
+GRAFANA_CUSTOM_INI_VERSION=v1
+PROMETHEUS_WEB_YML_VERSION=v1
+
+KEYCLOAK_AUTH_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/auth"
+KEYCLOAK_API_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/userinfo"
+KEYCLOAK_TOKEN_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/token"
 
 SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
 SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
+SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
+SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1
diff --git a/monitoring/grafana_custom.ini b/monitoring/grafana_custom.ini
new file mode 100644
index 0000000..4d06313
--- /dev/null
+++ b/monitoring/grafana_custom.ini
@@ -0,0 +1,27 @@
+[analytics]
+reporting_enabled = false
+
+[snapshots]
+external_enabled = false
+
+[users]
+auto_assign_org_role = Admin
+
+[auth]
+disable_login_form = true
+
+[auth.generic_oauth]
+enabled = true
+scopes = openid email profile
+name = id.autonomic.zone
+icon = signin
+tls_skip_verify_insecure = false
+allow_sign_up = true
+client_id = grafana
+client_secret = {{ secret "grafana_oauth_client_secret" }}
+auth_url = {{ env "KEYCLOAK_AUTH_URL" }}
+token_url = {{ env "KEYCLOAK_TOKEN_URL" }}
+api_url = {{ env "KEYCLOAK_API_URL" }}
+
+[auth.basic]
+enabled = false
diff --git a/monitoring/prometheus_web.yml.tmpl b/monitoring/prometheus_web.yml.tmpl
new file mode 100644
index 0000000..193205f
--- /dev/null
+++ b/monitoring/prometheus_web.yml.tmpl
@@ -0,0 +1,2 @@
+basic_auth_users:
+ admin: {{ secret "prometheus_admin_password" }}
diff --git a/monitoring/scripts/genpw.py b/monitoring/scripts/genpw.py
new file mode 100755
index 0000000..5bb4379
--- /dev/null
+++ b/monitoring/scripts/genpw.py
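Review bot: `auto_assign_org_role = Admin` under `[users]`, together with `allow_sign_up = true` in `[auth.generic_oauth]`, makes every account that can complete the Keycloak login a full Grafana org Admin on first sign-in, and nothing in this file narrows that by group, domain or claim. Unless the Keycloak client itself is restricted to the intended people (not visible here, please confirm), the default should be least privilege, `auto_assign_org_role = Viewer`, with elevated roles derived from a token claim via `role_attribute_path`, e.g. `role_attribute_path = contains(groups[*], 'admins') && 'Admin' || 'Viewer'` (constructed example; the claim name depends on the realm's mappers). A one-line comment above `[users]` recording why the default role is what it is would help the next reader either way. Note also that with `disable_login_form = true` and `[auth.basic] enabled = false` the local admin account has no interactive fallback if Keycloak is unavailable; if that is intended, say so in a comment next to `disable_login_form`.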
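Review bot: The value rendered into `admin:` has to be a bcrypt hash rather than the plaintext password, and nothing in this two-line template says so; since the secret is created by hand per the README, a comment at the top, `# values are bcrypt hashes, generated with scripts/genpw.py — never the plaintext password`, is cheap insurance. I believe Prometheus refuses a web config whose entries are not valid bcrypt hashes, so a plaintext secret would keep the service from coming up rather than fail quietly, but a hash stored with a trailing newline is the more likely slip; the comment should also say the secret must be created without one, as the README's `printf` form does.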
@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+# https://prometheus.io/docs/guides/basic-auth/
+# maya need to `apt install python3-bcrypt`
+
+import getpass
+
+import bcrypt
+
+password = getpass.getpass("password: ")
+hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
+print(hashed_password.decode())
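Review bot: The password is read once with no confirmation at `getpass.getpass("password: ")`, so a mistyped entry yields a hash that never matches and the only symptom is failed logins after deploy; prompting twice and comparing before hashing is cheap. bcrypt also only considers the first 72 bytes of its input (the `bcrypt` package truncates or rejects longer input depending on its version), so the script should refuse longer input rather than hash a silently truncated value — the README's `pwgen -s 64 1` stays under that limit, but nothing here enforces it. The comment `# maya need to` should read `# may need to`.

```python
password = getpass.getpass("password: ")
if password != getpass.getpass("confirm password: "):
    raise SystemExit("passwords do not match")
# bcrypt only uses the first 72 bytes; refuse rather than hash a truncated value
if len(password.encode("utf-8")) > 72:
    raise SystemExit("password longer than 72 bytes is not supported by bcrypt")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
```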