nearly there with auth

monitoring/README.md

@@ -8,7 +8,13 @@
 ```
 printf $(pass show hosts/swarm.autonomic.zone/minio/secret_key) | docker secret create gp_monitoring_loki_aws_secret_access_key_v1 -
 printf password | docker secret create gp_monitoring_grafana_admin_password_v1 -
+printf <...> | docker secret create gp_monitoring_grafana_oauth_client_secret_v1 -
+
+pwgen -s 64 1; ./scripts/genpw.py # input password & get hashed output for secret
+printf <...> | docker secret create gp_monitoring_prometheus_admin_password_v1 -
+
 set -a && source env && set +a
 docker context use monitor.autonomic.zone
+
 docker stack deploy -c compose.yml gp_monitoring
 ```

monitoring/compose.yml

@@ -8,6 +8,7 @@ services:
       - grafana-data:/var/lib/grafana:rw
     secrets:
       - grafana_admin_password
+      - grafana_oauth_client_secret
     configs:
       - source: grafana_datasources_yml
         target: /etc/grafana/provisioning/datasources/datasources.yml
@@ -19,6 +20,8 @@ services:
         target: /var/lib/grafana/dashboards/docker-swarm-stacks.json
       - source: grafana_traefik_dashboard_json
         target: /var/lib/grafana/dashboards/traefik.json
+      - source: grafana_custom_ini
+        target: /etc/grafana/grafana.ini
     networks:
       - proxy
       - internal
@@ -31,6 +34,9 @@ services:
       - GF_INSTALL_PLUGINS=grafana-piechart-panel
       - GF_SERVER_ROOT_URL=https://${GRAFANA_DOMAIN}
       - GF_SECURITY_ADMIN_PASSWORD__FILE=/run/secrets/grafana_admin_password
+      - KEYCLOAK_API_URL
+      - KEYCLOAK_AUTH_URL
+      - KEYCLOAK_TOKEN_URL
     deploy:
       labels:
         - "traefik.enable=true"
@@ -48,11 +54,22 @@ services:
 
   prometheus:
     image: prom/prometheus:v2.34.0
+    secrets:
+      - prometheus_admin_password
     volumes:
       - prometheus-data:/prometheus:rw
     configs:
       - source: prometheus_yml
         target: /etc/prometheus/prometheus.yml
+      - source: prometheus_web_yml
+        target: /etc/prometheus/prometheus_web.yml
+    command:
+      # https://github.com/prometheus/prometheus/blob/main/Dockerfile
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--web.config.file=/etc/prometheus/prometheus_web.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+      - "--web.console.templates=/usr/share/prometheus/consoles"
     networks:
       - proxy
       - internal
@@ -99,10 +116,18 @@ services:
       - LOKI_BUCKET_NAMES
 
 configs:
+  grafana_custom_ini:
+    template_driver: golang
+    name: ${STACK_NAME}_grafana_custom_ini_${GRAFANA_CUSTOM_INI_VERSION}
+    file: grafana_custom.ini
   prometheus_yml:
     template_driver: golang
     name: ${STACK_NAME}_prometheus_yml_${PROMETHEUS_YML_VERSION}
     file: prometheus.yml.tmpl
+  prometheus_web_yml:
+    template_driver: golang
+    name: ${STACK_NAME}_prometheus_web_yml_${PROMETHEUS_WEB_YML_VERSION}
+    file: prometheus_web.yml.tmpl
   loki_yml:
     template_driver: golang
     name: ${STACK_NAME}_loki_yml_${LOKI_YML_VERSION}
@@ -140,3 +165,9 @@ secrets:
   grafana_admin_password:
     external: true
     name: ${STACK_NAME}_grafana_admin_password_${SECRET_GRAFANA_ADMIN_PASSWORD_VERSION}
+  grafana_oauth_client_secret:
+    external: true
+    name: ${STACK_NAME}_grafana_oauth_client_secret_${SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION}
+  prometheus_admin_password:
+    external: true
+    name: ${STACK_NAME}_prometheus_admin_password_${SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION}

monitoring/env

@@ -39,6 +39,14 @@ GRAFANA_DASHBOARDS_YML_VERSION=v1
 GRAFANA_SWARM_DASHBOARD_JSON_VERSION=v1
 GRAFANA_STACKS_DASHBOARD_JSON_VERSION=v1
 GRAFANA_TRAEFIK_DASHBOARD_JSON_VERSION=v1
+GRAFANA_CUSTOM_INI_VERSION=v1
+PROMETHEUS_WEB_YML_VERSION=v1
+
+KEYCLOAK_AUTH_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/auth"
+KEYCLOAK_API_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/userinfo"
+KEYCLOAK_TOKEN_URL="https://id.autonomic.zone/auth/realms/autonomic/protocol/openid-connect/token"
 
 SECRET_LOKI_AWS_SECRET_ACCESS_KEY_VERSION=v1
 SECRET_GRAFANA_ADMIN_PASSWORD_VERSION=v1
+SECRET_GRAFANA_OAUTH_CLIENT_SECRET_VERSION=v1
+SECRET_PROMETHEUS_ADMIN_PASSWORD_VERSION=v1

monitoring/grafana_custom.ini

@@ -0,0 +1,27 @@
+[analytics]
+reporting_enabled = false
+
+[snapshots]
+external_enabled = false
+
+[users]
+auto_assign_org_role = Admin
+
+[auth]
+disable_login_form = true
+
+[auth.generic_oauth]
+enabled = true
+scopes = openid email profile
+name = id.autonomic.zone
+icon = signin
+tls_skip_verify_insecure = false
+allow_sign_up = true
+client_id = grafana
+client_secret = {{ secret "grafana_oauth_client_secret" }}
+auth_url = {{ env "KEYCLOAK_AUTH_URL" }}
+token_url = {{ env "KEYCLOAK_TOKEN_URL" }}
+api_url = {{ env "KEYCLOAK_API_URL" }}
+
+[auth.basic]
+enabled = false

monitoring/prometheus_web.yml.tmpl

@@ -0,0 +1,2 @@
+basic_auth_users:
+  admin: {{ secret "prometheus_admin_password" }}

monitoring/scripts/genpw.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+# https://prometheus.io/docs/guides/basic-auth/
+# maya need to `apt install python3-bcrypt`
+
+import getpass
+
+import bcrypt
+
+password = getpass.getpass("password: ")
+hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
+print(hashed_password.decode())