From acf918bfc27c28f73a836f015cd7f69c07d93de2 Mon Sep 17 00:00:00 2001
From: Dreaded_X
Date: Mon, 30 Dec 2024 05:54:52 +0100
Subject: [PATCH] Added grafana
---
 apps/grafana/kustomization.yaml | 16 +++++++
 apps/grafana/ldap-toml | 53 ++++++++++++++++++++++
 apps/grafana/lldap.yaml | 60 +++++++++++++++++++++++++
 apps/grafana/nameReference.yaml | 6 +++
 apps/grafana/namespace.yaml | 4 ++
 apps/grafana/release.yaml | 37 +++++++++++++++
 apps/grafana/repository.yaml | 7 +++
 apps/kustomization.yaml | 1 +
 apps/lldap/bootstrap/bootstrap-job.yaml | 5 +++
 apps/lldap/bootstrap/kustomization.yaml | 2 +
 10 files changed, 191 insertions(+)
 create mode 100644 apps/grafana/kustomization.yaml
 create mode 100644 apps/grafana/ldap-toml
 create mode 100644 apps/grafana/lldap.yaml
 create mode 100644 apps/grafana/nameReference.yaml
 create mode 100644 apps/grafana/namespace.yaml
 create mode 100644 apps/grafana/release.yaml
 create mode 100644 apps/grafana/repository.yaml
diff --git a/apps/grafana/kustomization.yaml b/apps/grafana/kustomization.yaml
new file mode 100644
index 0000000..28f923a
--- /dev/null
+++ b/apps/grafana/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grafana
+resources:
+ - ./namespace.yaml
+ - ./repository.yaml
+ - ./release.yaml
+ - ./lldap.yaml
+
+configurations:
+ - nameReference.yaml
+
+secretGenerator:
+ - name: grafana-ldap-toml
+ files:
+ - ldap-toml
diff --git a/apps/grafana/ldap-toml b/apps/grafana/ldap-toml
new file mode 100644
index 0000000..3077448
--- /dev/null
+++ b/apps/grafana/ldap-toml
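Review bot: The `configurations: - nameReference.yaml` entry exists only so that the hashed name kustomize gives the `grafana-ldap-toml` generator is rewritten into `spec/values/ldap/existingSecret` of release.yaml, and nothing in this file says so; a comment above it, `# nameReference.yaml: rewrite ldap.existingSecret in release.yaml to the hashed generator name`, saves the next reader a detour through two files. That entry also lacks the `./` prefix the `resources` list uses; both forms resolve, so pick one for the file. Worth stating as well that `ldap-toml` holds no secret material itself (the bind password arrives at runtime through `LDAP_ADMIN_PASSWORD`) and is a Secret only because the chart's `ldap.existingSecret` expects one, so nobody goes looking for a missing sops wrapper around it.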
@@ -0,0 +1,53 @@
+# This is only the ldap config, you also need to enable ldap support in the main config file
+# of Grafana. See https://grafana.com/docs/grafana/latest/auth/ldap/#enable-ldap
+# You can test that it is working correctly by trying usernames at: https:///admin/ldap
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "lldap.lldap.svc.cluster.local"
+# Default port is 389 or 636 if use_ssl = true
+port = 3890
+# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
+use_ssl = false
+# If set to true, use LDAP with STARTTLS instead of LDAPS
+start_tls = false
+# set to true if you want to skip SSL cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = """${LDAP_ADMIN_PASSWORD}"""
+
+# User search filter
+search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"
+# If you want to limit to only users of a specific group use this instead:
+# search_filter = "(&(uid=%s)(memberOf=cn=,ou=groups,dc=huizinga,dc=dev))"
+
+# An array of base dns to search through
+search_base_dns = ["dc=huizinga,dc=dev"]
+
+# Specify names of the LDAP attributes your LDAP uses
+[servers.attributes]
+member_of = "memberOf"
+email = "mail"
+name = "givenName"
+surname = "sn"
+username = "uid"
+
+# If you want to map your ldap groups to grafana's groups, see: https://grafana.com/docs/grafana/latest/auth/ldap/#group-mappings
+# As a quick example, here is how you would map lldap's admin group to grafana's admin
+[[servers.group_mappings]]
+group_dn = "cn=lldap_admin,ou=groups,dc=huizinga,dc=dev"
+org_role = "Admin"
+grafana_admin = true
+
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Viewer"
diff --git a/apps/grafana/lldap.yaml b/apps/grafana/lldap.yaml
new file mode 100644
index 0000000..dcb4bfe
--- /dev/null
+++ b/apps/grafana/lldap.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana-lldap
+type: Opaque
+stringData:
+ password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
+ user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-12-30T03:11:38Z"
+ mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
+ pgp:
+ - created_at: "2024-12-30T03:06:07Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
+ CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
+ QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
+ GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
+ omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
+ U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
+ kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
+ mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
+ 92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
+ psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
+ 07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
+ aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
+ E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
+ 8PqQ49TpHxYC
+ =eBq+
+ -----END PGP MESSAGE-----
+ fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+ - created_at: "2024-12-30T03:06:07Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
+ tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
+ /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
+ gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
+ LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
+ wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
+ qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
+ el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
+ R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
+ IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
+ 2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
+ XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
+ FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
+ =9p2Q
+ -----END PGP MESSAGE-----
+ fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/apps/grafana/nameReference.yaml b/apps/grafana/nameReference.yaml
new file mode 100644
index 0000000..bddbc10
--- /dev/null
+++ b/apps/grafana/nameReference.yaml
@@ -0,0 +1,6 @@
+# This makes sure the field in the HelmRelease is recognized as a Secret
+nameReference:
+ - kind: Secret
+ fieldSpecs:
+ - kind: HelmRelease
+ path: spec/values/ldap/existingSecret
diff --git a/apps/grafana/namespace.yaml b/apps/grafana/namespace.yaml
new file mode 100644
index 0000000..201d7d3
--- /dev/null
+++ b/apps/grafana/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: grafana
diff --git a/apps/grafana/release.yaml b/apps/grafana/release.yaml
new file mode 100644
index 0000000..385f136
--- /dev/null
+++ b/apps/grafana/release.yaml
@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: grafana
+spec:
+ chart:
+ spec:
+ chart: grafana
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: grafana
+ version: 8.8.2
+ interval: 15m
+ values:
+ replicas: 1
+
+ ingress:
+ enabled: true
+ hosts:
+ - grafana.${domain}
+ tls:
+ - secretName: ${domain//./-}-tls
+
+ envValueFrom:
+ LDAP_ADMIN_PASSWORD:
+ secretKeyRef:
+ name: grafana-lldap
+ key: password
+
+ grafana.ini:
+ auth.ldap:
+ enabled: true
+
+ ldap:
+ enabled: true
+ existingSecret: grafana-ldap-toml
diff --git a/apps/grafana/repository.yaml b/apps/grafana/repository.yaml
new file mode 100644
index 0000000..9c7b735
--- /dev/null
+++ b/apps/grafana/repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: grafana
+spec:
+ interval: 15m
+ url: https://grafana.github.io/helm-charts
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index c06dd53..336ea90 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - ./lldap
 - ./authelia
+ - ./grafana
 - ./whoami.yaml
 - ./akri-demo.yaml
diff --git a/apps/lldap/bootstrap/bootstrap-job.yaml b/apps/lldap/bootstrap/bootstrap-job.yaml
index ca236ca..9b89165 100644
--- a/apps/lldap/bootstrap/bootstrap-job.yaml
+++ b/apps/lldap/bootstrap/bootstrap-job.yaml
@@ -67,6 +67,11 @@ spec:
 items:
 - key: user-configs.json
 path: authelia-configs.json
+ - secret:
+ name: grafana-lldap
+ items:
+ - key: user-configs.json
+ path: grafana-configs.json
+ - name: group-configs
+ projected:
diff --git a/apps/lldap/bootstrap/kustomization.yaml b/apps/lldap/bootstrap/kustomization.yaml
index 7e95252..8c41fa0 100644
--- a/apps/lldap/bootstrap/kustomization.yaml
+++ b/apps/lldap/bootstrap/kustomization.yaml
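Review bot: `grafana.ini` at the end of the release.yaml hunk enables `auth.ldap` but leaves `[security]` untouched, so the session cookie is not marked secure even though the ingress serves TLS only; add `security:` with `cookie_secure: true` and `cookie_samesite: strict` next to `auth.ldap`. `auth.ldap.enabled: true` duplicates what `ldap.enabled: true` already makes the chart set through the `GF_AUTH_LDAP_ENABLED` environment variable, if I read the chart right; keeping one copy avoids the two drifting apart. The `tls` entry carries a `secretName` but no `hosts`, so which name the certificate is served for is left to the ingress controller's default; `hosts: - grafana.${domain}` under it makes that explicit. Nothing pins the chart's built-in `admin` account, which, as far as I know the chart, is then seeded with a generated password in a Secret in the namespace; a comment stating that this is the intended break-glass login (and where that password lives) would stop it being read as an unset password.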
@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
 - ./bootstrap-job.yaml
 - ../../authelia/lldap.yaml
+ - ../../grafana/lldap.yaml
+
+configMapGenerator:
+ - name: bootstrap
+ options: