Grafana OIDC

manifests/helm/monitor-stack/charts/grafana/templates/_pod.tpl

@@ -218,7 +218,7 @@ containers:
         containerPort: {{ .Values.service.port }}
         protocol: TCP
       - name: {{ .Values.podPortName }}
-        containerPort: 3000
+        containerPort: 30000
         protocol: TCP
     env:
       {{- if not .Values.env.GF_SECURITY_ADMIN_USER }}

manifests/helm/monitor-stack/charts/grafana/values.yaml

@@ -33,12 +33,12 @@ deploymentStrategy:
 readinessProbe:
   httpGet:
     path: /api/health
-    port: 3000
+    port: 30000
 
 livenessProbe:
   httpGet:
     path: /api/health
-    port: 3000
+    port: 30000
   initialDelaySeconds: 60
   timeoutSeconds: 30
   failureThreshold: 10
@@ -113,9 +113,7 @@ podPortName: grafana
 ## ref: http://kubernetes.io/docs/user-guide/services/
 ##
 service:
-  type: ClusterIP
-  port: 80
-  targetPort: 3000
+  port: 30000
     # targetPort: 4181 To be used with a proxy extraContainer
   annotations: {}
   labels: {}
@@ -382,20 +380,20 @@ dashboardsConfigMaps: {}
 ## ref: http://docs.grafana.org/installation/configuration/
 ##
 grafana.ini:
-  paths:
-    data: /var/lib/grafana/data
-    logs: /var/log/grafana
-    plugins: /var/lib/grafana/plugins
-    provisioning: /etc/grafana/provisioning
-  analytics:
-    check_for_updates: false
+#  paths:
+#    data: /var/lib/grafana/data
+#    logs: /var/log/grafana
+#    plugins: /var/lib/grafana/plugins
+#    provisioning: /etc/grafana/provisioning
+#  analytics:
+#    check_for_updates: false
   log:
     mode: console
-  grafana_net:
-    url: https://grafana.net
-  auth.anonymous:
-    enabled: true
-    org_role: Viewer
+#  grafana_net:
+#    url: https://grafana.net
+#  auth.anonymous:
+#    enabled: true
+#    org_role: Viewer
 ## grafana Authentication can be enabled with the following values on grafana.ini
  # server:
       # The full public facing url you use in browser, used for redirects and emails

manifests/helm/monitor-stack/values.yaml

@@ -2001,4 +2001,4 @@ prometheus:
 loki:
   enabled: true
 promtail:
-  enabled: true
+  enabled: true

pkg/kubeserver/api/component.go

@@ -1,6 +1,8 @@
 package api
 
-import "yunion.io/x/onecloud/pkg/apis"
+import (
+	"yunion.io/x/onecloud/pkg/apis"
+)
 
 const (
 	ClusterComponentCephCSI      = "cephCSI"

pkg/kubeserver/models/component_base.go

@@ -5,6 +5,9 @@ import (
 	"fmt"
 	"strings"
 
+	"yunion.io/x/jsonutils"
+	"yunion.io/x/log"
+
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/release"
@@ -146,6 +149,7 @@ func (m HelmComponentManager) CreateHelmResource(
 	if err := m.EnsureNamespace(cluster, m.namespace); err != nil {
 		return errors.Wrapf(err, "%s ensure namespace %q", m.releaseName, m.namespace)
 	}
+	log.Errorf("**** helm install vals: %s", jsonutils.Marshal(vals).PrettyString())
 	if _, err := m.HelmInstall(cluster, m.namespace, m.embedChartName, m.releaseName, vals); err != nil {
 		return errors.Wrapf(err, "create helm %s release", m.releaseName)
 	}

pkg/kubeserver/models/components.go

@@ -5,12 +5,12 @@ import (
 	"crypto/md5"
 	"encoding/hex"
 	"fmt"
-	"reflect"
-
 	"gopkg.in/yaml.v2"
 	"k8s.io/apimachinery/pkg/api/resource"
-
+	"reflect"
 	"yunion.io/x/jsonutils"
+	"yunion.io/x/kubecomps/pkg/kubeserver/api"
+	"yunion.io/x/kubecomps/pkg/kubeserver/drivers"
 	"yunion.io/x/log"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
@@ -21,9 +21,6 @@ import (
 	"yunion.io/x/pkg/tristate"
 	"yunion.io/x/pkg/utils"
 	"yunion.io/x/sqlchemy"
-
-	"yunion.io/x/kubecomps/pkg/kubeserver/api"
-	"yunion.io/x/kubecomps/pkg/kubeserver/drivers"
 )
 
 var (

pkg/kubeserver/models/components_monitor.go

@@ -2,7 +2,12 @@ package models
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
+	"time"
+	"yunion.io/x/onecloud/pkg/mcclient/modules"
+	"yunion.io/x/onecloud/pkg/mcclient/modules/identity"
+	"yunion.io/x/pkg/util/seclib"
 
 	"github.com/minio/minio-go/v7"
 	"k8s.io/api/core/v1"
@@ -29,7 +34,8 @@ var (
 )
 
 const (
-	MonitorNamespace                  = "onecloud-monitoring"
+	//MonitorNamespace                  = "onecloud-monitoring"
+	MonitorNamespace                  = "kube-monitoring"
 	MonitorReleaseName                = "monitor"
 	ThanosObjectStoreConfigSecretName = "thanos-objstore-config"
 	ThanosObjectStoreConfigSecretKey  = "thanos.yaml"
@@ -393,6 +399,59 @@ func (c componentDriverMonitor) FetchStatus(cluster *SCluster, comp *SComponent,
 	return nil
 }
 
+func (m SMonitorComponentManager) CreateOIDCSecret(cluster *SCluster, uid string, pid string) (*identity.SOpenIDConnectCredential, error) {
+	grafanaHost, err := m.GetGrafanaHost(cluster)
+	if err != nil {
+		return nil, err
+	}
+	serverDomain := options.Options.ApiServer
+	redirectUrl := fmt.Sprintf("%s/grafana-proxy/%s/login/generic_oauth", serverDomain, grafanaHost)
+	s, err := GetClusterManager().GetSession()
+	if err != nil {
+		return nil, err
+	}
+	Credentials := &identity.SCredentialManager{
+		ResourceManager: modules.NewIdentityV3Manager("credential", "credentials",
+			[]string{},
+			[]string{"ID", "Type", "user_id", "project_id", "blob"}),
+	}
+	oidcCred := &identity.SOpenIDConnectCredential{}
+	oidcCred.Secret = base64.URLEncoding.EncodeToString([]byte(seclib.RandomPassword(32)))
+	oidcCred.RedirectUri = redirectUrl
+	blobJson := jsonutils.Marshal(&oidcCred)
+	params := jsonutils.NewDict()
+	name := fmt.Sprintf("oidc-%s-%s-%d", uid, pid, time.Now().Unix())
+	if len(pid) > 0 {
+		params.Add(jsonutils.NewString(pid), "project_id")
+	}
+	params.Add(jsonutils.NewString(identity.OIDC_CREDENTIAL_TYPE), "type")
+	if len(uid) > 0 {
+		params.Add(jsonutils.NewString(uid), "user_id")
+	}
+	params.Add(jsonutils.NewString(blobJson.String()), "blob")
+	params.Add(jsonutils.NewString(name), "name")
+	result, err := Credentials.Create(s, params)
+	if err != nil {
+		return oidcCred, err
+	}
+	oidcCred.ClientId, err = result.GetString("id")
+	return oidcCred, err
+}
+
+func (m SMonitorComponentManager) GetGrafanaHost(cluster *SCluster) (grafanaHost string, err error) {
+	grafanaEip, err := cluster.GetAPIServerPublicEndpoint()
+	if err != nil {
+		fmt.Println("k8s cluster no eip", err)
+		return "", err
+	}
+	grafanaHost = fmt.Sprintf("%s:%s", grafanaEip, m.GetGrafanaPort())
+	return
+}
+
+func (m SMonitorComponentManager) GetGrafanaPort() string {
+	return "30000"
+}
+
 func (m SMonitorComponentManager) GetHelmValues(cluster *SCluster, setting *api.ComponentSettings) (map[string]interface{}, error) {
 	imgRepo, err := cluster.GetImageRepository()
 	if err != nil {
@@ -412,48 +471,54 @@ func (m SMonitorComponentManager) GetHelmValues(cluster *SCluster, setting *api.
 			Tag:        tag,
 		}
 	}
-	grafanaHost := input.Grafana.Host
-	if grafanaHost == "" {
-		grafanaHost = input.Grafana.PublicAddress
-	}
-
-	grafanaProto := "https"
-	rootUrl := fmt.Sprintf("%s://%s", grafanaProto, grafanaHost)
-	serveSubPath := false
-	grafanaIni := &components.GrafanaIni{
-		Server: &components.GrafanaIniServer{},
+	serverDomain := options.Options.ApiServer
+	grafanaEip, err := cluster.GetAPIServerPublicEndpoint()
+	if err != nil {
+		return nil, err
 	}
-	if !input.Grafana.DisableSubpath {
-		serveSubPath = true
-		subpath := input.Grafana.Subpath
-		if subpath == "" {
-			subpath = "grafana"
-		}
-		rootUrl = fmt.Sprintf("%s/%s/", rootUrl, subpath)
+	grafanaHost, err := m.GetGrafanaHost(cluster)
+	if err != nil {
+		return nil, err
 	}
-	grafanaIni.Server.ServeFromSubPath = serveSubPath
-	grafanaIni.Server.RootUrl = rootUrl
-	if input.Grafana.EnforceDomain {
-		grafanaIni.Server.Domain = grafanaHost
-		grafanaIni.Server.EnforceDomain = true
-	}
-
-	if input.Grafana.OAuth != nil {
-		oauth := input.Grafana.OAuth
-		grafanaIni.OAuth = &components.GrafanaIniOAuth{
-			Enabled:           oauth.Enabled,
-			ClientId:          oauth.ClientId,
-			ClientSecret:      oauth.ClientSecret,
-			Scopes:            oauth.Scopes,
-			AuthURL:           oauth.AuthURL,
-			TokenURL:          oauth.TokenURL,
-			APIURL:            oauth.APIURL,
-			AllowedDomains:    oauth.AllowedDomains,
-			AllowSignUp:       oauth.AllowSignUp,
-			RoleAttributePath: oauth.RoleAttributePath,
-		}
+	rootUrl := fmt.Sprintf("%s/grafana-proxy/%s", serverDomain, grafanaHost)
+	grafanaIni := &components.GrafanaIni{
+		Server:   &components.GrafanaIniServer{},
+		OAuth:    &components.GrafanaIniOAuth{},
+		Users:    &components.GrafanaIniUsers{},
+		Security: &components.GrafanaIniSecurity{},
+		Auth:     &components.GrafanaIniAuth{},
 	}
 
+	grafanaIni.Auth.LoginCookieName = "grafana_session_721"
+
+	grafanaIni.Server.ServeFromSubPath = true
+	grafanaIni.Server.RootUrl = rootUrl
+	grafanaIni.Server.EnforceDomain = true
+	grafanaIni.Server.Domain = grafanaEip
+	grafanaIni.Server.HttpPort = m.GetGrafanaPort()
+	grafanaIni.Server.Protocol = "http"
+
+	grafanaIni.Security.CookieSecure = true
+	grafanaIni.Security.CookieSamesite = "none"
+	grafanaIni.Security.AllowEmbedding = true
+
+	grafanaIni.Users.DefaultTheme = "light"
+
+	if setting.Monitor.Grafana.OAuth != nil {
+		grafanaIni.OAuth.ClientId = setting.Monitor.Grafana.OAuth.ClientId
+		grafanaIni.OAuth.ClientSecret = setting.Monitor.Grafana.OAuth.ClientSecret
+	}
+
+	grafanaIni.OAuth.Enabled = true
+	grafanaIni.OAuth.Scopes = "user profile"
+	grafanaIni.OAuth.IdTokenAttributeName = "data.id"
+	grafanaIni.OAuth.AuthURL = fmt.Sprintf("%s/api/v1/auth/oidc/auth", serverDomain)
+	grafanaIni.OAuth.TokenURL = fmt.Sprintf("%s/api/v1/auth/oidc/token", serverDomain)
+	grafanaIni.OAuth.APIURL = fmt.Sprintf("%s/api/v1/auth/oidc/user", serverDomain)
+	grafanaIni.OAuth.RoleAttributePath = "projectName == 'system' && contains(roles, 'admin') && 'Admin' || 'Editor'"
+	grafanaIni.OAuth.TlsSkipVerifyInsecure = true
+	grafanaIni.OAuth.AllowAssignGrafanaAdmin = true
+	grafanaIni.OAuth.AllowSignUp = true
 	if input.Grafana.DB != nil {
 		db := input.Grafana.DB
 		if db.Host == "" {
@@ -541,7 +606,8 @@ func (m SMonitorComponentManager) GetHelmValues(cluster *SCluster, setting *api.
 			},
 			Image: mi("grafana", "6.7.1"),
 			Service: &components.Service{
-				Type: string(v1.ServiceTypeClusterIP),
+				Type:     string(v1.ServiceTypeNodePort),
+				NodePort: m.GetGrafanaPort(),
 			},
 			Ingress: &components.GrafanaIngress{
 				Enabled: true,

pkg/kubeserver/tasks/component_deploy_task.go

@@ -3,9 +3,8 @@ package tasks
 import (
 	"context"
 	"fmt"
-	"yunion.io/x/kubecomps/pkg/kubeserver/models"
-
 	"yunion.io/x/jsonutils"
+	"yunion.io/x/kubecomps/pkg/kubeserver/models"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db"
 	"yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
 
@@ -37,6 +36,20 @@ func (t *ComponentDeployTask) OnInit(ctx context.Context, obj db.IStandaloneMode
 		if err != nil {
 			return nil, err
 		}
+
+		if settings.Namespace == models.MonitorNamespace {
+			// create oidc secret
+			secret, err := models.MonitorComponentManager.CreateOIDCSecret(cluster, "", "")
+			if err != nil {
+				return nil, err
+			}
+			if settings.Monitor.Grafana.OAuth == nil {
+				settings.Monitor.Grafana.OAuth = &api.ComponentSettingMonitorGrafanaOAuth{}
+			}
+			settings.Monitor.Grafana.OAuth.ClientId = secret.ClientId
+			settings.Monitor.Grafana.OAuth.ClientSecret = secret.SAccessKeySecretBlob.Secret
+		}
+
 		if err := drv.DoEnable(cluster, settings); err != nil {
 			return nil, err
 		}