stuff

grafana/ingress.yml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production-http
+spec:
+  tls:
+    - hosts:
+        - grafana.mainscnt.eu
+      secretName: grafana-cert
+  rules:
+    - host: grafana.mainscnt.eu
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service: 
+                name: mainscntgrafana
+                port: 
+                  number: 80

grafana/install.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+ARG1=$1
+NAMESPACE=$(cat namespace)
+
+echo "Namespace: $NAMESPACE"
+
+
+
+
+if [ "$ARG1" = "initial" ]; then
+  psql << EOF
+create user mainscntgrafana;
+commit;
+create database mainscntgrafana with owner mainscntgrafana;
+EOF
+fi
+
+./roll-db-credential.sh
+
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+helm upgrade --install -f values.yml mainscntgrafana grafana/grafana --version 6.59.0 --namespace=$NAMESPACE
+
+kubectl annotate deployments mainscntgrafana -n $NAMESPACE --overwrite=true secret.reloader.stakater.com/reload=grafana-db-cred
+
+kubectl -f ingress.yml -n $NAMESPACE apply
+

grafana/namespace

@@ -0,0 +1 @@
+mainscnt

grafana/provisioning.json

@@ -0,0 +1,108 @@
+[
+  {
+    "name": "createClientMainscntGrafana",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+    "data": {
+      "protocol": "openid-connect",
+      "enabled": "true",
+      "clientId": "mainscnt-grafana",
+      "name": "Grafana2",
+      "baseUrl": "https://grafana.mainscnt.eu",
+      "redirectUris": [
+        "https://grafana.mainscnt.eu/login/generic_oauth"
+      ],
+      "standardFlowEnabled": "true",
+      "implicitFlowEnabled": "false",
+      "publicClient": "false"
+    }
+  },
+  {
+    "name": "createClientRoleMaincntGrafanaAdmin",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients/$result/roles",
+    "use": {
+      "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+      "data": { "clientId": "mainscnt-grafana" },
+      "resultIndexes": [ 0, "id" ]
+    },
+    "data": {
+      "name": "Admin"
+    }
+  },
+  {
+    "name": "createClientRoleMainscntGrafanaGrafanaAdmin",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients/$result/roles",
+    "use": {
+      "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+      "data": { "clientId": "mainscnt-grafana" },
+      "resultIndexes": [ 0, "id" ]
+    },
+    "data": {
+      "name": "GrafanaAdmin"
+    }
+  },
+  {
+    "name": "createClientRoleMainscntGrafanaViewer",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients/$result/roles",
+    "use": {
+      "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+      "data": { "clientId": "mainscnt-grafana" },
+      "resultIndexes": [ 0, "id" ]
+    },
+    "data": {
+      "name": "Viewer"
+    }
+  },
+  {
+    "name": "createClientRoleMainscntGrafanaEditor",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients/$result/roles",
+    "use": {
+      "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+      "data": { "clientId": "mainscnt-grafana" },
+      "resultIndexes": [ 0, "id" ]
+    },
+    "data": {
+      "name": "Editor"
+    }
+  },
+  {
+    "name": "createRoleMapperMainscntGrafana",
+    "method": "POST",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients/$result/protocol-mappers/add-models",
+    "use": {
+      "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+      "data": { "clientId": "mainscnt-grafana" },
+      "resultIndexes": [ 0, "id" ]
+    },
+    "data": [
+      {
+        "name": "client roles",
+        "protocol": "openid-connect",
+        "protocolMapper": "oidc-usermodel-client-role-mapper",
+        "consentRequired": false,
+        "config": {
+          "multivalued": "true",
+          "user.attribute": "foo",
+          "access.token.claim": "true",
+          "claim.name": "roles",
+          "jsonType.label": "String",
+          "id.token.claim": "true",
+          "access.token.claim": "true",
+          "clientId": "mainscnt-grafana"
+        }
+      }
+    ]
+  },
+  {
+    "name": "getClientMainscntGrafana",
+    "method": "GET",
+    "url": "https://auth2.hottis.de/admin/realms/hottis/clients",
+    "data": { "clientId": "mainscnt-grafana" }
+  }
+]
+
+

grafana/readme.md

@@ -0,0 +1,5 @@
+For the OAuth configuration follow the docs at
+https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
+
+With keycloak create under "client scopes" a dedicated mapper to fill the client roles into the claim roles.
+

grafana/roll-db-credential.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+
+DATABASE=mainscntgrafana
+LOGIN=mainscntgrafana
+PASSWORD=`openssl rand -base64 24`
+NAMESPACE=$(cat namespace)
+
+psql <<EOF
+do
+\$\$
+begin
+  if not exists (SELECT * FROM pg_user WHERE usename = '$LOGIN') then
+    CREATE USER $LOGIN WITH PASSWORD '$PASSWORD';
+  else
+    ALTER USER $LOGIN WITH PASSWORD '$PASSWORD';
+  end if;
+  GRANT ALL PRIVILEGES ON DATABASE $DATABASE TO $LOGIN;
+end
+\$\$
+;
+commit;
+EOF
+
+kubectl create secret generic grafana-db-cred \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=GF_DATABASE_USER="$LOGIN" \
+  --from-literal=GF_DATABASE_PASSWORD="$PASSWORD" | \
+kubectl apply -f - -n $NAMESPACE
+
+

grafana/test.yml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secretloader
+  labels:
+    app: secretloader
+spec:
+  containers:
+    - name: secretloader
+      image: nginx
+      env:
+        - name: USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: grafana-admin-credentials
+              key: username
+        - name: PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: grafana-admin-credentials
+              key: password
+

grafana/values.yml

@@ -0,0 +1,51 @@
+persistence:
+  enabled: true
+  storageClassName: nfs-client
+
+grafana.ini:
+  server:
+    root_url: https://grafana.mainscnt.eu
+  smtp:
+    enabled: true
+    host: smtp.system.svc.cluster.local
+    from_address: grafana@mainscnt.eu
+    from_name: "Mainscnt Grafana Pseudouser"
+  log:
+    level: debug
+  emails:
+    welcome_email_on_sign_up: true
+  security:
+    cookie_secure: true
+    cookie_samesite: none
+  auth:
+    disable_login_form: true
+  auth.generic_oauth:
+    enabled: true
+    name: Mainscnt Grafana via Keycloak
+    allow_sign_up: true
+    client_id: mainscnt-grafana
+    client_secret: ...
+    scopes: openid email profile offline_access roles
+    email_attribute_path: email
+    login_attribute_path: username
+    name_attribute_path: fullname
+    auth_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/auth
+    token_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token
+    api_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo
+    role_attribute_path: "contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || contains(roles[*], 'Viewer') && 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
+    tls_skip_verify_insecure: true
+  database:
+    type: postgres
+    host: timescaledb.database.svc.cluster.local
+    name: mainscntgrafana
+    ssl_mode: require
+
+# add the oauth client secret in this secret with the key GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+# example:
+# kubectl create secret generic grafana-oauth-secret --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="geheim"
+envFromSecrets:
+  - name: grafana-oauth-secret
+  - name: grafana-db-cred
+