From 8c7d6c3daa354b33a1fd67c035ad9ca077bcd67a Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 20 Apr 2019 23:11:22 +0200
Subject: [PATCH 1/3] [grafana] Initial role
---
monitoring.yml | 5 +++
roles/grafana/handlers/main.yml | 5 +++
roles/grafana/tasks/main.yml | 74 +++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+)
create mode 100644 roles/grafana/handlers/main.yml
create mode 100644 roles/grafana/tasks/main.yml
diff --git a/monitoring.yml b/monitoring.yml
index 4400869d..cea4352d 100644
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -21,3 +21,8 @@
 - hosts: all
 roles:
 - prometheus-node
+
+# Deploy grafana
+- hosts: fy.adm.crans.org
+ roles:
+ - grafana
diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
new file mode 100644
index 00000000..cbd4ffd0
--- /dev/null
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart grafana
+ service:
+ name: grafana-server
+ state: restarted
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 00000000..54c346c6
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: Install APT HTTPS support
+ apt:
+ name: apt-transport-https
+ state: present
+ update_cache: true
+
+- name: Import Grafana GPG signing key
+ apt_key:
+ url: https://packages.grafana.com/gpg.key
+ state: present
+ validate_certs: false
+
+- name: Add Grafana repository
+ apt_repository:
+ repo: deb https://packages.grafana.com/oss/deb stable main
+ state: present
+ update_cache: true
+
+- name: Install Grafana
+ apt:
+ name: grafana
+ state: present
+
+- name: Configure Grafana
+ ini_file:
+ path: /etc/grafana/grafana.ini
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: 640
+ loop:
+ - section: server
+ option: root_url
+ value: https://grafana.crans.org # TODO put var in playbook
+ - section: session # This will break with HTTPS
+ option: cookie_secure
+ value: "true"
+ - section: analytics
+ option: reporting_enabled
+ value: "false"
+ - section: snapshots
+ option: external_enabled
+ value: "false"
+ - section: users
+ option: allow_sign_up
+ value: "false"
+ - section: users
+ option: allow_org_create
+ value: "false"
+ - section: auth.basic # Only LDAP auth
+ option: enabled
+ value: "false"
+ - section: auth.ldap
+ option: enabled
+ value: "true"
+ - section: auth.ldap # We don't want registration
+ option: allow_sign_up
+ value: "false"
+ notify: Restart grafana
+
+#- name: Configure Grafana LDAP
+# lineinfile:
+# # TODO
+# loop:
+# # TODO
+# notify: Restart grafana
+
+#- name: Enable and start Grafana
+# systemd:
+# name: grafana-server
+# enabled: true
+# state: started
+# daemon_reload: true
From fe2061810c158d8b4c5858936a5143e745761b50 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 20 Apr 2019 23:15:28 +0200
Subject: [PATCH 2/3] [grafana] Fix missing retry
---
roles/grafana/tasks/main.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 54c346c6..bf811636 100644
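Review bot: The `Import Grafana GPG signing key` task fetches the repository signing key with `validate_certs: false`, which removes the only check that the key really came from packages.grafana.com; anyone able to interpose on that download can hand over a key of their own, and apt will then trust every package it signs. Drop the line so the module verifies the TLS certificate (the default), or go further and pin the expected key with apt_key's `id:` parameter so an unexpected key is rejected outright. The comment `# This will break with HTTPS` on the `session` item reads inverted: `cookie_secure = true` marks the session cookie HTTPS-only, so it breaks logins without HTTPS, not with it; `# Requires HTTPS (root_url is https)` would state the real constraint. The same `validate_certs: false` line is carried unchanged into the retry hunk of the second patch.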
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -4,12 +4,18 @@
 name: apt-transport-https
 state: present
 update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
 - name: Import Grafana GPG signing key
 apt_key:
 url: https://packages.grafana.com/gpg.key
 state: present
 validate_certs: false
+ register: apt_key_result
+ retries: 3
+ until: apt_key_result is succeeded
 - name: Add Grafana repository
 apt_repository:
@@ -21,6 +27,9 @@
 apt:
 name: grafana
 state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
 - name: Configure Grafana
 ini_file:
@@ -28,7 +37,7 @@
 section: "{{ item.section }}"
 option: "{{ item.option }}"
 value: "{{ item.value }}"
- mode: 640
+ mode: 0640
 loop:
 - section: server
 option: root_url
From d51db7568f3aa040cea8a3b372002d018e4dcfac Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sun, 21 Apr 2019 19:14:16 +0200
Subject: [PATCH 3/3] [grafana] Working grafana with LDAP groups
---
group_vars/all/vault.yml | 57 ++++++++++++------------
monitoring.yml | 8 ++++
roles/grafana/tasks/main.yml | 29 ++++++-------
roles/grafana/templates/ldap.toml.j2 | 65 ++++++++++++++++++++++++++++
4 files changed, 116 insertions(+), 43 deletions(-)
create mode 100644 roles/grafana/templates/ldap.toml.j2
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index eeb53a93..0e007106 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
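Review bot: `mode: 0640` in the third hunk relies on the YAML 1.1 leading-zero octal rule of Ansible's PyYAML loader; a YAML 1.2 loader or yamllint's `octal-values` rule reads that token differently, so the portable form is the quoted string `mode: "0640"`, which Ansible converts itself. In the first and second hunks `register: apt_result` is shared by two tasks; that is harmless here because each `until` reads it immediately, but a per-task name, as `apt_key_result` already does, avoids a stale value if a later task ever inspects it.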
@@ -1,28 +1,31 @@
 $ANSIBLE_VAULT;1.1;AES256
-35323634643434386162333935333434356266646165373339343861383330313237306433326638
-3137623039383732663764613030313235653638636333300a313838633264323436316663653162
-31343864326565393261643230326564386237666563323066363332613065643831656339613164
-3263313530363663350a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a303932616262336461653832363163
+31393964376632623462333964666533333639393631393865343062393135653937663063616135
+3763666336383136300a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
diff --git a/monitoring.yml b/monitoring.yml
index cea4352d..4bfc5e3f 100644
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -10,6 +10,7 @@
 - localhost:9100
 - vulcain.adm.crans.org:9100
 - odlyd.adm.crans.org:9100
+ - fy.adm.crans.org:9100
 - labels:
 job: prometheus
 targets:
@@ -24,5 +25,12 @@
 # Deploy grafana
 - hosts: fy.adm.crans.org
+ vars:
+ grafana_root_url: https://grafana.crans.org
+ ldap_base: 'dc=crans,dc=org'
+ ldap_master_ipv4: '10.231.136.19'
+ ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+ ldap_grafana_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
+ ldap_grafana_passwd: "{{ vault_ldap_grafana_passwd }}"
 roles:
 - grafana
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index bf811636..2890217c 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -41,7 +41,7 @@
 loop:
 - section: server
 option: root_url
- value: https://grafana.crans.org # TODO put var in playbook
+ value: "{{ grafana_root_url }}"
 - section: session # This will break with HTTPS
 option: cookie_secure
 value: "true"
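Review bot: The `vars:` block in the second monitoring.yml hunk is the only place `grafana_root_url`, `ldap_base`, `ldap_master_ipv4`, `ldap_user_tree`, `ldap_grafana_bind_dn` and `ldap_grafana_passwd` are defined, yet the grafana role's task and template now depend on all of them; nothing visible in the role declares them, so applying the role from any other play fails at template time with an undefined variable. A `roles/grafana/defaults/main.yml` listing them with empty or placeholder values (or a role README naming the required inputs) would make the contract explicit. `grafana_root_url` follows the role-prefix convention; the `ldap_*` names are not role-scoped and will collide if another role in this inventory also consumes an LDAP server.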
@@ -63,21 +63,18 @@
 - section: auth.ldap
 option: enabled
 value: "true"
- - section: auth.ldap # We don't want registration
- option: allow_sign_up
- value: "false"
 notify: Restart grafana
-#- name: Configure Grafana LDAP
-# lineinfile:
-# # TODO
-# loop:
-# # TODO
-# notify: Restart grafana
+- name: Configure Grafana LDAP
+ template:
+ src: ldap.toml.j2
+ dest: /etc/grafana/ldap.toml
+ mode: 0640
+ notify: Restart grafana
-#- name: Enable and start Grafana
-# systemd:
-# name: grafana-server
-# enabled: true
-# state: started
-# daemon_reload: true
+- name: Enable and start Grafana
+ systemd:
+ name: grafana-server
+ enabled: true
+ state: started
+ daemon_reload: true
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
new file mode 100644
index 00000000..9540cfab
--- /dev/null
+++ b/roles/grafana/templates/ldap.toml.j2
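Review bot: The `Configure Grafana LDAP` template task sets `mode: 0640` but no `owner`/`group`, so the readability of `/etc/grafana/ldap.toml` by the grafana service user depends on the file already existing with the ownership the package gave it (presumably `root:grafana`); on a host where it does not, Ansible creates it `root:root` and the bind password file is unreadable by the process that needs it. Adding `owner: root` and `group: grafana` next to `mode: 0640` makes the task self-contained, and the `Configure Grafana` ini_file task on grafana.ini has the same gap. The handler in roles/grafana/handlers/main.yml restarts the service through `service:` while this hunk manages it through `systemd:`; either works, but one module for both reads more consistently.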
@@ -0,0 +1,65 @@
+# {{ ansible_managed }}
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ ldap_master_ipv4 }}"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if ldap server supports TLS
+use_ssl = false
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "{{ ldap_grafana_bind_dn }}"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. 
Ex """#password;""" +bind_password = '{{ ldap_grafana_passwd }}' + +# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" +search_filter = "(cn=%s)" + +# An array of base dns to search through +search_base_dns = ["{{ ldap_user_tree }}"] + +## For Posix or LDAP setups that does not support member_of attribute you can define the below settings +## Please check grafana LDAP docs for examples +group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" +group_search_base_dns = ["ou=posix,ou=groups,{{ ldap_base }}"] +group_search_filter_user_attribute = "cn" + +# Specify names of the ldap attributes your ldap uses +[servers.attributes] +name = "sn" +surname = "" +username = "cn" +member_of = "dn" +email = "mail" + +# Map ldap groups to grafana org roles +[[servers.group_mappings]] +group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org" +org_role = "Admin" +# To make user an instance admin (Grafana Admin) uncomment line below +grafana_admin = true +# The Grafana organization database id, optional, if left out the default org (id 1) will be used +# org_id = 1 + +[[servers.group_mappings]] +group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org" +org_role = "Editor" + +[[servers.group_mappings]] +# If you want to match all (or no ldap groups) then you can use wildcard +group_dn = "*" +org_role = "Viewer"