【Question title】: LDAP configuration not picked up by grafana.ini during Helm chart install
【Posted】: 2021-02-11 23:24:42
【Question description】:

I have installed the kube-prometheus-stack-9.4.5 operator using Helm, mostly with the default settings, passing a custom values.yaml for the Grafana URL and the LDAP configuration. When I exec into the Grafana container I can reach the Grafana dashboard and see the configuration in grafana.ini. I then added the LDAP settings below to the YAML file and noticed that none of the LDAP information was updated in the grafana.ini file. The container has the auth.ldap flag set to true in grafana.ini, but the LDAP configuration is not visible in the secret or in /etc/grafana/ldap.toml. /etc/grafana/ldap.toml has the default LDAP settings and none of the custom values specified in values.yaml can be seen.

grafana:
  enabled: true
  namespaceOverride: ""
  rbac:
    pspUseAppArmor: false
  grafana.ini:
    server:
      domain: sandboxgrmysite.com
      #root_url: "%(protocol)s://%(domain)s/"
      root_url: https://sandboxgrmysite.com/grafana/
      serve_from_sub_path: true
    auth.ldap:
      enabled: true
      allow_sign_up: true
  envFromSecret: "grafana-ldap-cred"
  ldap:
    enabled: true
    existingSecret: ""
    config: |-
      verbose_logging = true

      [[servers]]
      host = "my.ldap.server.com"
      port = 636
      use_ssl = true
      root_ca_cert = "/home/myid/CA_Cert.pem"
      start_tls = false
      ssl_skip_verify = false
      bind_dn = "uid=ldapbind,ou=Users,dc=com"
      bind_password = "${LDAP_BIND_PASSWORD}"
      search_filter = "(uid=%s)"
      search_base_dns = ["dc=com"]

      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "cn"
      email = "mail"
      group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%s))"
      ## An array of the base DNs to search through for groups. Typically uses ou=groups
      group_search_base_dns = ["ou=groups,dc=Global,dc=com"]
      ## the %s in the search filter will be replaced with the attribute defined below
      group_search_filter_user_attribute = "uid"

      [[servers.group_mappings]]
      group_dn = "cn=admin_ldap,ou=Users,dc=com"
      org_role = "Admin"
      grafana_admin = true

      [[servers.group_mappings]]
      group_dn = "*"
      org_role = "Viewer"

I looked at this post and compared the configuration, but still no luck. Any clue what is missing here?

【Question discussion】:

    Tags: grafana prometheus-operator


    【Solution 1】:

    Spent some time going through the Helm templates and other configuration to understand what was missing, and got it working with the following Grafana configuration in the custom-values.yaml used for the operator.

    Please pay special attention to the indentation, as it caused some issues when I tried to copy and paste from the Grafana chart's values.yaml.

    grafana:
      enabled: true
      namespaceOverride: ""
      rbac:
        pspUseAppArmor: false
      grafana.ini:
        # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
        log:
          mode: console
          #level: debug
          # to enable debug level for ldap calls only
          #filters: ldap:debug
        
        server:
          domain: sbgrafana.mysite.com
          #root_url: "%(protocol)s://%(domain)s/"
          root_url: https://sbgrafana.mysite.com/grafana/
          serve_from_sub_path: true
        auth.ldap:
          enabled: true
          allow_sign_up: true
          config_file: /etc/grafana/ldap.toml
    
      ldap:
        enabled: true
        # `existingSecret` is a reference to an existing secret containing the ldap configuration
        # for Grafana in a key `ldap-toml`.
        existingSecret: ""
        # `config` is the content of `ldap.toml` that will be stored in the created secret
        config: |-
          verbose_logging = true
    
          [[servers]]
          host = "my.ldap.com"
          # Default port is 389 or 636 if use_ssl = true
          # port = 389
          # use_ssl = false
          port = 636
          use_ssl = true
          # CA cert is mapped as certs-configmap in extraConfigmapMounts section below -- path in Grafana container
          root_ca_cert = "/etc/grafana/ssl/CACert.pem"
          start_tls = false
          ssl_skip_verify = false
          bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
          bind_password = "${LDAP_BIND_PASSWORD}"
          search_filter = "(uid=%s)"
          group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%s))"
          group_search_base_dns = ["uid=%s,ou=users,dc=myorg,dc=com"]
          group_search_filter_user_attribute = "uid"
          
          [servers.attributes]
          name = "givenName"
          surname = "sn"
          username = "cn"
          email = "mail"
    
          [[servers.group_mappings]]
          group_dn = "cn=admins,dc=grafana,dc=org"
          org_role = "Admin"
    
          [[servers.group_mappings]]
          group_dn = "cn=users,dc=grafana,dc=org"
          org_role = "Editor"
    
          [[servers.group_mappings]]
          group_dn = "*"
          org_role = "Viewer"
    
      extraConfigmapMounts:
        - name: certs-configmap
          mountPath: /etc/grafana/ssl/
          configMap: certs-configmap
          readOnly: true
    

    Steps to create the configmap mentioned above for the LDAP SSL/HTTPS communication. At least I could not find clear information on this, so adding it here for others.

    # the key name becomes the file name under mountPath, so it must match the
    # file referenced by root_ca_cert (/etc/grafana/ssl/CACert.pem)
    kubectl -n monitoring create configmap certs-configmap --from-file=CACert.pem=my-ca-cert.pem
    

    Create a custom secret in the monitoring namespace with the key LDAP_BIND_PASSWORD and the LDAP bind password as the value. Now we no longer need to keep it in plain text in the custom values.yaml file.

    【Discussion】:
