Add LDAP to Alertmanager
This change adds an apache sidecar to the Alertmanager statefulset in order to facillitate authentication to the service. Change-Id: I6e3cfb582251ecd280644439bfbd432a1f86ede3
This commit is contained in:
parent
1884f2c957
commit
72f42ba091
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v0.20.0
|
||||
description: OpenStack-Helm Alertmanager for Prometheus
|
||||
name: prometheus-alertmanager
|
||||
version: 0.1.2
|
||||
version: 0.1.3
|
||||
home: https://prometheus.io/docs/alerting/alertmanager/
|
||||
sources:
|
||||
- https://github.com/prometheus/alertmanager
|
||||
|
44
prometheus-alertmanager/templates/bin/_apache.sh.tpl
Normal file
44
prometheus-alertmanager/templates/bin/_apache.sh.tpl
Normal file
@ -0,0 +1,44 @@
|
||||
#!/bin/bash
|
||||
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
set -exv
|
||||
|
||||
COMMAND="${@:-start}"
|
||||
|
||||
function start () {
|
||||
|
||||
if [ -f /etc/apache2/envvars ]; then
|
||||
# Loading Apache2 ENV variables
|
||||
source /etc/httpd/apache2/envvars
|
||||
fi
|
||||
# Apache gets grumpy about PID files pre-existing
|
||||
rm -f /etc/httpd/logs/httpd.pid
|
||||
|
||||
if [ -f /usr/local/apache2/conf/.htpasswd ]; then
|
||||
htpasswd -b /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
|
||||
else
|
||||
htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
|
||||
fi
|
||||
|
||||
#Launch Apache on Foreground
|
||||
exec httpd -DFOREGROUND
|
||||
}
|
||||
|
||||
function stop () {
|
||||
apachectl -k graceful-stop
|
||||
}
|
||||
|
||||
$COMMAND
|
@ -18,8 +18,10 @@ limitations under the License.
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: alertmanager-bin
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
|
||||
data:
|
||||
apache.sh: |
|
||||
{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
alertmanager.sh: |
|
||||
{{ tuple "bin/_alertmanager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
image-repo-sync.sh: |
|
||||
|
@ -16,13 +16,13 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: alertmanager-etc
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
|
||||
data:
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml") | indent 2 }}
|
||||
alert-templates.tmpl: |
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml" "format" "Secret") | indent 2 }}
|
||||
{{- if .Values.conf.alert_templates }}
|
||||
{{ .Values.conf.alert_templates | indent 4 }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alert_templates "key" "alert-templates.tmpl" "format" "Secret") | indent 2 }}
|
||||
{{- end }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
|
||||
{{- end }}
|
||||
|
@ -13,6 +13,6 @@ limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.manifests.ingress .Values.network.alertmanager.ingress.public }}
|
||||
{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "alerts-api" -}}
|
||||
{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "http" -}}
|
||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||
{{- end }}
|
||||
|
26
prometheus-alertmanager/templates/secret-admin-user.yaml
Normal file
26
prometheus-alertmanager/templates/secret-admin-user.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.secret_admin_user }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
type: Opaque
|
||||
data:
|
||||
ALERTMANAGER_USERNAME: {{ .Values.endpoints.alertmanager.auth.admin.username | b64enc }}
|
||||
ALERTMANAGER_PASSWORD: {{ .Values.endpoints.alertmanager.auth.admin.password | b64enc }}
|
||||
{{- end }}
|
@ -21,11 +21,11 @@ metadata:
|
||||
name: {{ tuple "alertmanager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
spec:
|
||||
ports:
|
||||
- name: alerts-api
|
||||
- name: http
|
||||
port: {{ tuple "alertmanager" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{ if .Values.network.alertmanager.node_port.enabled }}
|
||||
nodePort: {{ .Values.network.alertmanager.node_port.port }}
|
||||
{{ end }}
|
||||
port: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
selector:
|
||||
{{ tuple $envAll "prometheus-alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{ if .Values.network.alertmanager.node_port.enabled }}
|
||||
|
@ -70,6 +70,40 @@ spec:
|
||||
- name: alertmanager-data
|
||||
mountPath: /var/lib/alertmanager/data
|
||||
containers:
|
||||
- name: apache-proxy
|
||||
{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "server" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /tmp/apache.sh
|
||||
- start
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
env:
|
||||
- name: ALERTMANAGER_PORT
|
||||
value: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||
- name: ALERTMANAGER_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
key: ALERTMANAGER_USERNAME
|
||||
- name: ALERTMANAGER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
key: ALERTMANAGER_PASSWORD
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: alertmanager-bin
|
||||
mountPath: /tmp/apache.sh
|
||||
subPath: apache.sh
|
||||
readOnly: true
|
||||
- name: alertmanager-etc
|
||||
mountPath: /usr/local/apache2/conf/httpd.conf
|
||||
subPath: httpd.conf
|
||||
readOnly: true
|
||||
- name: prometheus-alertmanager
|
||||
{{ tuple $envAll "prometheus-alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
@ -104,10 +138,12 @@ spec:
|
||||
mountPath: /tmp
|
||||
- name: etc-alertmanager
|
||||
mountPath: /etc/config
|
||||
{{- if .Values.conf.alert_templates }}
|
||||
- name: alertmanager-etc
|
||||
mountPath: /etc/alertmanager/template/alert-templates.tmpl
|
||||
subPath: alert-templates.tmpl
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: alertmanager-etc
|
||||
mountPath: /etc/alertmanager/config.yml
|
||||
subPath: config.yml
|
||||
@ -125,11 +161,12 @@ spec:
|
||||
- name: etc-alertmanager
|
||||
emptyDir: {}
|
||||
- name: alertmanager-etc
|
||||
configMap:
|
||||
name: alertmanager-etc
|
||||
secret:
|
||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
|
||||
defaultMode: 0444
|
||||
- name: alertmanager-bin
|
||||
configMap:
|
||||
name: alertmanager-bin
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
|
||||
defaultMode: 0555
|
||||
{{ if $mounts_alertmanager.volumes }}{{ toYaml $mounts_alertmanager.volumes | indent 8 }}{{ end }}
|
||||
{{- if not .Values.storage.alertmanager.enabled }}
|
||||
|
@ -18,6 +18,7 @@
|
||||
---
|
||||
images:
|
||||
tags:
|
||||
apache_proxy: docker.io/httpd:2.4
|
||||
prometheus-alertmanager: docker.io/prom/alertmanager:v0.20.0
|
||||
snmpnotifier: docker.io/maxwo/snmp-notifier:v1.0.0
|
||||
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
||||
@ -49,6 +50,9 @@ pod:
|
||||
prometheus_alertmanager_perms:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
apache_proxy:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
prometheus_alertmanager:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
@ -83,6 +87,13 @@ pod:
|
||||
timeout: 30
|
||||
resources:
|
||||
enabled: false
|
||||
apache_proxy:
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
alertmanager:
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
@ -123,6 +134,10 @@ endpoints:
|
||||
alertmanager:
|
||||
name: prometheus-alertmanager
|
||||
namespace: null
|
||||
auth:
|
||||
admin:
|
||||
username: admin
|
||||
password: changeme
|
||||
hosts:
|
||||
default: alerts-engine
|
||||
public: prometheus-alertmanager
|
||||
@ -146,6 +161,24 @@ endpoints:
|
||||
public: 80
|
||||
mesh:
|
||||
default: 9094
|
||||
http:
|
||||
default: 80
|
||||
ldap:
|
||||
hosts:
|
||||
default: ldap
|
||||
auth:
|
||||
admin:
|
||||
bind: "cn=admin,dc=cluster,dc=local"
|
||||
password: password
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: "/ou=People,dc=cluster,dc=local"
|
||||
scheme:
|
||||
default: ldap
|
||||
port:
|
||||
ldap:
|
||||
default: 389
|
||||
snmpnotifier:
|
||||
name: snmpnotifier
|
||||
namespace: null
|
||||
@ -231,6 +264,7 @@ manifests:
|
||||
ingress: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_admin_user: true
|
||||
secret_ingress_tls: true
|
||||
service: true
|
||||
service_discovery: true
|
||||
@ -248,6 +282,105 @@ network_policy:
|
||||
- {}
|
||||
|
||||
conf:
|
||||
httpd: |
|
||||
ServerRoot "/usr/local/apache2"
|
||||
|
||||
Listen 80
|
||||
|
||||
LoadModule mpm_event_module modules/mod_mpm_event.so
|
||||
LoadModule authn_file_module modules/mod_authn_file.so
|
||||
LoadModule authn_core_module modules/mod_authn_core.so
|
||||
LoadModule authz_host_module modules/mod_authz_host.so
|
||||
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
|
||||
LoadModule authz_user_module modules/mod_authz_user.so
|
||||
LoadModule authz_core_module modules/mod_authz_core.so
|
||||
LoadModule access_compat_module modules/mod_access_compat.so
|
||||
LoadModule auth_basic_module modules/mod_auth_basic.so
|
||||
LoadModule ldap_module modules/mod_ldap.so
|
||||
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
|
||||
LoadModule reqtimeout_module modules/mod_reqtimeout.so
|
||||
LoadModule filter_module modules/mod_filter.so
|
||||
LoadModule proxy_html_module modules/mod_proxy_html.so
|
||||
LoadModule log_config_module modules/mod_log_config.so
|
||||
LoadModule env_module modules/mod_env.so
|
||||
LoadModule headers_module modules/mod_headers.so
|
||||
LoadModule setenvif_module modules/mod_setenvif.so
|
||||
LoadModule version_module modules/mod_version.so
|
||||
LoadModule proxy_module modules/mod_proxy.so
|
||||
LoadModule proxy_connect_module modules/mod_proxy_connect.so
|
||||
LoadModule proxy_http_module modules/mod_proxy_http.so
|
||||
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
|
||||
LoadModule remoteip_module modules/mod_remoteip.so
|
||||
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
|
||||
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
|
||||
LoadModule unixd_module modules/mod_unixd.so
|
||||
LoadModule status_module modules/mod_status.so
|
||||
LoadModule autoindex_module modules/mod_autoindex.so
|
||||
|
||||
<IfModule unixd_module>
|
||||
User daemon
|
||||
Group daemon
|
||||
</IfModule>
|
||||
|
||||
<Directory />
|
||||
AllowOverride none
|
||||
Require all denied
|
||||
</Directory>
|
||||
|
||||
<Files ".ht*">
|
||||
Require all denied
|
||||
</Files>
|
||||
|
||||
ErrorLog /dev/stderr
|
||||
|
||||
LogLevel warn
|
||||
|
||||
<IfModule log_config_module>
|
||||
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
||||
|
||||
<IfModule logio_module>
|
||||
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
||||
</IfModule>
|
||||
|
||||
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||
CustomLog /dev/stdout common
|
||||
CustomLog /dev/stdout combined
|
||||
CustomLog /dev/stdout proxy env=forwarded
|
||||
</IfModule>
|
||||
|
||||
<Directory "/usr/local/apache2/cgi-bin">
|
||||
AllowOverride None
|
||||
Options None
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
<IfModule headers_module>
|
||||
RequestHeader unset Proxy early
|
||||
</IfModule>
|
||||
|
||||
<IfModule proxy_html_module>
|
||||
Include conf/extra/proxy-html.conf
|
||||
</IfModule>
|
||||
|
||||
<VirtualHost *:80>
|
||||
RemoteIPHeader X-Original-Forwarded-For
|
||||
<Location />
|
||||
ProxyPass http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
|
||||
ProxyPassReverse http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
|
||||
</Location>
|
||||
<Proxy *>
|
||||
AuthName "Alertmanager"
|
||||
AuthType Basic
|
||||
AuthBasicProvider file ldap
|
||||
AuthUserFile /usr/local/apache2/conf/.htpasswd
|
||||
AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
|
||||
AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
|
||||
AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
|
||||
Require valid-user
|
||||
</Proxy>
|
||||
</VirtualHost>
|
||||
command_flags:
|
||||
alertmanager:
|
||||
storage.path: /var/lib/alertmanager/data
|
||||
|
Loading…
x
Reference in New Issue
Block a user