feat: add ldap auth to grafana

- add ldap_cfg section
- add ldap_bind_pass to eyaml
Ben Vincent 2025-06-30 19:12:58 +10:00
parent d6ccb8aafe
commit 9529d74863
2 changed files with 40 additions and 1 deletions


@ -1,2 +1,3 @@
--- ---
profiles::sql::postgresdb::dbpass: ENC[PKCS7,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] profiles::sql::postgresdb::dbpass: ENC[PKCS7,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]
profiles::metrics::grafana::ldap_bind_pass: ENC[PKCS7,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]


@ -1,5 +1,6 @@
# profiles::metrics::grafana # profiles::metrics::grafana
class profiles::metrics::grafana ( class profiles::metrics::grafana (
String $ldap_bind_pass,
Stdlib::Port $http_port = 8080, Stdlib::Port $http_port = 8080,
String $app_mode = 'production', String $app_mode = 'production',
Boolean $allow_sign_up = false, Boolean $allow_sign_up = false,
@ -65,11 +66,48 @@ class profiles::metrics::grafana (
users => { users => {
allow_sign_up => $allow_sign_up, allow_sign_up => $allow_sign_up,
}, },
'auth.ldap' => {
enabled => 'true',
config_file => '/etc/grafana/ldap.toml',
},
} }
# build the ldap config hash
$ldap_cfg = Sensitive({
servers => [
{ host => 'ldap.service.consul',
port => 389,
use_ssl => false,
search_filter => '(uid=%s)',
search_base_dns => [ 'dc=main,dc=unkin,dc=net' ],
bind_dn => 'cn=svc_grafana,ou=services,ou=users,dc=main,dc=unkin,dc=net',
bind_password => $ldap_bind_pass,
},
],
'servers.attributes' => {
name => 'givenName',
surname => 'sn',
username => 'uid',
member_of => 'memberOf',
email => 'mail',
},
'servers.group_mappings' => [
{
group_dn => 'ou=grafana_admin,ou=groups,dc=main,dc=unkin,dc=net',
org_role => 'Admin',
grafana_admin => true,
},
{
group_dn => 'ou=grafana_user,ou=groups,dc=main,dc=unkin,dc=net',
org_role => 'Viewer',
}
],
})
# deploy grafana # deploy grafana
class { 'grafana': class { 'grafana':
cfg => $cfg, cfg => $cfg,
ldap_cfg => $ldap_cfg,
} }
# fix the package provided systemd service # fix the package provided systemd service
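Review bot: In the `servers` entry of `$ldap_cfg`, `port => 389` with `use_ssl => false` and no `start_tls` key means the `svc_grafana` bind password and each user's login password are sent to `ldap.service.consul` unencrypted. If the directory supports it, set `start_tls => true` (or `use_ssl => true` with `port => 636`) and point `root_ca_cert` at the directory CA so the server certificate is verified. Separately, the new parameter is declared `String $ldap_bind_pass`, so the decrypted value is likely stored in the compiled catalog as a plain class parameter even though the hash is wrapped in `Sensitive()`; typing it `Sensitive[String]` and unwrapping it inside the hash would keep it redacted, assuming the Hiera lookup is configured to convert it. The class body starts and ends outside these hunks.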