(fleet/kube-prometheus-stack) add ldap auth to pillan

Author: csilva-cl

fleet/lib/kube-prometheus-stack-pre/fleet.yaml

@@ -12,3 +12,14 @@ dependsOn:
   - selector:
       matchLabels:
         bundle: external-secrets
+targetCustomizations:
+  - name: pillan
+    clusterSelector:
+      matchExpressions:
+        - key: management.cattle.io/cluster-display-name
+          operator: In
+          values:
+            - pillan
+    yaml:
+      overlays:
+        - ldap

fleet/lib/kube-prometheus-stack-pre/overlays/ldap/externalsecret-grafana-ldap.yaml

@@ -0,0 +1,70 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-ldap
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    template:
+      data:
+        ldap-toml: |
+          [[servers]]
+          host = "{{ .servers }}"
+          port = 636
+          use_ssl = true
+          start_tls = false
+          ssl_skip_verify = true
+          bind_dn = "uid={{ .username }},cn=users,cn=accounts,dc=lsst,dc=cloud"
+          # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+          bind_password = """{{ .password }}"""
+          # Timeout in seconds. Applies to each host specified in the 'host' entry (space separated).
+          timeout = 10
+
+          # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+          # Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
+          search_filter = "(uid=%s)"
+
+          # An array of base dns to search through
+          search_base_dns = ["cn=users,cn=accounts,dc=lsst,dc=cloud"]
+
+          # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+          # group_search_filter_user_attribute = "distinguishedName"
+          # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+
+          # Specify names of the LDAP attributes your LDAP uses
+          [servers.attributes]
+          name = "givenName"
+          surname = "sn"
+          username = "cn"
+          member_of = "memberOf"
+          email =  "email"
+
+          # Map ldap groups to grafana org roles
+          [[servers.group_mappings]]
+          group_dn = "cn=admins,cn=groups,cn=accounts,dc=lsst,dc=cloud"
+          org_role = "Admin"
+
+          [[servers.group_mappings]]
+          group_dn = "cn=k8s-pillan-admins,cn=groups,cn=accounts,dc=lsst,dc=cloud"
+          org_role = "Editor"
+
+          [[servers.group_mappings]]
+          # If you want to match all (or no ldap groups) then you can use wildcard
+          group_dn = "cn=k8s-pillan,cn=groups,cn=accounts,dc=lsst,dc=cloud"
+          org_role = "Viewer"
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item grafana service account
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password
+    - secretKey: servers
+      remoteRef:
+        key: *item
+        property: servers

fleet/lib/kube-prometheus-stack/overlays/pillan/values.yaml

@@ -126,3 +126,11 @@ grafana:
       - secretName: tls-grafana-ingress
         hosts:
           - grafana.tu.lsst.org
+  grafana.ini:
+    auth.ldap:
+      enabled: true
+      allow_sign_up: true
+      config_file: /etc/grafana/ldap.toml
+  ldap:
+    enabled: true
+    existingSecret: grafana-ldap