enh: use basic auth for Grafana by default and feature flag to switch between basic auth, github oauth and gitlab oauth (#215)

mglotov · web-flow · commit ac2b6b77890c · 2021-11-19T09:36:35.000+06:00
diff --git a/README.md b/README.md
@@ -265,24 +265,9 @@ $ cp terraform/layer1-aws/demo.tfvars.example terraform/layer1-aws/terraform.tfv
 > You can find all possible variables in each layer's Readme.
 
 #### Secrets
+Some local variables expect [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`. 
 
-In the root of `layer2-k8s` is the `aws-sm-secrets.tf` where several local variables expect [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`. These secrets are used for authentication with Kibana and Grafana using GitLab and register gitlab runner.
-
-  ```json
-  {
-    "kibana_gitlab_client_id": "access key token",
-    "kibana_gitlab_client_secret": "secret key token",
-    "kibana_gitlab_group": "gitlab group",
-    "grafana_gitlab_client_id": "access key token",
-    "grafana_gitlab_client_secret": "secret key token",
-    "gitlab_registration_token": "gitlab-runner token",
-    "grafana_gitlab_group": "gitlab group",
-    "alertmanager_slack_url": "slack url",
-    "alertmanager_slack_channel": "slack channel"
-  }
-  ```
-
-> Set proper secrets; you also can set empty/mock values.
+> The secret `/${local.name_wo_region}/infra/layer2-k8s` must be pre-created before running `terraform apply`
 
 #### Domain and SSL
 
diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -211,4 +211,14 @@ runners:
   serviceAccountName: my-gitlab-runners-sa
   image: ubuntu:18.04
 ...
-```
+```
+
+## Grafana: How to add GitHub/Gitlab OAuth2 Authentication:
+By default we install Grafana without integrating it with GitHub or Gitlab and use basic authentication (login/password). If you want to integrate it to use OAuth2, then do next:
+1. Set `grafana_oauth_type` variable in the `terraform/layer2-k8s/eks-kube-prometheus-stack.tf` to the desired value (github or gitlab). 
+2. **Gitlab**:
+   * See [this instruction](https://grafana.com/docs/grafana/latest/auth/gitlab/#gitlab-oauth2-authentication) and generate necessary tokens.
+   * Set `grafana_gitlab_client_id`, `grafana_gitlab_client_secret`, `grafana_gitlab_group` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
+3. **GitHub**:
+   * See [this instruction](https://grafana.com/docs/grafana/latest/auth/github/#github-oauth2-authentication)
+   * Set `grafana_github_client_id`, `grafana_github_client_secret`, `grafana_github_team_ids`, `grafana_github_allowed_organizations` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
diff --git a/terraform/layer2-k8s/aws-sm-secrets.tf b/terraform/layer2-k8s/aws-sm-secrets.tf
@@ -1,13 +1,10 @@
 locals {
-  kibana_gitlab_client_id      = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["kibana_gitlab_client_id"]
-  kibana_gitlab_client_secret  = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["kibana_gitlab_client_secret"]
-  kibana_gitlab_group          = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["kibana_gitlab_group"]
-  grafana_gitlab_client_id     = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["grafana_gitlab_client_id"]
-  grafana_gitlab_client_secret = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["grafana_gitlab_client_secret"]
-  gitlab_registration_token    = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["gitlab_registration_token"]
-  grafana_gitlab_group         = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["grafana_gitlab_group"]
-  alertmanager_slack_url       = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["alertmanager_slack_url"]
-  alertmanager_slack_channel   = jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string)["alertmanager_slack_channel"]
+  kibana_gitlab_client_id     = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_id", "mock_value")
+  kibana_gitlab_client_secret = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_client_secret", "mock_value")
+  kibana_gitlab_group         = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "kibana_gitlab_group", "mock_value")
+  gitlab_registration_token   = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "gitlab_registration_token", "mock_value")
+  alertmanager_slack_url      = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_url", "mock_value")
+  alertmanager_slack_channel  = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "alertmanager_slack_channel", "mock_value")
 }
 
 data "aws_secretsmanager_secret" "infra" {
diff --git a/terraform/layer2-k8s/eks-kube-prometheus-stack.tf b/terraform/layer2-k8s/eks-kube-prometheus-stack.tf
@@ -7,11 +7,19 @@ locals {
     chart_version = local.helm_releases[index(local.helm_releases.*.id, "kube-prometheus-stack")].chart_version
     namespace     = local.helm_releases[index(local.helm_releases.*.id, "kube-prometheus-stack")].namespace
   }
-  grafana_password             = local.kube_prometheus_stack.enabled ? random_string.grafana_password[0].result : "test123"
-  grafana_domain_name          = "grafana-${local.domain_suffix}"
-  prometheus_domain_name       = "prometheus-${local.domain_suffix}"
-  alertmanager_domain_name     = "alertmanager-${local.domain_suffix}"
-  kube_prometheus_stack_values = <<VALUES
+  grafana_oauth_type                   = "" # we support three options: without ouath (empty value), github or gitlab. Default is empty
+  grafana_password                     = local.kube_prometheus_stack.enabled ? random_string.grafana_password[0].result : "test123"
+  grafana_gitlab_client_id             = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_id", "")
+  grafana_gitlab_client_secret         = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_client_secret", "")
+  grafana_gitlab_group                 = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_gitlab_group", "")
+  grafana_github_client_id             = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_id", "")
+  grafana_github_client_secret         = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_client_secret", "")
+  grafana_github_team_ids              = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_team_ids", "")
+  grafana_github_allowed_organizations = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "grafana_github_allowed_organizations", "")
+  grafana_domain_name                  = "grafana-${local.domain_suffix}"
+  prometheus_domain_name               = "prometheus-${local.domain_suffix}"
+  alertmanager_domain_name             = "alertmanager-${local.domain_suffix}"
+  kube_prometheus_stack_values         = <<VALUES
 # Prometheus Server parameters
 prometheus:
   ingress:
@@ -65,7 +73,7 @@ prometheusOperator:
               - ON_DEMAND
 VALUES
 
-  kube_prometheus_stack_grafana_values = <<VALUES
+  kube_prometheus_stack_grafana_values              = <<VALUES
 # Grafana settings
 grafana:
   enabled: true
@@ -89,22 +97,11 @@ grafana:
     - hosts:
       - ${local.grafana_domain_name}
   env:
-    # all values must be quoted
-    GF_SERVER_ROOT_URL: "https://${local.grafana_domain_name}"
-    GF_USERS_ALLOW_SIGN_UP: "false"
-    GF_AUTH_GITLAB_ENABLED: "true"
-    GF_AUTH_GITLAB_ALLOW_SIGN_UP: "true"
-    GF_AUTH_GITLAB_CLIENT_ID: "${local.grafana_gitlab_client_id}"
-    GF_AUTH_GITLAB_CLIENT_SECRET: "${local.grafana_gitlab_client_secret}"
-    GF_AUTH_GITLAB_SCOPES: "read_api"
-    GF_AUTH_GITLAB_AUTH_URL: "https://gitlab.com/oauth/authorize"
-    GF_AUTH_GITLAB_TOKEN_URL: "https://gitlab.com/oauth/token"
-    GF_AUTH_GITLAB_API_URL: "https://gitlab.com/api/v4"
-    GF_AUTH_GITLAB_ALLOWED_GROUPS: "${local.grafana_gitlab_group}"
+    GF_SERVER_ROOT_URL: https://${local.grafana_domain_name}
+    GF_USERS_ALLOW_SIGN_UP: false
 
   persistence:
     enabled: false
-
   sidecar:
     datasources:
       enabled: true
@@ -150,7 +147,6 @@ grafana:
       logs:
         ## Dashboard for quick search application logs for loki with two datasources loki and prometheus - https://grafana.com/grafana/dashboards/12019
         url: https://grafana-dashboards.maddevs.org/common/aws-eks-base/loki-dashboard-quick-search.json
-
     k8s:
       nginx-ingress:
       ## Dashboard for nginx-ingress metrics - https://grafana.com/grafana/dashboards/9614
@@ -175,8 +171,32 @@ grafana:
             values:
               - SPOT
 VALUES
-
-  kube_prometheus_stack_alertmanager_values = <<VALUES
+  kube_prometheus_stack_grafana_gitlab_oauth_values = <<VALUES
+grafana:
+  env:
+    GF_AUTH_GITLAB_ENABLED: true
+    GF_AUTH_GITLAB_ALLOW_SIGN_UP: true
+    GF_AUTH_GITLAB_CLIENT_ID: ${local.grafana_gitlab_client_id}
+    GF_AUTH_GITLAB_CLIENT_SECRET: ${local.grafana_gitlab_client_secret}
+    GF_AUTH_GITLAB_SCOPES: read_api
+    GF_AUTH_GITLAB_AUTH_URL: https://gitlab.com/oauth/authorize
+    GF_AUTH_GITLAB_TOKEN_URL: https://gitlab.com/oauth/token
+    GF_AUTH_GITLAB_API_URL: https://gitlab.com/api/v4
+    GF_AUTH_GITLAB_ALLOWED_GROUPS: ${local.grafana_gitlab_group}
+VALUES
+  kube_prometheus_stack_grafana_github_oauth_values = <<VALUES
+    GF_AUTH_GITHUB_ENABLED: true
+    GF_AUTH_GITHUB_ALLOW_SIGN_UP: true
+    GF_AUTH_GITHUB_CLIENT_ID: ${local.grafana_github_client_id}
+    GF_AUTH_GITHUB_CLIENT_SECRET: ${local.grafana_github_client_secret}
+    GF_AUTH_GITHUB_SCOPES: user:email,read:org
+    GF_AUTH_GITHUB_AUTH_URL: https://github.com/login/oauth/authorize
+    GF_AUTH_GITHUB_TOKEN_URL: https://github.com/login/oauth/access_token
+    GF_AUTH_GITHUB_API_URL: https://api.github.com/user
+    GF_AUTH_GITHUB_TEAM_IDS: ${local.grafana_github_team_ids}
+    GF_AUTH_GITHUB_ALOWED_ORGANISATIONS: ${local.grafana_github_allowed_organizations}
+VALUES
+  kube_prometheus_stack_alertmanager_values         = <<VALUES
 # Alertmanager parameters
 alertmanager:
   enabled: false
@@ -397,11 +417,13 @@ resource "helm_release" "prometheus_operator" {
   namespace   = module.monitoring_namespace[count.index].name
   max_history = var.helm_release_history_size
 
-  values = [
+  values = compact([
     local.kube_prometheus_stack_values,
     local.kube_prometheus_stack_grafana_values,
+    local.grafana_oauth_type == "gitlab" ? local.kube_prometheus_stack_grafana_gitlab_oauth_values : null,
+    local.grafana_oauth_type == "github" ? local.kube_prometheus_stack_grafana_github_oauth_values : null,
     local.kube_prometheus_stack_alertmanager_values
-  ]
+  ])
 
 }
 
