LDAP configuration not picked up by grafana.ini during Helm chart install
I have installed the kube-prometheus-stack-9.4.5 operator using Helm, mostly with the default settings, passing a custom values.yaml for the Grafana URL and the LDAP configuration. When I exec into the Grafana container I can access the Grafana dashboard and see the configuration in grafana.ini. I then added the LDAP settings shown below to the YAML file and noticed that none of the LDAP information was updated in the grafana.ini file. The container sets the admin.ldap flag to true in grafana.ini, but the LDAP configuration is not visible in the secret or in /etc/grafana/ldap.toml. /etc/grafana/ldap.toml has the default LDAP settings and none of the custom values specified in values.yaml.
grafana:
  enabled: true
  namespaceOverride: ""
  rbac:
    pspUseAppArmor: false
  grafana.ini:
    server:
      domain: sandboxgrmysite.com
      #root_url: "%(protocol)s://%(domain)s/"
      root_url: https://sandboxgrmysite.com/grafana/
      serve_from_sub_path: true
    auth.ldap:
      enabled: true
      allow_sign_up: true
  envFromSecret: "grafana-ldap-cred"
  ldap:
    enabled: true
    existingSecret: ""
    config: |-
      verbose_logging = true
      [[servers]]
      host = "my.ldap.server.com"
      port = 636
      use_ssl = true
      root_ca_cert = "/home/myid/CA_Cert.pem"
      start_tls = false
      ssl_skip_verify = false
      bind_dn = "uid=ldapbind,ou=Users,dc=com"
      bind_password = "${LDAP_BIND_PASSWORD}"
      search_filter = "(uid=%s)"
      search_base_dns = ["dc=com"]
      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "cn"
      email = "mail"
      group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%s))"
      ## An array of the base DNs to search through for groups. Typically uses ou=groups
      group_search_base_dns = ["ou=groups,dc=Global,dc=com"]
      ## the %s in the search filter will be replaced with the attribute defined below
      group_search_filter_user_attribute = "uid"
      [[servers.group_mappings]]
      group_dn = "cn=admin_ldap,ou=Users,dc=com"
      org_role = "Admin"
      grafana_admin = true
      [[servers.group_mappings]]
      group_dn = "*"
      org_role = "Viewer"
I looked at the post and compared the configurations, but still no luck. Any clue what is missing here?
Spent some time going through the Helm templates and other configs to understand what was missing, and was able to get it working with the following configuration in custom-values.yaml for the Grafana created by the operator.
Pay special attention to the indentation, since that caused some issues when I tried to copy-n-paste from the Grafana chart's values.yaml.
grafana:
  enabled: true
  namespaceOverride: ""
  rbac:
    pspUseAppArmor: false
  grafana.ini:
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    log:
      mode: console
      #level: debug
      # to enable debug level for ldap calls only
      #filters: ldap:debug
    server:
      domain: sbgrafana.mysite.com
      #root_url: "%(protocol)s://%(domain)s/"
      root_url: https://sbgrafana.mysite.com/grafana/
      serve_from_sub_path: true
    auth.ldap:
      enabled: true
      allow_sign_up: true
      config_file: /etc/grafana/ldap.toml
  ldap:
    enabled: true
    # `existingSecret` is a reference to an existing secret containing the ldap configuration
    # for Grafana in a key `ldap-toml`.
    existingSecret: ""
    # `config` is the content of `ldap.toml` that will be stored in the created secret
    config: |-
      verbose_logging = true
      [[servers]]
      host = "my.ldap.com"
      # Default port is 389 or 636 if use_ssl = true
      # port = 389
      # use_ssl = false
      port = 636
      use_ssl = true
      # CA cert is mapped as certs-configmap in extraConfigmapMounts section below -- path in Grafana container
      root_ca_cert = "/etc/grafana/ssl/CACert.pem"
      start_tls = false
      ssl_skip_verify = false
      bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
      bind_password = "${LDAP_BIND_PASSWORD}"
      search_filter = "(uid=%s)"
      group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%s))"
      group_search_base_dns = ["uid=%s,ou=users,dc=myorg,dc=com"]
      group_search_filter_user_attribute = "uid"
      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "cn"
      email = "mail"
      [[servers.group_mappings]]
      group_dn = "cn=admins,dc=grafana,dc=org"
      org_role = "Admin"
      [[servers.group_mappings]]
      group_dn = "cn=users,dc=grafana,dc=org"
      org_role = "Editor"
      [[servers.group_mappings]]
      group_dn = "*"
      org_role = "Viewer"
  extraConfigmapMounts:
    - name: certs-configmap
      mountPath: /etc/grafana/ssl/
      configMap: certs-configmap
      readOnly: true
The step to create the configmap for the LDAP SSL/HTTPS communication mentioned above. At least I could not find clear information on it, so adding it here for others.
kubectl -n monitoring create configmap certs-configmap --from-file=my-ca-cert.pem
Create a custom secret in the monitoring namespace with the key LDAP_BIND_PASSWORD and the LDAP bind password as its value. Now we no longer need to keep it in plain text in the custom values.yaml file.
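As an added example (not part of the question or the answer above), here is a small Python linter for the `ldap.config` block before the chart stores it in the secret. It checks the trap visible in the question's config: in TOML, every key that follows a `[servers.attributes]` header belongs to that sub-table, so `group_search_*` keys placed there are not server-level settings and are silently ignored, which is why the answer moves them above the header. It also flags unbalanced LDAP filters, `ssl_skip_verify`, a literal bind password, and a wildcard Admin mapping. The sample TOML is constructed; it assumes Python 3.11 (`tomllib`) or the `tomli` package.

```python
try:
    import tomllib
except ModuleNotFoundError:  # Python < 3.11
    import tomli as tomllib  # type: ignore

# Constructed sample with the question's key order: group_search_* keys placed
# after the [servers.attributes] header become part of that sub-table.
BROKEN = """
[[servers]]
host = "ldap.example.invalid"
use_ssl = true
ssl_skip_verify = true
bind_dn = "uid=ldapbind,ou=Users,dc=example,dc=invalid"
bind_password = "hunter2"
search_filter = "(uid=%s)"
[servers.attributes]
username = "cn"
group_search_filter = "(&(objectClass=groupOfUniqueNames)uniquemember=%s))"
group_search_base_dns = ["ou=groups,dc=example,dc=invalid"]
[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
"""

def balanced(filt: str) -> bool:
    # True when the parentheses of an LDAP filter nest correctly.
    depth = 0
    for ch in filt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def lint_ldap_toml(text: str) -> list[str]:
    # Return human-readable findings; an empty list means nothing was flagged.
    findings = []
    for i, srv in enumerate(tomllib.loads(text).get("servers", [])):
        tag = f"servers[{i}]"
        for scope, table in (("", srv), ("attributes.", srv.get("attributes", {}))):
            for key, val in table.items():
                if scope and key.startswith("group_search"):
                    findings.append(f"{tag}: {scope}{key} is nested under [servers.attributes]; move it above that header")
                if key.endswith("search_filter") and not balanced(val):
                    findings.append(f"{tag}: {scope}{key} has unbalanced parentheses")
        if srv.get("ssl_skip_verify"):
            findings.append(f"{tag}: ssl_skip_verify=true disables CA validation of the LDAP server")
        pw = srv.get("bind_password", "")
        if pw and not pw.startswith("${"):
            findings.append(f"{tag}: bind_password is a literal; reference the secret as ${{LDAP_BIND_PASSWORD}}")
        for m in srv.get("group_mappings", []):
            if m.get("group_dn") == "*" and m.get("org_role") == "Admin":
                findings.append(f"{tag}: wildcard group_dn grants Admin to every LDAP user")
    return findings
```

Run it on the rendered `ldap-toml` key of the chart's secret before (or after) `helm upgrade`; an empty list is the expected result for a config laid out like the answer's.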