[MAISTRA-624] Use basic HTTP auth for internal communication

Between kiali, grafana and prometheus. This way we can get rid of cluster role bindings.
maistra · Jul 30, 2019 · f36c187 · f36c187
1 parent 8729eeb
commit f36c187
Show file tree

Hide file tree

Showing 10 changed files with 57 additions and 99 deletions.
diff --git a/helm/istio/charts/grafana/templates/meshclusterrole.yaml b/helm/istio/charts/grafana/templates/meshclusterrole.yaml
diff --git a/helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml b/helm/istio/charts/grafana/templates/meshclusterrolebinding.yaml
diff --git a/helm/istio/charts/kiali/templates/kiali-cr.yaml b/helm/istio/charts/kiali/templates/kiali-cr.yaml
@@ -36,16 +36,20 @@ spec:
     grafana:
       auth:
         ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-        type: "bearer"
-        use_kiali_token: true
+        type: "basic"
+        use_kiali_token: false
+        username: "internal"
+        password: ""
       enabled: true
       in_cluster_url: "https://grafana.{{ .Release.Namespace }}.svc:3000"
       url: "{{ .Values.dashboard.grafanaURL }}"
     prometheus:
       auth:
         ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-        type: "bearer"
-        use_kiali_token: true
+        type: "basic"
+        use_kiali_token: false
+        username: "internal"
+        password: ""
       url: "https://prometheus.{{ .Release.Namespace }}.svc:9090"
     tracing:
       auth:

diff --git a/helm/istio/charts/prometheus/templates/meshclusterrole.yaml b/helm/istio/charts/prometheus/templates/meshclusterrole.yaml
diff --git a/helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml b/helm/istio/charts/prometheus/templates/meshclusterrolebindings.yaml
diff --git a/...prometheus/templates/htpasswd-secret.yaml → helm/istio/templates/htpasswd-secret.yaml b/...prometheus/templates/htpasswd-secret.yaml → helm/istio/templates/htpasswd-secret.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 data:
   auth: ""
+  rawPassword: ""
 kind: Secret
 metadata:
-  name: prometheus-htpasswd
+  name: htpasswd
   namespace: {{ .Release.Namespace }}
   labels:
-    app: prometheus
-    chart: {{ template "prometheus.chart" . }}
+    app: istio
+    chart: {{ template "istio.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 type: Opaque
diff --git a/pkg/controller/servicemesh/controlplane/hooks.go b/pkg/controller/servicemesh/controlplane/hooks.go
@@ -54,8 +54,8 @@ func (r *ControlPlaneReconciler) preprocessObject(object *unstructured.Unstructu
 			return r.patchGrafanaConfig(object)
 		}
 	case "Secret":
-		if object.GetName() == "prometheus-htpasswd" {
-			return r.patchPrometheusHtpasswd(object)
+		if object.GetName() == "htpasswd" {
+			return r.patchHtpasswdSecret(object)
 		}
 	}
 	return nil
@@ -170,6 +170,19 @@ func (r *ControlPlaneReconciler) patchKialiConfig(object *unstructured.Unstructu
 		return fmt.Errorf("could not set grafana enabled flag in kiali CR: %s", err)
 	}
 
+	rawPassword, err := r.getRawHtPasswd(object)
+	if err != nil {
+		return err
+	}
+	err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "grafana", "auth", "password")
+	if err != nil {
+		return fmt.Errorf("could not set grafana password in kiali CR: %s", err)
+	}
+	err = unstructured.SetNestedField(object.UnstructuredContent(), rawPassword, "spec", "external_services", "prometheus", "auth", "password")
+	if err != nil {
+		return fmt.Errorf("could not set prometheus password in kiali CR: %s", err)
+	}
+
 	return nil
 }
 

diff --git a/...oller/servicemesh/controlplane/grafana.go → ...ller/servicemesh/controlplane/htpasswd.go b/...oller/servicemesh/controlplane/grafana.go → ...ller/servicemesh/controlplane/htpasswd.go
@@ -14,20 +14,20 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Unstructured) error {
+func (r *ControlPlaneReconciler) patchHtpasswdSecret(object *unstructured.Unstructured) error {
 	var rawPassword, auth string
 
 	htSecret := &corev1.Secret{}
-	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret)
+	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret)
 	if err == nil {
 		rawPassword = string(htSecret.Data["rawPassword"])
 		auth = string(htSecret.Data["auth"])
 	} else {
-		r.Log.Info("Creating Prometheus HTPasswd entry", object.GetKind(), object.GetName())
+		r.Log.Info("Creating HTPasswd entry", object.GetKind(), object.GetName())
 
 		rawPassword, err = generatePassword(255)
 		if err != nil {
-			r.Log.Error(err, "failed to generate the Prometheus password")
+			r.Log.Error(err, "failed to generate the HTPasswd password")
 			return err
 		}
 		h := sha1.New()
@@ -41,19 +41,30 @@ func (r *ControlPlaneReconciler) patchPrometheusHtpasswd(object *unstructured.Un
 	// We store the raw password in order to be able to retrieve it below, when patching Grafana ConfigMap
 	err = unstructured.SetNestedField(object.UnstructuredContent(), b64Password, "data", "rawPassword")
 	if err != nil {
-		r.Log.Error(err, "failed to set prometheus raw password")
+		r.Log.Error(err, "failed to set htpasswd raw password")
 		return err
 	}
 
 	err = unstructured.SetNestedField(object.UnstructuredContent(), b64Auth, "data", "auth")
 	if err != nil {
-		r.Log.Error(err, "failed to set prometheus htpasswd entry")
+		r.Log.Error(err, "failed to set htpasswd auth entry")
 		return err
 	}
 
 	return nil
 }
 
+func (r *ControlPlaneReconciler) getRawHtPasswd(object *unstructured.Unstructured) (string, error) {
+	htSecret := &corev1.Secret{}
+	err := r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "htpasswd"}, htSecret)
+	if err != nil {
+		r.Log.Error(err, "error retrieving htpasswd Secret")
+		return "", err
+	}
+
+	return string(htSecret.Data["rawPassword"]), nil
+}
+
 func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstructured) error {
 	dsYaml, found, err := unstructured.NestedString(object.UnstructuredContent(), "data", "datasources.yaml")
 	if err != nil || !found {
@@ -63,14 +74,10 @@ func (r *ControlPlaneReconciler) patchGrafanaConfig(object *unstructured.Unstruc
 
 	r.Log.Info("patching Grafana-Prometheus link", object.GetKind(), object.GetName())
 
-	// Retrieve the raw password created when processing Prometheus charts
-	htSecret := &corev1.Secret{}
-	err = r.Client.Get(context.TODO(), client.ObjectKey{Namespace: object.GetNamespace(), Name: "prometheus-htpasswd"}, htSecret)
+	rawPassword, err := r.getRawHtPasswd(object)
 	if err != nil {
-		r.Log.Error(err, "error retrieving prometheus-htpasswd Secret")
 		return err
 	}
-	rawPassword := string(htSecret.Data["rawPassword"])
 
 	var re = regexp.MustCompile("(?s)(basicAuthPassword:).*?\n")
 	dsYaml = re.ReplaceAllString(dsYaml, fmt.Sprintf("${1} %s\n", rawPassword))

diff --git a/tmp/build/patch-grafana.sh b/tmp/build/patch-grafana.sh
@@ -28,15 +28,17 @@ function grafana_patch_deployment() {
           volumeMounts:\
           - mountPath: /etc/tls/private\
             name: secret-grafana-tls\
+          - mountPath: /etc/proxy/htpasswd\
+            name: secret-htpasswd\
           args:\
           - -provider=openshift\
           - -https-address=:3001\
           - -http-address=\
           - -email-domain=*\
           - -upstream=http://localhost:3000\
+          - -htpasswd-file=/etc/proxy/htpasswd/auth\
+          - -display-htpasswd-form=false\
           - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\
-          - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\
-          - -skip-auth-regex=^/metrics\
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\
           - -openshift-service-account=grafana\
           - -cookie-secret=SECRET\
@@ -49,7 +51,11 @@ function grafana_patch_deployment() {
       - name: secret-grafana-tls\
         secret:\
           defaultMode: 420\
-          secretName: grafana-tls' \
+          secretName: grafana-tls\
+      - name: secret-htpasswd\
+        secret:\
+          defaultMode: 420\
+          secretName: htpasswd' \
       -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: grafana\
 \1containers:\2/' \
       -e '/- if \.Values\.security\.enabled/,/- end/ { d }' \

diff --git a/tmp/build/patch-prometheus.sh b/tmp/build/patch-prometheus.sh
@@ -24,7 +24,7 @@ function prometheus_patch_deployment() {
           - mountPath: /etc/tls/private\
             name: secret-prometheus-tls\
           - mountPath: /etc/proxy/htpasswd\
-            name: secret-prometheus-htpasswd\
+            name: secret-htpasswd\
           args:\
           - -provider=openshift\
           - -https-address=:3001\
@@ -34,8 +34,6 @@ function prometheus_patch_deployment() {
           - -htpasswd-file=/etc/proxy/htpasswd/auth\
           - -display-htpasswd-form=false\
           - '\''-openshift-sar={"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}'\''\
-          - '\''-openshift-delegate-urls={"/":{"namespace": "{{ .Release.Namespace }}", "resource": "pods", "verb": "get"}}'\''\
-          - -skip-auth-regex=^/metrics\
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token\
           - -openshift-service-account=prometheus\
           - -cookie-secret=SECRET\
@@ -49,10 +47,10 @@ function prometheus_patch_deployment() {
         secret:\
           defaultMode: 420\
           secretName: prometheus-tls\
-      - name: secret-prometheus-htpasswd\
+      - name: secret-htpasswd\
         secret:\
           defaultMode: 420\
-          secretName: prometheus-htpasswd' \
+          secretName: htpasswd' \
       -e 's/^\(.*\)containers:\(.*\)$/\1serviceAccountName: prometheus\
 \1containers:\2/' \
   ${HELM_DIR}/istio/charts/prometheus/templates/deployment.yaml