Add LDAP to Alertmanager

This change adds an apache sidecar to the Alertmanager statefulset in order to facillitate authentication to the service. Change-Id: I6e3cfb582251ecd280644439bfbd432a1f86ede3
2020-10-06 11:16:52 +00:00 · 2020-10-06 11:16:52 +00:00 · 72f42ba091
parent 1884f2c957
commit 72f42ba091
9 changed files with 255 additions and 13 deletions
--- a/prometheus-alertmanager/Chart.yaml
+++ b/prometheus-alertmanager/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v0.20.0
 description: OpenStack-Helm Alertmanager for Prometheus
 name: prometheus-alertmanager
-version: 0.1.2
+version: 0.1.3
 home: https://prometheus.io/docs/alerting/alertmanager/
 sources:
  - https://github.com/prometheus/alertmanager
--- a/prometheus-alertmanager/templates/bin/_apache.sh.tpl
+++ b/prometheus-alertmanager/templates/bin/_apache.sh.tpl
@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -exv
+
+COMMAND="${@:-start}"
+
+function start () {
+
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/httpd/apache2/envvars
+  fi
+  # Apache gets grumpy about PID files pre-existing
+  rm -f /etc/httpd/logs/httpd.pid
+
+  if [ -f /usr/local/apache2/conf/.htpasswd ]; then
+    htpasswd -b /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
+  else
+    htpasswd -cb /usr/local/apache2/conf/.htpasswd "$ALERTMANAGER_USERNAME" "$ALERTMANAGER_PASSWORD"
+  fi
+
+  #Launch Apache on Foreground
+  exec httpd -DFOREGROUND
+}
+
+function stop () {
+  apachectl -k graceful-stop
+}
+
+$COMMAND
--- a/prometheus-alertmanager/templates/configmap-bin.yaml
+++ b/prometheus-alertmanager/templates/configmap-bin.yaml
@ -18,8 +18,10 @@ limitations under the License.
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: alertmanager-bin
+  name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
 data:
+  apache.sh: |
+{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  alertmanager.sh: |
 {{ tuple "bin/_alertmanager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  image-repo-sync.sh: |
--- a/prometheus-alertmanager/templates/configmap-etc.yaml
+++ b/prometheus-alertmanager/templates/configmap-etc.yaml
@ -16,13 +16,13 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: alertmanager-etc
+  name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
 data:
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml") | indent 2 }}
-  alert-templates.tmpl: |
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alertmanager "key" "config.yml" "format" "Secret") | indent 2 }}
 {{- if .Values.conf.alert_templates }}
-{{ .Values.conf.alert_templates | indent 4 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.alert_templates "key" "alert-templates.tmpl" "format" "Secret") | indent 2 }}
 {{- end }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}
--- a/prometheus-alertmanager/templates/ingress-alertmanager.yaml
+++ b/prometheus-alertmanager/templates/ingress-alertmanager.yaml
@ -13,6 +13,6 @@ limitations under the License.
 */}}

 {{- if and .Values.manifests.ingress .Values.network.alertmanager.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "alerts-api" -}}
+{{- $ingressOpts := dict "envAll" . "backendService" "alertmanager" "backendServiceType" "alertmanager" "backendPort" "http" -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}
--- a/prometheus-alertmanager/templates/secret-admin-user.yaml
+++ b/prometheus-alertmanager/templates/secret-admin-user.yaml
@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_admin_user }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+type: Opaque
+data:
+  ALERTMANAGER_USERNAME: {{ .Values.endpoints.alertmanager.auth.admin.username | b64enc }}
+  ALERTMANAGER_PASSWORD: {{ .Values.endpoints.alertmanager.auth.admin.password | b64enc }}
+{{- end }}
--- a/prometheus-alertmanager/templates/service.yaml
+++ b/prometheus-alertmanager/templates/service.yaml
@ -21,11 +21,11 @@ metadata:
  name: {{ tuple "alertmanager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
  ports:
-  - name: alerts-api
+  - name: http
+    port: {{ tuple "alertmanager" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    {{ if .Values.network.alertmanager.node_port.enabled }}
    nodePort: {{ .Values.network.alertmanager.node_port.port }}
    {{ end }}
-    port: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  selector:
 {{ tuple $envAll "prometheus-alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  {{ if .Values.network.alertmanager.node_port.enabled }}
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@ -70,6 +70,40 @@ spec:
            - name: alertmanager-data
              mountPath: /var/lib/alertmanager/data
      containers:
+        - name: apache-proxy
+{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/apache.sh
+            - start
+          ports:
+            - name: http
+              containerPort: 80
+          env:
+            - name: ALERTMANAGER_PORT
+              value: {{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: ALERTMANAGER_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+                  key: ALERTMANAGER_USERNAME
+            - name: ALERTMANAGER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+                  key: ALERTMANAGER_PASSWORD
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: alertmanager-bin
+              mountPath: /tmp/apache.sh
+              subPath: apache.sh
+              readOnly: true
+            - name: alertmanager-etc
+              mountPath: /usr/local/apache2/conf/httpd.conf
+              subPath: httpd.conf
+              readOnly: true
        - name: prometheus-alertmanager
 {{ tuple $envAll "prometheus-alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -104,10 +138,12 @@ spec:
              mountPath: /tmp
            - name: etc-alertmanager
              mountPath: /etc/config
+            {{- if .Values.conf.alert_templates }}
            - name: alertmanager-etc
              mountPath: /etc/alertmanager/template/alert-templates.tmpl
              subPath: alert-templates.tmpl
              readOnly: true
+            {{- end }}
            - name: alertmanager-etc
              mountPath: /etc/alertmanager/config.yml
              subPath: config.yml
@ -125,11 +161,12 @@ spec:
        - name: etc-alertmanager
          emptyDir: {}
        - name: alertmanager-etc
-          configMap:
-            name: alertmanager-etc
+          secret:
+            secretName: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-etc" | quote }}
+            defaultMode: 0444
        - name: alertmanager-bin
          configMap:
-            name: alertmanager-bin
+            name: {{ printf "%s-%s" $envAll.Release.Name "alertmanager-bin" | quote }}
            defaultMode: 0555
 {{ if $mounts_alertmanager.volumes }}{{ toYaml $mounts_alertmanager.volumes | indent 8 }}{{ end }}
 {{- if not .Values.storage.alertmanager.enabled }}
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@ -18,6 +18,7 @@
 ---
 images:
  tags:
+    apache_proxy: docker.io/httpd:2.4
    prometheus-alertmanager: docker.io/prom/alertmanager:v0.20.0
    snmpnotifier: docker.io/maxwo/snmp-notifier:v1.0.0
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
@ -49,6 +50,9 @@ pod:
        prometheus_alertmanager_perms:
          runAsUser: 0
          readOnlyRootFilesystem: true
+        apache_proxy:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
        prometheus_alertmanager:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
@ -83,6 +87,13 @@ pod:
        timeout: 30
  resources:
    enabled: false
+    apache_proxy:
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
    alertmanager:
      limits:
        memory: "1024Mi"
@ -123,6 +134,10 @@ endpoints:
  alertmanager:
    name: prometheus-alertmanager
    namespace: null
+    auth:
+      admin:
+        username: admin
+        password: changeme
    hosts:
      default: alerts-engine
      public: prometheus-alertmanager
@ -146,6 +161,24 @@ endpoints:
        public: 80
      mesh:
        default: 9094
+      http:
+        default: 80
+  ldap:
+    hosts:
+      default: ldap
+    auth:
+      admin:
+        bind: "cn=admin,dc=cluster,dc=local"
+        password: password
+    host_fqdn_override:
+      default: null
+    path:
+      default: "/ou=People,dc=cluster,dc=local"
+    scheme:
+      default: ldap
+    port:
+      ldap:
+        default: 389
  snmpnotifier:
    name: snmpnotifier
    namespace: null
@ -231,6 +264,7 @@ manifests:
  ingress: true
  job_image_repo_sync: true
  network_policy: false
+  secret_admin_user: true
  secret_ingress_tls: true
  service: true
  service_discovery: true
@ -248,6 +282,105 @@ network_policy:
      - {}

 conf:
+  httpd: |
+    ServerRoot "/usr/local/apache2"
+
+    Listen 80
+
+    LoadModule mpm_event_module modules/mod_mpm_event.so
+    LoadModule authn_file_module modules/mod_authn_file.so
+    LoadModule authn_core_module modules/mod_authn_core.so
+    LoadModule authz_host_module modules/mod_authz_host.so
+    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+    LoadModule authz_user_module modules/mod_authz_user.so
+    LoadModule authz_core_module modules/mod_authz_core.so
+    LoadModule access_compat_module modules/mod_access_compat.so
+    LoadModule auth_basic_module modules/mod_auth_basic.so
+    LoadModule ldap_module modules/mod_ldap.so
+    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+    LoadModule reqtimeout_module modules/mod_reqtimeout.so
+    LoadModule filter_module modules/mod_filter.so
+    LoadModule proxy_html_module modules/mod_proxy_html.so
+    LoadModule log_config_module modules/mod_log_config.so
+    LoadModule env_module modules/mod_env.so
+    LoadModule headers_module modules/mod_headers.so
+    LoadModule setenvif_module modules/mod_setenvif.so
+    LoadModule version_module modules/mod_version.so
+    LoadModule proxy_module modules/mod_proxy.so
+    LoadModule proxy_connect_module modules/mod_proxy_connect.so
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+    LoadModule remoteip_module modules/mod_remoteip.so
+    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+    LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+    LoadModule unixd_module modules/mod_unixd.so
+    LoadModule status_module modules/mod_status.so
+    LoadModule autoindex_module modules/mod_autoindex.so
+
+    <IfModule unixd_module>
+    User daemon
+    Group daemon
+    </IfModule>
+
+    <Directory />
+        AllowOverride none
+        Require all denied
+    </Directory>
+
+    <Files ".ht*">
+        Require all denied
+    </Files>
+
+    ErrorLog /dev/stderr
+
+    LogLevel warn
+
+    <IfModule log_config_module>
+        LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+        LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+        <IfModule logio_module>
+          LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+        </IfModule>
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout common
+        CustomLog /dev/stdout combined
+        CustomLog /dev/stdout proxy env=forwarded
+    </IfModule>
+
+    <Directory "/usr/local/apache2/cgi-bin">
+        AllowOverride None
+        Options None
+        Require all granted
+    </Directory>
+
+    <IfModule headers_module>
+        RequestHeader unset Proxy early
+    </IfModule>
+
+    <IfModule proxy_html_module>
+    Include conf/extra/proxy-html.conf
+    </IfModule>
+
+    <VirtualHost *:80>
+      RemoteIPHeader X-Original-Forwarded-For
+      <Location />
+          ProxyPass http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+          ProxyPassReverse http://localhost:{{ tuple "alertmanager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+      </Location>
+      <Proxy *>
+          AuthName "Alertmanager"
+          AuthType Basic
+          AuthBasicProvider file ldap
+          AuthUserFile /usr/local/apache2/conf/.htpasswd
+          AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
+          AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
+          AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+          Require valid-user
+      </Proxy>
+    </VirtualHost>
  command_flags:
    alertmanager:
      storage.path: /var/lib/alertmanager/data