一. grafana高可用
1. 迁移之前的 grafana
sqlitedump.sh
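#!/bin/bash
# Dump the rows of a Grafana SQLite database as MySQL-loadable SQL on stdout.
#
# Usage: sqlitedump.sh /path/to/grafana.db > grafana.sql
#
# The output is one "TRUNCATE TABLE" per table followed by INSERT statements
# for every row. It contains no CREATE TABLE statements, and the
# migration_log table is skipped.
if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  echo "usage: $0 /path/to/grafana.db" >&2
  exit 1
fi
DB=$1

# ".tables" prints several names per line; the sed expression puts each name
# on its own line. The path is quoted so names with spaces or glob characters
# are passed to sqlite3 as one argument.
TABLES=$(sqlite3 "$DB" .tables | sed -r 's/(\S+)\s+(\S)/\1\n\2/g' | grep -v migration_log)

# Empty the target tables first so the import can be repeated.
for t in $TABLES; do
  echo "TRUNCATE TABLE $t;"
done

# Feed sqlite3 a ".mode insert <table>" plus a SELECT for each table, which
# makes it print the rows as INSERT statements.
# printf is used instead of "echo -e": the "-e" flag is not portable and is
# printed literally when the script is started with a POSIX sh.
for t in $TABLES; do
  printf '.mode insert %s\nselect * from %s;\n' "$t" "$t"
done | sqlite3 "$DB"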
将grafana.db 转为mysql的sql文件
- 找到 grafana 的 grafana.db,得到sql文件,source到mysql上即可
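# Run the script under bash (it relies on bash behaviour) and use its real
# file name; the result is the SQL file to load into MySQL.
bash sqlitedump.sh grafana.db > grafana.sql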
2. 部署
- 将数据存储到 mysql 中
1) mysql
- grafana 会自己初始化库表,前提是数据库需要事先创建出来
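# Persistent storage for the MySQL data directory.
# PersistentVolumeClaim belongs to the core "v1" API; "apps/v1" has no such
# kind and the API server rejects the manifest.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql
  namespace: monitor
spec:
  storageClassName: monitor-nfs-storage
  # NOTE(review): ReadWriteMany lets several pods mount the same data
  # directory; a single mysqld must be the only writer. Confirm this mode is
  # really required by the storage class.
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi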
#apiVersion: v1
#kind: ConfigMap
#metadata:
# name: my.cnf
# namespace: monitor
#data:
# my.cnf: |
# [mysqld]
# port=3306
#---
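---
# Single-instance MySQL that backs Grafana.
# Prerequisite: the root password lives in a Secret, not in this manifest:
#   kubectl -n monitor create secret generic mysql-root-password \
#     --from-literal=password='<MYSQL_ROOT_PASSWORD>'
# NOTE(review): MySQL 5.7 is past its upstream end of life; plan an upgrade.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  # Stop the old pod before starting a new one so two mysqld processes never
  # open the same data directory during a rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
        - image: mysql:5.7
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              # A literal "value:" here is readable by anyone who can view the
              # Deployment or this file; reference the Secret instead.
              valueFrom:
                secretKeyRef:
                  name: mysql-root-password
                  key: password
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: mysqlvolume
              mountPath: /var/lib/mysql
            # - name: mysql-conf
            #   mountPath: /etc/mysql/my.cnf
            #   subPath: my.cnf
      volumes:
        - name: mysqlvolume
          persistentVolumeClaim:
            claimName: mysql
        # - name: mysql-conf
        #   configMap:
        #     name: my.cnf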
---
# Cluster-internal endpoint for MySQL; clients in the cluster reach it on
# port 3306 of the "mysql" Service in the "monitor" namespace.
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: monitor
  labels:
    app: mysql
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 3306
      targetPort: 3306
  selector:
    app: mysql
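# Open a client session against the "mysql" Service; -p prompts for the
# password so it does not end up in the shell history.
mysql -h mysql -p
create database grafana;
use grafana;
# Use a password of your own here and keep it out of version control.
CREATE USER 'grafana'@'%' IDENTIFIED BY '<GRAFANA_DB_PASSWORD>';
# Least privilege: the Grafana account only needs its own schema. Granting
# on *.* would hand it every database on the server.
GRANT ALL PRIVILEGES ON grafana.* TO 'grafana'@'%';
# Import the data.
# NOTE(review): the dump produced by sqlitedump.sh only contains TRUNCATE and
# INSERT statements, so the tables presumably have to exist already (Grafana
# creates them on its first start against this database) - verify the order.
source /grafana.sql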
2) grafana
- 配置文件需要改为如下的,其他的配置自行添加上去,这里只是mysql的配置
# Volume claim mounted by the Grafana pods at /var/lib/grafana.
# ReadWriteMany is requested because the Deployment runs two replicas that
# share this claim.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana
  namespace: monitor
  # annotations:
  #   volume.beta.kubernetes.io/storage-class: "nfs"
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
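---
# grafana.ini for the Grafana pods: MySQL as the shared database so several
# replicas can run side by side.
#
# Security notes:
# - A ConfigMap is not a secret store: everyone who can read ConfigMaps in
#   this namespace sees the database password. Prefer supplying it through
#   the GF_DATABASE_PASSWORD environment variable sourced from a Secret
#   (Grafana lets GF_<SECTION>_<KEY> variables override grafana.ini).
# - The log level is "info"; "debug" is for troubleshooting only because it
#   is far more verbose about requests and configuration.
# - NOTE(review): [auth.ldap] is enabled here although this section of the
#   guide mounts no /etc/grafana/ldap.toml; confirm that is intended.
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: monitor
data:
  grafana.ini: |
    [database]
    type = mysql
    # The MySQL Service above lives in the "monitor" namespace.
    host = mysql.monitor.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = <GRAFANA_DB_PASSWORD>

    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml

    [log]
    level = info
---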
# Routes grafana-panel.yee.com to port 3000 of the "grafana" Service; TLS is
# served with the certificate stored in the Secret "2022-yee.com".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitor
spec:
  tls:
    - secretName: 2022-yee.com
      hosts:
        - grafana-panel.yee.com
  rules:
    - host: grafana-panel.yee.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
---
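# Two Grafana replicas sharing the MySQL database and the "grafana" volume.
#
# Prerequisite: credentials come from a Secret instead of literal values.
# The Secret and key names below are examples; adjust them to your own:
#   kubectl -n monitor create secret generic grafana-credentials \
#     --from-literal=admin-password='<GRAFANA_ADMIN_PASSWORD>' \
#     --from-literal=database-password='<GRAFANA_DB_PASSWORD>'
# NOTE(review): 8.5.0 is an old Grafana release; check the vendor's security
# advisories and move to a maintained version.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitor
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        # NOTE(review): this runs Grafana as root. Kept as in the original;
        # if the volume's ownership allows it, run the image as its
        # non-root user instead.
        runAsUser: 0
      containers:
        - name: grafana
          image: harbor.yee.com:8443/library/grafana:8.5.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: grafana
          env:
            - name: GF_SECURITY_ADMIN_USER
              value: admin
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-credentials
                  key: admin-password
            # Overrides "password" in the [database] section of grafana.ini,
            # so the database password does not have to sit in the ConfigMap.
            - name: GF_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-credentials
                  key: database-password
          readinessProbe:
            failureThreshold: 10
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2
              memory: 2Gi
            requests:
              cpu: 150m
              memory: 512Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: storage
            # subPath mounts only the single file, leaving the rest of
            # /etc/grafana from the image untouched.
            - mountPath: /etc/grafana/grafana.ini
              subPath: grafana.ini
              name: config
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana
        - name: config
          configMap:
            name: grafana-config
---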
# Cluster-internal Service in front of the Grafana pods (port 3000); the
# Ingress sends its traffic here.
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitor
spec:
  type: ClusterIP
  selector:
    app: grafana
  ports:
    - port: 3000
3. LDAP
grafana 加入域后可以使用域账号登录,这需要配置 LDAP。LDAP 是一种通讯协议,如同 HTTP 是一种协议一样。
- 域控的 DN,在 LDAP 目录中由以下部分组成:
- DC (Domain Component)
- CN (Common Name)
- OU (Organizational Unit)
- LDAP 目录类似于文件系统目录。例如目录 DC=redmond,DC=wa,DC=microsoft,DC=com,如果类比文件系统,可被看作如下文件路径: Com\Microsoft\Wa\Redmond
- 例如:cn=test 可能代表一个用户名, ou=developer 代表一个active directory中的 组织单位。这句话的含义可能就是说明test这个对象处在domainname. com域的developer组织单元中
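# grafana.ini with MySQL as the database and LDAP login switched on.
#
# Security notes:
# - A ConfigMap is not a secret store: everyone who can read ConfigMaps in
#   this namespace sees the database password. Prefer supplying it through
#   the GF_DATABASE_PASSWORD environment variable sourced from a Secret
#   (Grafana lets GF_<SECTION>_<KEY> variables override grafana.ini).
# - NOTE(review): the MySQL Service shown earlier in this guide is in the
#   "monitor" namespace while the host below points at "prometheus";
#   confirm where MySQL actually runs.
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: prometheus
data:
  grafana.ini: |
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = <GRAFANA_DB_PASSWORD>

    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml

    [log]
    level = info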
---
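# ldap.toml consumed by Grafana's [auth.ldap] section.
#
# Security notes:
# - With use_ssl = false and start_tls = false on port 389, the bind
#   password and every user's login password cross the network unencrypted.
#   If the directory supports it, set start_tls = true (port 389) or
#   use_ssl = true (port 636) and keep ssl_skip_verify = false.
# - The bind password should not be stored in a ConfigMap. Grafana can
#   interpolate environment variables in this file, for example
#   bind_password = "${LDAP_BIND_PASSWORD}", with the variable sourced from
#   a Secret in the Deployment (the variable name is an example).
# - The bind account only needs read access to search for users.
# - The wildcard mapping at the end had its [[servers.group_mappings]]
#   header commented out while its keys were still active; those keys then
#   fall into the preceding "Editor" mapping and repeat keys it already
#   defines, which is invalid TOML. They are commented out here; uncomment
#   all three lines together to give every LDAP user the Viewer role.
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-ldap
  namespace: prometheus
data:
  ldap.toml: |
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    # [log]
    # filters = ldap:debug

    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "192.168.1.250"
    # Default port is 389 or 636 if use_ssl = true
    port = 389
    # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
    use_ssl = false
    # If set to true, use LDAP with STARTTLS instead of LDAPS
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    # root_ca_cert = "/path/to/certificate.crt"
    # Authentication against LDAP servers requiring client certificates
    # client_cert = "/path/to/client.crt"
    # client_key = "/path/to/client.key"

    # Search user bind dn
    #bind_dn = "CN=xingguang,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    bind_dn = "ooo" # adjust to your own environment
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = '<LDAP_BIND_PASSWORD>'

    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(name=*))"
    search_filter = "(sAMAccountName=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(sAMAccountName={login}))"

    # An array of base dns to search through
    search_base_dns = ["OU=ooo,DC=sdrad,DC=com"]

    ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
    ## Please check grafana LDAP docs for examples
    # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
    # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
    # group_search_filter_user_attribute = "uid"

    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "displayName"
    #surname = "sn"
    #username = "username"
    username = "sAMAccountName"
    #member_of = "memberOf"
    email = "mail"

    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Admin"
    # To make user an instance admin (Grafana Admin) uncomment line below
    grafana_admin = true
    # The Grafana organization database id, optional, if left out the default org (id 1) will be used
    #org_id = 1

    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Editor"
    #org_id = 2

    #[[servers.group_mappings]]
    ## If you want to match all (or no ldap groups) then you can use wildcard
    #group_dn = "*"
    #org_role = "Viewer"
    #org_id = 3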
---
# Routes grafana-test.yee.net.cn to port 3000 of the "grafana" Service; TLS
# is served with the certificate stored in the Secret "yee.net.cn".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
spec:
  tls:
    - secretName: yee.net.cn
      hosts:
        - grafana-test.yee.net.cn
  rules:
    - host: grafana-test.yee.net.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
---
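# Grafana with LDAP login: same Deployment as before plus the ldap.toml
# mount, scheduled only on nodes labelled ldap=true.
#
# Prerequisite: credentials come from a Secret instead of literal values.
# The Secret and key names below are examples; adjust them to your own:
#   kubectl -n prometheus create secret generic grafana-credentials \
#     --from-literal=admin-password='<GRAFANA_ADMIN_PASSWORD>' \
#     --from-literal=database-password='<GRAFANA_DB_PASSWORD>'
# NOTE(review): 8.5.0 is an old Grafana release; check the vendor's security
# advisories and move to a maintained version.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: prometheus
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      nodeSelector:
        ldap: "true"
      securityContext:
        # NOTE(review): this runs Grafana as root. Kept as in the original;
        # if the volume's ownership allows it, run the image as its
        # non-root user instead.
        runAsUser: 0
      containers:
        - name: grafana
          image: harbor.yee.net.cn/library/grafana:8.5.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: grafana
          env:
            - name: GF_SECURITY_ADMIN_USER
              value: admin
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-credentials
                  key: admin-password
            # Overrides "password" in the [database] section of grafana.ini,
            # so the database password does not have to sit in the ConfigMap.
            - name: GF_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-credentials
                  key: database-password
          readinessProbe:
            failureThreshold: 10
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2
              memory: 2Gi
            requests:
              cpu: 150m
              memory: 512Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: storage
            # subPath mounts only the single file, leaving the rest of
            # /etc/grafana from the image untouched.
            - mountPath: /etc/grafana/grafana.ini
              subPath: grafana.ini
              name: config
            - mountPath: /etc/grafana/ldap.toml
              subPath: ldap.toml
              name: ldap
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana
        - name: config
          configMap:
            name: grafana-config
        - name: ldap
          configMap:
            name: grafana-ldap
---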
# Cluster-internal Service in front of the Grafana pods (port 3000); the
# Ingress sends its traffic here.
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: prometheus
spec:
  type: ClusterIP
  selector:
    app: grafana
  ports:
    - port: 3000
同样 Deployment 需要加一些配置
# Excerpt of the Grafana Deployment: the parts that make ldap.toml available.
# "volumeMounts" belongs to the grafana container.
volumeMounts:
  - name: storage
    mountPath: /var/lib/grafana
  - name: config
    mountPath: /etc/grafana/grafana.ini
    subPath: grafana.ini
  # The path matches config_file in the [auth.ldap] section of grafana.ini.
  - name: ldap
    mountPath: /etc/grafana/ldap.toml
    subPath: ldap.toml
# "volumes" belongs to the pod spec, next to "containers".
volumes:
  - name: storage
    persistentVolumeClaim:
      claimName: grafana
  - name: config
    configMap:
      name: grafana-config
  - name: ldap
    configMap:
      name: grafana-ldap