Grafana高可用-LDAP

一. grafana高可用

1. 迁移之前的 grafana

sqlitedump.sh

sh 复制代码
#!/bin/bash
DB=$1
TABLES=$(sqlite3 $DB .tables | sed -r 's/(\S+)\s+(\S)/\1\n\2/g' | grep -v migration_log)
for t in $TABLES; do
	echo "TRUNCATE TABLE $t;"
done
for t in $TABLES; do
	echo -e ".mode insert $t\nselect * from $t;"
done | sqlite3 $DB

将grafana.db 转为mysql的sql文件

  • 找到 grafana 的 grafana.db,得到sql文件,source到mysql上即可
sh 复制代码
sh sqlitedump grafana.db >grafana.sql

2. 部署

  • 将数据存储到 mysql

1) mysql

  • grafna会自己初始化库,前提是需要创建出来
yaml 复制代码
apiVersion: apps/v1
kind: PersistentVolumeClaim
metadata:
  name: mysql
  namespace: monitor
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
yaml 复制代码
#apiVersion: v1
#kind: ConfigMap
#metadata:
#  name: my.cnf
#  namespace: monitor
#data:
#  my.cnf: |
#    [mysqld]
#    port=3306
#---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.7
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: Man10f&3^H_98est$
          #valueFrom:
          #  secretKeyRef:
          #    name: mysql-root-password
          #    key: password
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysqlvolume
          mountPath: /var/lib/mysql
      #  - name: mysql-conf
      #    mountPath: /etc/mysql/my.cnf
      #    subPath: my.cnf
      volumes:
      - name: mysqlvolume
        persistentVolumeClaim:
          claimName: mysql
      #- name: mysql-conf
      #  configMap:
      #    name: my.cnf
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    app: mysql
  type: ClusterIP
  ports:
  - port: 3306
    protocol: TCP
    targetPort: 3306
sh 复制代码
mysql -h mysql -p
create database grafana;
use grafana;
CREATE USER 'grafana'@'%' IDENTIFIED BY 'Man10f&3^H_98est$';
GRANT all on *.* TO 'grafana'@'%';
# 导入数据
source /grafana.sql

2). grafna

  • 配置文件需要改为如下的,其他的配置自行添加上去,这里只是mysql的配置
yaml 复制代码
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana
  namespace: monitor
  #annotations:
    #volume.beta.kubernetes.io/storage-class: "nfs"
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
yaml 复制代码
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: monitor
data:
  grafana.ini: | 
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = debug

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitor
spec:
  rules:
  - host: grafana-panel.yee.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: grafana
            port:
              number: 3000
  tls:
  - hosts:
    - grafana-panel.yee.com
    secretName: 2022-yee.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitor
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        runAsUser: 0
      containers:
      - name: grafana
        image: harbor.yee.com:8443/library/grafana:8.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
          name: grafana
        env:
        - name: GF_SECURITY_ADMIN_USER
          value: admin
        - name: GF_SECURITY_ADMIN_PASSWORD
          value: Manifest%0304
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2
            memory: 2Gi
          requests:
            cpu: 150m
            memory: 512Mi
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config

---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitor
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana

3. LDAP

  • grafana 使用加域,使用域账号登录,需要配置LDAP,LDAP是一种通讯协议,如同HTTP是一种协议一样的,
  • 域控的dn, 在 LDAP 目录中:
    • DC (Domain Component)
    • CN (Common Name)
    • OU (Organizational Unit)
  • An LDAP 目录类似于文件系统目录. 下列目录: DC=redmond,DC=wa,DC=microsoft,DC=com ,如果我们类比文件系统的话,可被看作如下文件路径: Com\Microsoft\Wa\Redmond
  • 例如:cn=test 可能代表一个用户名, ou=developer 代表一个active directory中的 组织单位。这句话的含义可能就是说明test这个对象处在domainname. com域的developer组织单元中
yaml 复制代码
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: prometheus
data:
  grafana.ini: | 
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = info
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-ldap
  namespace: prometheus
data:
  ldap.toml: |
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    # [log]
    # filters = ldap:debug
    
    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "192.168.1.250"
    # Default port is 389 or 636 if use_ssl = true
    port = 389
    # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
    use_ssl = false
    # If set to true, use LDAP with STARTTLS instead of LDAPS
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    # root_ca_cert = "/path/to/certificate.crt"
    # Authentication against LDAP servers requiring client certificates
    # client_cert = "/path/to/client.crt"
    # client_key = "/path/to/client.key"
    
    # Search user bind dn
    #bind_dn = "CN=xingguang,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    bind_dn = "ooo"		# 根据自己的写
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = 'dfs@52%2(89!ykWc'
    
    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(name=*))"
    search_filter = "(sAMAccountName=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(sAMAccountName={login}))"
    
    # An array of base dns to search through
    search_base_dns = ["OU=ooo,DC=sdrad,DC=com"]
    
    ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
    ## Please check grafana LDAP docs for examples
    # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
    # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
    # group_search_filter_user_attribute = "uid"
    
    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "displayName"
    #surname = "sn"
    #username = "username"
    username = "sAMAccountName"
    #member_of = "memberOf"
    email =  "mail"
    
    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Admin"
    # To make user an instance admin  (Grafana Admin) uncomment line below
    grafana_admin = true
    # The Grafana organization database id, optional, if left out the default org (id 1) will be used
    #org_id = 1
    
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Editor"
    #org_id = 2
    #
    [[servers.group_mappings]]
    ## If you want to match all (or no ldap groups) then you can use wildcard
    group_dn = "*"
    org_role = "Viewer"
    #org_id = 3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
spec:
  rules:
  - host: grafana-test.yee.net.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: grafana
            port:
              number: 3000
  tls:
  - hosts:
    - grafana-test.yee.net.cn
    secretName: yee.net.cn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: prometheus
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      nodeSelector:
        ldap: "true"
      securityContext:
        runAsUser: 0
      containers:
      - name: grafana
        image: harbor.yee.net.cn/library/grafana:8.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
          name: grafana
        env:
        - name: GF_SECURITY_ADMIN_USER
          value: admin
        - name: GF_SECURITY_ADMIN_PASSWORD
          value: Manifest%0304OUR
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2
            memory: 2Gi
          requests:
            cpu: 150m
            memory: 512Mi
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
        - mountPath: /etc/grafana/ldap.toml
          subPath: ldap.toml
          name: ldap
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config
      - name: ldap
        configMap:
          name: grafana-ldap

---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: prometheus
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana

同样 Deployment 需要加一些配置

yaml 复制代码
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
        - mountPath: /etc/grafana/ldap.toml
          subPath: ldap.toml
          name: ldap
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config
      - name: ldap
        configMap:
          name: grafana-ldap
相关推荐
运维开发故事8 天前
基于 Arthas 的多集群在线诊断系统设计与实现
kubernetes
Patrick_Wilson9 天前
从「改个端口」到 502:Next.js on k8s 的容器端口、Service 映射与 env 覆盖
docker·kubernetes·next.js
SRETalk9 天前
Zabbix、Prometheus、Grafana、Nightingale,四个监控如何选型?
zabbix·grafana·prometheus·nightingale
探索云原生10 天前
K8s 1.36 这个 GA 特性,把 initContainer 拉模型的 hack 干掉了
ai·云原生·kubernetes
Java之美11 天前
一次k8s升级引发的DevicePlugin注册失败
云原生·kubernetes
虚无境17 天前
如何编写一个SpringBoot项目告警推送的Starter
java·prometheus·webhook
活宝小娜18 天前
mysql详细安装教程
数据库·mysql·adb
java_cj18 天前
深入kube-apiserver认证机制:从Bearer Token到mTLS的完整认证链解析
linux·运维·服务器·云原生·容器·kubernetes
zhangjin112018 天前
adb install和 pm install 的区别是什么?
adb