Grafana高可用-LDAP

一. grafana高可用

1. 迁移之前的 grafana

sqlitedump.sh

sh 复制代码
#!/bin/bash
DB=$1
TABLES=$(sqlite3 $DB .tables | sed -r 's/(\S+)\s+(\S)/\1\n\2/g' | grep -v migration_log)
for t in $TABLES; do
	echo "TRUNCATE TABLE $t;"
done
for t in $TABLES; do
	echo -e ".mode insert $t\nselect * from $t;"
done | sqlite3 $DB

将grafana.db 转为mysql的sql文件

  • 找到 grafana 的 grafana.db,得到sql文件,source到mysql上即可
sh 复制代码
sh sqlitedump grafana.db >grafana.sql

2. 部署

  • 将数据存储到 mysql

1) mysql

  • grafna会自己初始化库,前提是需要创建出来
yaml 复制代码
apiVersion: apps/v1
kind: PersistentVolumeClaim
metadata:
  name: mysql
  namespace: monitor
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
yaml 复制代码
#apiVersion: v1
#kind: ConfigMap
#metadata:
#  name: my.cnf
#  namespace: monitor
#data:
#  my.cnf: |
#    [mysqld]
#    port=3306
#---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.7
        name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: Man10f&3^H_98est$
          #valueFrom:
          #  secretKeyRef:
          #    name: mysql-root-password
          #    key: password
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysqlvolume
          mountPath: /var/lib/mysql
      #  - name: mysql-conf
      #    mountPath: /etc/mysql/my.cnf
      #    subPath: my.cnf
      volumes:
      - name: mysqlvolume
        persistentVolumeClaim:
          claimName: mysql
      #- name: mysql-conf
      #  configMap:
      #    name: my.cnf
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mysql
  name: mysql
  namespace: monitor
spec:
  selector:
    app: mysql
  type: ClusterIP
  ports:
  - port: 3306
    protocol: TCP
    targetPort: 3306
sh 复制代码
mysql -h mysql -p
create database grafana;
use grafana;
CREATE USER 'grafana'@'%' IDENTIFIED BY 'Man10f&3^H_98est$';
GRANT all on *.* TO 'grafana'@'%';
# 导入数据
source /grafana.sql

2). grafna

  • 配置文件需要改为如下的,其他的配置自行添加上去,这里只是mysql的配置
yaml 复制代码
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana
  namespace: monitor
  #annotations:
    #volume.beta.kubernetes.io/storage-class: "nfs"
spec:
  storageClassName: monitor-nfs-storage
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
yaml 复制代码
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: monitor
data:
  grafana.ini: | 
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = debug

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitor
spec:
  rules:
  - host: grafana-panel.yee.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: grafana
            port:
              number: 3000
  tls:
  - hosts:
    - grafana-panel.yee.com
    secretName: 2022-yee.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitor
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        runAsUser: 0
      containers:
      - name: grafana
        image: harbor.yee.com:8443/library/grafana:8.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
          name: grafana
        env:
        - name: GF_SECURITY_ADMIN_USER
          value: admin
        - name: GF_SECURITY_ADMIN_PASSWORD
          value: Manifest%0304
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2
            memory: 2Gi
          requests:
            cpu: 150m
            memory: 512Mi
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config

---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitor
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana

3. LDAP

  • grafana 使用加域,使用域账号登录,需要配置LDAP,LDAP是一种通讯协议,如同HTTP是一种协议一样的,
  • 域控的dn, 在 LDAP 目录中:
    • DC (Domain Component)
    • CN (Common Name)
    • OU (Organizational Unit)
  • An LDAP 目录类似于文件系统目录. 下列目录: DC=redmond,DC=wa,DC=microsoft,DC=com ,如果我们类比文件系统的话,可被看作如下文件路径: Com\Microsoft\Wa\Redmond
  • 例如:cn=test 可能代表一个用户名, ou=developer 代表一个active directory中的 组织单位。这句话的含义可能就是说明test这个对象处在domainname. com域的developer组织单元中
yaml 复制代码
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-config
  namespace: prometheus
data:
  grafana.ini: | 
    [database]
    type = mysql
    host = mysql.prometheus.svc.cluster.local:3306
    name = grafana
    user = grafana
    password = Man10f&3^H_98est$
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    [log]
    level = info
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: grafana-ldap
  namespace: prometheus
data:
  ldap.toml: |
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    # [log]
    # filters = ldap:debug
    
    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "192.168.1.250"
    # Default port is 389 or 636 if use_ssl = true
    port = 389
    # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
    use_ssl = false
    # If set to true, use LDAP with STARTTLS instead of LDAPS
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    # root_ca_cert = "/path/to/certificate.crt"
    # Authentication against LDAP servers requiring client certificates
    # client_cert = "/path/to/client.crt"
    # client_key = "/path/to/client.key"
    
    # Search user bind dn
    #bind_dn = "CN=xingguang,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    bind_dn = "ooo"		# 根据自己的写
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = 'dfs@52%2(89!ykWc'
    
    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(name=*))"
    search_filter = "(sAMAccountName=%s)"
    #search_filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514))(sAMAccountName={login}))"
    
    # An array of base dns to search through
    search_base_dns = ["OU=ooo,DC=sdrad,DC=com"]
    
    ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
    ## Please check grafana LDAP docs for examples
    # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
    # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
    # group_search_filter_user_attribute = "uid"
    
    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "displayName"
    #surname = "sn"
    #username = "username"
    username = "sAMAccountName"
    #member_of = "memberOf"
    email =  "mail"
    
    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Admin"
    # To make user an instance admin  (Grafana Admin) uncomment line below
    grafana_admin = true
    # The Grafana organization database id, optional, if left out the default org (id 1) will be used
    #org_id = 1
    
    [[servers.group_mappings]]
    group_dn = "CN=xxx,OU=运维组,OU=研发中心,OU=ooo,DC=SDRAD,DC=COM"
    org_role = "Editor"
    #org_id = 2
    #
    [[servers.group_mappings]]
    ## If you want to match all (or no ldap groups) then you can use wildcard
    group_dn = "*"
    org_role = "Viewer"
    #org_id = 3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: prometheus
spec:
  rules:
  - host: grafana-test.yee.net.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: 
            name: grafana
            port:
              number: 3000
  tls:
  - hosts:
    - grafana-test.yee.net.cn
    secretName: yee.net.cn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: prometheus
spec:
  replicas: 2
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      nodeSelector:
        ldap: "true"
      securityContext:
        runAsUser: 0
      containers:
      - name: grafana
        image: harbor.yee.net.cn/library/grafana:8.5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
          name: grafana
        env:
        - name: GF_SECURITY_ADMIN_USER
          value: admin
        - name: GF_SECURITY_ADMIN_PASSWORD
          value: Manifest%0304OUR
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 2
            memory: 2Gi
          requests:
            cpu: 150m
            memory: 512Mi
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
        - mountPath: /etc/grafana/ldap.toml
          subPath: ldap.toml
          name: ldap
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config
      - name: ldap
        configMap:
          name: grafana-ldap

---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: prometheus
spec:
  type: ClusterIP
  ports:
    - port: 3000
  selector:
    app: grafana

同样 Deployment 需要加一些配置

yaml 复制代码
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: storage
        - mountPath: /etc/grafana/grafana.ini
          subPath: grafana.ini
          name: config
        - mountPath: /etc/grafana/ldap.toml
          subPath: ldap.toml
          name: ldap
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grafana
      - name: config
        configMap:
          name: grafana-config
      - name: ldap
        configMap:
          name: grafana-ldap
相关推荐
运维小文几秒前
K8S资源限制之LimitRange
云原生·容器·kubernetes·k8s资源限制
登云时刻1 分钟前
Kubernetes集群外连接redis集群和使用redis-shake工具迁移数据(二)
redis·容器·kubernetes
wuxingge9 小时前
k8s1.30.0高可用集群部署
云原生·容器·kubernetes
志凌海纳SmartX10 小时前
趋势洞察|AI 能否带动裸金属 K8s 强势崛起?
云原生·容器·kubernetes
锅总10 小时前
nacos与k8s service健康检查详解
云原生·容器·kubernetes
BUG弄潮儿10 小时前
k8s 集群安装
云原生·容器·kubernetes
晴天飛 雪11 小时前
Grafana监控PostgreSQL
数据库·postgresql·grafana
颜淡慕潇12 小时前
【K8S系列】kubectl describe pod显示ImagePullBackOff,如何进一步排查?
后端·云原生·容器·kubernetes
Linux运维日记12 小时前
k8s1.31版本最新版本集群使用容器镜像仓库Harbor
linux·docker·云原生·容器·kubernetes
AI_小站14 小时前
RAG 示例:使用 langchain、Redis、llama.cpp 构建一个 kubernetes 知识库问答
人工智能·程序人生·langchain·kubernetes·llama·知识库·rag