From db89ab82048e1cc77f9be803dc2e33c88a60d80c Mon Sep 17 00:00:00 2001
From: Steve Wilkerson <wilkers.steve@gmail.com>
Date: Mon, 14 May 2018 11:14:47 -0500
Subject: [PATCH] Add ldap support to nagios
This adds an apache reverse proxy to the nagios chart, similar
to elasticsearch and kibana. It also adds authentication to
nagios via ldap
Change-Id: I7b17703b5d4c1e041691ffceb984a9f5951cbeb9
---
nagios/templates/bin/_apache.sh.tpl | 40 +++++
nagios/templates/configmap-bin.yaml | 2 +
nagios/templates/configmap-etc.yaml | 4 +
nagios/templates/deployment.yaml | 61 +++++--
nagios/templates/etc/_httpd.conf.tpl | 189 +++++++++++++++++++++
nagios/templates/etc/_nagios-host.conf.tpl | 28 +++
nagios/templates/secret-nagios.yaml | 4 +-
nagios/values.yaml | 35 +++-
8 files changed, 343 insertions(+), 20 deletions(-)
create mode 100644 nagios/templates/bin/_apache.sh.tpl
create mode 100644 nagios/templates/etc/_httpd.conf.tpl
create mode 100644 nagios/templates/etc/_nagios-host.conf.tpl
diff --git a/nagios/templates/bin/_apache.sh.tpl b/nagios/templates/bin/_apache.sh.tpl
new file mode 100644
index 000000000..e80ead098
--- /dev/null
+++ b/nagios/templates/bin/_apache.sh.tpl
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ev
+
+COMMAND="${@:-start}"
+
+function start () {
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/httpd/apache2/envvars
+ fi
+ # Apache gets grumpy about PID files pre-existing
+ rm -f /etc/httpd/logs/httpd.pid
+
+ #Launch Apache on Foreground
+ exec httpd -DFOREGROUND
+}
+
+function stop () {
+ apachectl -k graceful-stop
+}
+
+$COMMAND
diff --git a/nagios/templates/configmap-bin.yaml b/nagios/templates/configmap-bin.yaml
index 5761d1a8d..db1ea00fe 100644
--- a/nagios/templates/configmap-bin.yaml
+++ b/nagios/templates/configmap-bin.yaml
@@ -22,6 +22,8 @@ kind: ConfigMap
metadata:
name: nagios-bin
data:
+ apache.sh: |
+{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
image-repo-sync.sh: |+
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }}
diff --git a/nagios/templates/configmap-etc.yaml b/nagios/templates/configmap-etc.yaml
index 75c9fa1f9..121ddeaa5 100644
--- a/nagios/templates/configmap-etc.yaml
+++ b/nagios/templates/configmap-etc.yaml
@@ -22,6 +22,10 @@ kind: ConfigMap
metadata:
name: nagios-etc
data:
+ httpd.conf: |
+{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ nagios-host.conf: |
+{{- tuple .Values.conf.apache.host "etc/_nagios-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
nagios.cfg: |+
{{ include "nagios.to_nagios_conf" .Values.conf.nagios.config | indent 4 }}
nagios_objects.cfg: |+
diff --git a/nagios/templates/deployment.yaml b/nagios/templates/deployment.yaml
index 25a885803..27937e735 100644
--- a/nagios/templates/deployment.yaml
+++ b/nagios/templates/deployment.yaml
@@ -78,25 +78,54 @@ spec:
initContainers:
{{ tuple $envAll "nagios" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- - name: nagios
-{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ - name: apache-proxy
+{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/apache.sh
+ - start
ports:
- name: http
containerPort: {{ tuple "nagios" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ env:
+ - name: NAGIOS_PORT
+ value: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: LDAP_URL
+ value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+ - name: BIND_DN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $nagiosUserSecret }}
+ key: BIND_DN
+ - name: BIND_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $nagiosUserSecret }}
+ key: BIND_PASSWORD
+ volumeMounts:
+ - name: nagios-bin
+ mountPath: /tmp/apache.sh
+ subPath: apache.sh
+ readOnly: true
+ - name: nagios-etc
+ mountPath: /usr/local/apache2/conf/httpd.conf
+ subPath: httpd.conf
+ readOnly: true
+ - name: pod-etc-apache
+ mountPath: /usr/local/apache2/conf/sites-enabled
+ - name: nagios-etc
+ mountPath: /usr/local/apache2/conf/sites-enabled/nagios-host.conf
+ subPath: nagios-host.conf
+ readOnly: true
+ - name: nagios
+{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ ports:
+ - name: nagios
+ containerPort: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PROMETHEUS_SERVICE
value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
- - name: NAGIOSADMIN_USER
- valueFrom:
- secretKeyRef:
- name: {{ $nagiosUserSecret }}
- key: NAGIOSADMIN_USER
- - name: NAGIOSADMIN_PASS
- valueFrom:
- secretKeyRef:
- name: {{ $nagiosUserSecret }}
- key: NAGIOSADMIN_PASS
volumeMounts:
- name: nagios-etc
mountPath: /opt/nagios/etc/nagios.cfg
@@ -111,4 +140,10 @@ spec:
configMap:
name: nagios-etc
defaultMode: 0444
+ - name: pod-etc-apache
+ emptyDir: {}
+ - name: nagios-bin
+ configMap:
+ name: nagios-bin
+ defaultMode: 0555
{{- end }}
diff --git a/nagios/templates/etc/_httpd.conf.tpl b/nagios/templates/etc/_httpd.conf.tpl
new file mode 100644
index 000000000..19af85523
--- /dev/null
+++ b/nagios/templates/etc/_httpd.conf.tpl
@@ -0,0 +1,189 @@
+#
+# This is the main Apache HTTP server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
+# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
+# will be interpreted as '/logs/access_log'.
+
+ServerRoot "/usr/local/apache2"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule proxy_html_module modules/mod_proxy_html.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User daemon
+Group daemon
+
+</IfModule>
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# <Directory> blocks below.
+#
+<Directory />
+ AllowOverride none
+ Require all denied
+</Directory>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ".ht*">
+ Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog /dev/stderr
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+ #
+ # The following directives define some format nicknames for use with
+ # a CustomLog directive (see below).
+ #
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+ <IfModule logio_module>
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+ </IfModule>
+
+ #
+ # The location and format of the access logfile (Common Logfile Format).
+ # If you do not define any access logfiles within a <VirtualHost>
+ # container, they will be logged here. Contrariwise, if you *do*
+ # define per-<VirtualHost> access logfiles, transactions will be
+ # logged therein and *not* in this file.
+ #
+ CustomLog /dev/stdout common
+
+ #
+ # If you prefer a logfile with access, agent, and referer information
+ # (Combined Logfile Format) you can use the following directive.
+ #
+ CustomLog /dev/stdout combined
+</IfModule>
+
+#
+# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/usr/local/apache2/cgi-bin">
+ AllowOverride None
+ Options None
+ Require all granted
+</Directory>
+
+<IfModule headers_module>
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+</IfModule>
+
+# Virtual hosts
+Include conf/sites-enabled/*.conf
+
+# Configure mod_proxy_html to understand HTML4/XHTML1
+<IfModule proxy_html_module>
+Include conf/extra/proxy-html.conf
+</IfModule>
diff --git a/nagios/templates/etc/_nagios-host.conf.tpl b/nagios/templates/etc/_nagios-host.conf.tpl
new file mode 100644
index 000000000..e57372455
--- /dev/null
+++ b/nagios/templates/etc/_nagios-host.conf.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+<VirtualHost *:80>
+ <Location />
+ ProxyPass http://localhost:${NAGIOS_PORT}/
+ ProxyPassReverse http://localhost:${NAGIOS_PORT}/
+ </Location>
+ <Proxy *>
+ AuthName "Nagios"
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthLDAPBindDN ${BIND_DN}
+ AuthLDAPBindPassword ${BIND_PASSWORD}
+ AuthLDAPURL ${LDAP_URL}
+ Require valid-user
+ </Proxy>
+</VirtualHost>
diff --git a/nagios/templates/secret-nagios.yaml b/nagios/templates/secret-nagios.yaml
index 60dba4e4c..bbfeb7796 100644
--- a/nagios/templates/secret-nagios.yaml
+++ b/nagios/templates/secret-nagios.yaml
@@ -24,6 +24,6 @@ metadata:
name: {{ $secretName }}
type: Opaque
data:
- NAGIOSADMIN_USER: {{ .Values.endpoints.nagios.auth.admin.username | b64enc }}
- NAGIOSADMIN_PASS: {{ .Values.endpoints.nagios.auth.admin.password | b64enc }}
+ BIND_DN: {{ .Values.endpoints.ldap.auth.admin.bind | b64enc }}
+ BIND_PASSWORD: {{ .Values.endpoints.ldap.auth.admin.password | b64enc }}
{{- end }}
diff --git a/nagios/values.yaml b/nagios/values.yaml
index 38d57b9e8..4352fa7fc 100644
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@@ -18,7 +18,8 @@
images:
tags:
- nagios: quay.io/attcomdev/nagios:931116b88c54931c616dfa66f424be38f74d8ad2
+ apache_proxy: docker.io/httpd:2.4
+ nagios: quay.io/attcomdev/nagios:8ed23ede915ccf23aacd370953291090007ed16d
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
@@ -88,10 +89,6 @@ endpoints:
nagios:
name: nagios
namespace: null
- auth:
- admin:
- username: admin
- password: changeme
hosts:
default: nagios-metrics
public: nagios
@@ -102,8 +99,26 @@ endpoints:
scheme:
default: http
port:
+ nagios:
+ default: 8000
http:
default: 80
+ ldap:
+ hosts:
+ default: ldap
+ auth:
+ admin:
+ bind: "cn=admin,dc=cluster,dc=local"
+ password: password
+ host_fqdn_override:
+ default: null
+ path:
+ default: "/ou=People,dc=cluster,dc=local"
+ scheme:
+ default: ldap
+ port:
+ ldap:
+ default: 389
network:
nagios:
@@ -140,6 +155,13 @@ pod:
requests:
memory: "128Mi"
cpu: "100m"
+ apache_proxy:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
jobs:
image_repo_sync:
limits:
@@ -160,6 +182,9 @@ manifests:
service_ingress: true
conf:
+ apache:
+ httpd: null
+ elasticsearch_host: null
nagios:
hosts:
- prometheus: