Add ldap support to nagios

This adds an apache reverse proxy to the nagios chart, similar to elasticsearch and kibana. It also adds authentication to nagios via ldap Change-Id: I7b17703b5d4c1e041691ffceb984a9f5951cbeb9
2018-05-14 11:14:47 -05:00 · 2018-05-14 11:14:47 -05:00 · db89ab8204
commit db89ab8204
parent 85208fe98a
8 changed files with 343 additions and 20 deletions
--- a/nagios/templates/bin/_apache.sh.tpl
+++ b/nagios/templates/bin/_apache.sh.tpl
@ -0,0 +1,40 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ev
+
+COMMAND="${@:-start}"
+
+function start () {
+
+  if [ -f /etc/apache2/envvars ]; then
+     # Loading Apache2 ENV variables
+     source /etc/httpd/apache2/envvars
+  fi
+  # Apache gets grumpy about PID files pre-existing
+  rm -f /etc/httpd/logs/httpd.pid
+
+  #Launch Apache on Foreground
+  exec httpd -DFOREGROUND
+}
+
+function stop () {
+  apachectl -k graceful-stop
+}
+
+$COMMAND
--- a/nagios/templates/configmap-bin.yaml
+++ b/nagios/templates/configmap-bin.yaml
@ -22,6 +22,8 @@ kind: ConfigMap
 metadata:
  name: nagios-bin
 data:
+  apache.sh: |
+{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  image-repo-sync.sh: |+
 {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
 {{- end }}
--- a/nagios/templates/configmap-etc.yaml
+++ b/nagios/templates/configmap-etc.yaml
@ -22,6 +22,10 @@ kind: ConfigMap
 metadata:
  name: nagios-etc
 data:
+  httpd.conf: |
+{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+  nagios-host.conf: |
+{{- tuple .Values.conf.apache.host "etc/_nagios-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
  nagios.cfg: |+
 {{ include "nagios.to_nagios_conf" .Values.conf.nagios.config | indent 4 }}
  nagios_objects.cfg: |+
--- a/nagios/templates/deployment.yaml
+++ b/nagios/templates/deployment.yaml
@ -78,25 +78,54 @@ spec:
      initContainers:
 {{ tuple $envAll "nagios" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
-        - name: nagios
-{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+        - name: apache-proxy
+{{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /tmp/apache.sh
+            - start
          ports:
            - name: http
              containerPort: {{ tuple "nagios" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+          env:
+            - name: NAGIOS_PORT
+              value: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: LDAP_URL
+              value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $nagiosUserSecret }}
+                  key: BIND_DN
+            - name: BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $nagiosUserSecret }}
+                  key: BIND_PASSWORD
+          volumeMounts:
+            - name: nagios-bin
+              mountPath: /tmp/apache.sh
+              subPath: apache.sh
+              readOnly: true
+            - name: nagios-etc
+              mountPath: /usr/local/apache2/conf/httpd.conf
+              subPath: httpd.conf
+              readOnly: true
+            - name: pod-etc-apache
+              mountPath: /usr/local/apache2/conf/sites-enabled
+            - name: nagios-etc
+              mountPath: /usr/local/apache2/conf/sites-enabled/nagios-host.conf
+              subPath: nagios-host.conf
+              readOnly: true
+        - name: nagios
+{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          ports:
+            - name: nagios
+              containerPort: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          env:
            - name: PROMETHEUS_SERVICE
              value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
-            - name: NAGIOSADMIN_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $nagiosUserSecret }}
-                  key: NAGIOSADMIN_USER
-            - name: NAGIOSADMIN_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $nagiosUserSecret }}
-                  key: NAGIOSADMIN_PASS
          volumeMounts:
            - name: nagios-etc
              mountPath: /opt/nagios/etc/nagios.cfg
@ -111,4 +140,10 @@ spec:
          configMap:
            name: nagios-etc
            defaultMode: 0444
+        - name: pod-etc-apache
+          emptyDir: {}
+        - name: nagios-bin
+          configMap:
+            name: nagios-bin
+            defaultMode: 0555
 {{- end }}
--- a/nagios/templates/etc/_httpd.conf.tpl
+++ b/nagios/templates/etc/_httpd.conf.tpl
@ -0,0 +1,189 @@
+#
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
+# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
+# will be interpreted as '/logs/access_log'.
+
+ServerRoot "/usr/local/apache2"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule proxy_html_module modules/mod_proxy_html.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User daemon
+Group daemon
+
+</IfModule>
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog /dev/stderr
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    CustomLog /dev/stdout common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    CustomLog /dev/stdout combined
+</IfModule>
+
+#
+# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/usr/local/apache2/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
+# Virtual hosts
+Include conf/sites-enabled/*.conf
+
+# Configure mod_proxy_html to understand HTML4/XHTML1
+<IfModule proxy_html_module>
+Include conf/extra/proxy-html.conf
+</IfModule>
--- a/nagios/templates/etc/_nagios-host.conf.tpl
+++ b/nagios/templates/etc/_nagios-host.conf.tpl
@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+<VirtualHost *:80>
+  <Location />
+      ProxyPass http://localhost:${NAGIOS_PORT}/
+      ProxyPassReverse http://localhost:${NAGIOS_PORT}/
+  </Location>
+  <Proxy *>
+    AuthName "Nagios"
+    AuthType Basic
+    AuthBasicProvider ldap
+    AuthLDAPBindDN ${BIND_DN}
+    AuthLDAPBindPassword ${BIND_PASSWORD}
+    AuthLDAPURL ${LDAP_URL}
+    Require valid-user
+  </Proxy>
+</VirtualHost>
--- a/nagios/templates/secret-nagios.yaml
+++ b/nagios/templates/secret-nagios.yaml
@ -24,6 +24,6 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  NAGIOSADMIN_USER: {{ .Values.endpoints.nagios.auth.admin.username | b64enc }}
-  NAGIOSADMIN_PASS: {{ .Values.endpoints.nagios.auth.admin.password | b64enc }}
+  BIND_DN: {{ .Values.endpoints.ldap.auth.admin.bind | b64enc }}
+  BIND_PASSWORD: {{ .Values.endpoints.ldap.auth.admin.password | b64enc }}
 {{- end }}
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@ -18,7 +18,8 @@

 images:
  tags:
-    nagios: quay.io/attcomdev/nagios:931116b88c54931c616dfa66f424be38f74d8ad2
+    apache_proxy: docker.io/httpd:2.4
+    nagios: quay.io/attcomdev/nagios:8ed23ede915ccf23aacd370953291090007ed16d
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: IfNotPresent
@ -88,10 +89,6 @@ endpoints:
  nagios:
    name: nagios
    namespace: null
-    auth:
-      admin:
-        username: admin
-        password: changeme
    hosts:
      default: nagios-metrics
      public: nagios
@ -102,8 +99,26 @@ endpoints:
    scheme:
      default: http
    port:
+      nagios:
+        default: 8000
      http:
        default: 80
+  ldap:
+    hosts:
+      default: ldap
+    auth:
+      admin:
+        bind: "cn=admin,dc=cluster,dc=local"
+        password: password
+    host_fqdn_override:
+      default: null
+    path:
+      default: "/ou=People,dc=cluster,dc=local"
+    scheme:
+      default: ldap
+    port:
+      ldap:
+        default: 389

 network:
  nagios:
@ -140,6 +155,13 @@ pod:
      requests:
        memory: "128Mi"
        cpu: "100m"
+    apache_proxy:
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
    jobs:
      image_repo_sync:
        limits:
@ -160,6 +182,9 @@ manifests:
  service_ingress: true

 conf:
+  apache:
+    httpd: null
+    elasticsearch_host: null
  nagios:
    hosts:
      - prometheus: