Add ldap support to nagios

This adds an Apache reverse proxy to the nagios chart, similar
to the elasticsearch and kibana charts. It also adds LDAP
authentication to nagios.

Change-Id: I7b17703b5d4c1e041691ffceb984a9f5951cbeb9
Steve Wilkerson 2018-05-14 11:14:47 -05:00
parent 85208fe98a
commit db89ab8204
8 changed files with 343 additions and 20 deletions


@ -0,0 +1,40 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ev
COMMAND="${@:-start}"
function start () {
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/httpd/apache2/envvars
fi
# Apache gets grumpy about PID files pre-existing
rm -f /etc/httpd/logs/httpd.pid
#Launch Apache on Foreground
exec httpd -DFOREGROUND
}
function stop () {
apachectl -k graceful-stop
}
$COMMAND
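Review bot: The envvars guard tests one path and sources a different one — `if [ -f /etc/apache2/envvars ]` is followed by `source /etc/httpd/apache2/envvars` — so either the file is never loaded or, when the first path exists and the second does not, `set -e` aborts `start` before httpd runs; the two lines should name the same file, e.g. `source /etc/apache2/envvars`. The PID file removed on the next line, `/etc/httpd/logs/httpd.pid`, also does not sit under the `ServerRoot "/usr/local/apache2"` that this commit's httpd.conf sets, so it likely never matches the file httpd actually writes; `rm -f /usr/local/apache2/logs/httpd.pid` would match that ServerRoot, assuming the stock PidFile default. Both paths look carried over from a distro layout rather than the `httpd:2.4` image this chart now pulls — worth confirming against that image.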


@ -22,6 +22,8 @@ kind: ConfigMap
metadata: metadata:
name: nagios-bin name: nagios-bin
data: data:
apache.sh: |
{{ tuple "bin/_apache.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
image-repo-sync.sh: |+ image-repo-sync.sh: |+
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }} {{- end }}


@ -22,6 +22,10 @@ kind: ConfigMap
metadata: metadata:
name: nagios-etc name: nagios-etc
data: data:
httpd.conf: |
{{- tuple .Values.conf.apache.httpd "etc/_httpd.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
nagios-host.conf: |
{{- tuple .Values.conf.apache.host "etc/_nagios-host.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
nagios.cfg: |+ nagios.cfg: |+
{{ include "nagios.to_nagios_conf" .Values.conf.nagios.config | indent 4 }} {{ include "nagios.to_nagios_conf" .Values.conf.nagios.config | indent 4 }}
nagios_objects.cfg: |+ nagios_objects.cfg: |+
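Review bot: The override key read for nagios-host.conf, `.Values.conf.apache.host`, has no counterpart in this commit's values.yaml change, which adds `httpd: null` and `elasticsearch_host: null` under `conf.apache` — the latter looks carried over from the elasticsearch chart. Rendering presumably still works because the templater falls back to the bundled file when the override is nil, but an operator cannot override the vhost through a key that exists in values. Renaming the values key to `host: null` makes the template and values agree. The ConfigMap definition this hunk belongs to continues outside the hunk.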


@ -78,25 +78,54 @@ spec:
initContainers: initContainers:
{{ tuple $envAll "nagios" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "nagios" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
- name: nagios - name: apache-proxy
{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/apache.sh
- start
ports: ports:
- name: http - name: http
containerPort: {{ tuple "nagios" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "nagios" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: NAGIOS_PORT
value: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: LDAP_URL
value: {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
- name: BIND_DN
valueFrom:
secretKeyRef:
name: {{ $nagiosUserSecret }}
key: BIND_DN
- name: BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $nagiosUserSecret }}
key: BIND_PASSWORD
volumeMounts:
- name: nagios-bin
mountPath: /tmp/apache.sh
subPath: apache.sh
readOnly: true
- name: nagios-etc
mountPath: /usr/local/apache2/conf/httpd.conf
subPath: httpd.conf
readOnly: true
- name: pod-etc-apache
mountPath: /usr/local/apache2/conf/sites-enabled
- name: nagios-etc
mountPath: /usr/local/apache2/conf/sites-enabled/nagios-host.conf
subPath: nagios-host.conf
readOnly: true
- name: nagios
{{ tuple $envAll "nagios" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nagios | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: nagios
containerPort: {{ tuple "nagios" "internal" "nagios" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env: env:
- name: PROMETHEUS_SERVICE - name: PROMETHEUS_SERVICE
value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }} value: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
- name: NAGIOSADMIN_USER
valueFrom:
secretKeyRef:
name: {{ $nagiosUserSecret }}
key: NAGIOSADMIN_USER
- name: NAGIOSADMIN_PASS
valueFrom:
secretKeyRef:
name: {{ $nagiosUserSecret }}
key: NAGIOSADMIN_PASS
volumeMounts: volumeMounts:
- name: nagios-etc - name: nagios-etc
mountPath: /opt/nagios/etc/nagios.cfg mountPath: /opt/nagios/etc/nagios.cfg
@ -111,4 +140,10 @@ spec:
configMap: configMap:
name: nagios-etc name: nagios-etc
defaultMode: 0444 defaultMode: 0444
- name: pod-etc-apache
emptyDir: {}
- name: nagios-bin
configMap:
name: nagios-bin
defaultMode: 0555
{{- end }} {{- end }}
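Review bot: After this change the nagios container carries no admin credentials (its `NAGIOSADMIN_USER`/`NAGIOSADMIN_PASS` entries are removed) and still declares `containerPort` `nagios` on the pod IP, while the LDAP requirement lives only in the apache-proxy container that forwards to `localhost:${NAGIOS_PORT}`. Anything that can reach the pod IP directly therefore reaches the backend without passing the proxy's Basic/LDAP check, unless the new nagios image binds only to loopback — that is not visible here and is worth confirming. If it does not, a NetworkPolicy limiting ingress to the `http` port, or configuring the backend to listen on `127.0.0.1`, would make the proxy the only entry point. The Deployment spec these hunks belong to starts and ends outside them.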


@ -0,0 +1,189 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
ServerRoot "/usr/local/apache2"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /dev/stderr
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog /dev/stdout common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog /dev/stdout combined
</IfModule>
#
# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
# Virtual hosts
Include conf/sites-enabled/*.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
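Review bot: The LoadModule block is the stock httpd.conf list and loads several modules that nothing in this file or the accompanying vhost references — `proxy_connect_module`, `proxy_balancer_module`, both `slotmem_*` modules, `status_module`, `autoindex_module`, `authn_file_module`, `authz_groupfile_module` and `access_compat_module`. Each loaded module is configuration surface that a later drop-in under `Include conf/sites-enabled/*.conf` can activate without review, so trimming the list to what the reverse proxy and LDAP auth actually use keeps the image to its stated purpose; `ProxyRequests` is left at its default (off), so `proxy_connect_module` in particular does nothing today. Adding `ServerTokens Prod` next to `ServerRoot` would also stop the proxy advertising its full version in the `Server` header.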


@ -0,0 +1,28 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
<VirtualHost *:80>
<Location />
ProxyPass http://localhost:${NAGIOS_PORT}/
ProxyPassReverse http://localhost:${NAGIOS_PORT}/
</Location>
<Proxy *>
AuthName "Nagios"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN ${BIND_DN}
AuthLDAPBindPassword ${BIND_PASSWORD}
AuthLDAPURL ${LDAP_URL}
Require valid-user
</Proxy>
</VirtualHost>
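Review bot: The three directives that expand environment variables — `AuthLDAPBindDN ${BIND_DN}`, `AuthLDAPBindPassword ${BIND_PASSWORD}` and `AuthLDAPURL ${LDAP_URL}` — are unquoted, so a bind DN containing a space (common once a `cn=` carries a display name) or a bind password containing whitespace is split into extra arguments and rejected at config parse, which in this pod means httpd never starts. Quoting the expansions, `AuthLDAPBindDN "${BIND_DN}"` and `AuthLDAPBindPassword "${BIND_PASSWORD}"`, keeps each value a single argument. The default bind DN shipped in values has no spaces, so this only surfaces once an operator overrides it.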


@ -24,6 +24,6 @@ metadata:
name: {{ $secretName }} name: {{ $secretName }}
type: Opaque type: Opaque
data: data:
NAGIOSADMIN_USER: {{ .Values.endpoints.nagios.auth.admin.username | b64enc }} BIND_DN: {{ .Values.endpoints.ldap.auth.admin.bind | b64enc }}
NAGIOSADMIN_PASS: {{ .Values.endpoints.nagios.auth.admin.password | b64enc }} BIND_PASSWORD: {{ .Values.endpoints.ldap.auth.admin.password | b64enc }}
{{- end }} {{- end }}


@ -18,7 +18,8 @@
images: images:
tags: tags:
nagios: quay.io/attcomdev/nagios:931116b88c54931c616dfa66f424be38f74d8ad2 apache_proxy: docker.io/httpd:2.4
nagios: quay.io/attcomdev/nagios:8ed23ede915ccf23aacd370953291090007ed16d
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
image_repo_sync: docker.io/docker:17.07.0 image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent pull_policy: IfNotPresent
@ -88,10 +89,6 @@ endpoints:
nagios: nagios:
name: nagios name: nagios
namespace: null namespace: null
auth:
admin:
username: admin
password: changeme
hosts: hosts:
default: nagios-metrics default: nagios-metrics
public: nagios public: nagios
@ -102,8 +99,26 @@ endpoints:
scheme: scheme:
default: http default: http
port: port:
nagios:
default: 8000
http: http:
default: 80 default: 80
ldap:
hosts:
default: ldap
auth:
admin:
bind: "cn=admin,dc=cluster,dc=local"
password: password
host_fqdn_override:
default: null
path:
default: "/ou=People,dc=cluster,dc=local"
scheme:
default: ldap
port:
ldap:
default: 389
network: network:
nagios: nagios:
@ -140,6 +155,13 @@ pod:
requests: requests:
memory: "128Mi" memory: "128Mi"
cpu: "100m" cpu: "100m"
apache_proxy:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "100m"
jobs: jobs:
image_repo_sync: image_repo_sync:
limits: limits:
@ -160,6 +182,9 @@ manifests:
service_ingress: true service_ingress: true
conf: conf:
apache:
httpd: null
elasticsearch_host: null
nagios: nagios:
hosts: hosts:
- prometheus: - prometheus:
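Review bot: `apache_proxy: docker.io/httpd:2.4` is a floating tag while every neighbouring image is pinned to an immutable reference (`nagios` to a commit SHA, `dep_check` to `v0.2.1`, `image_repo_sync` to `17.07.0`), so the container that now enforces authentication can change underneath a deployment without a chart change; pinning to a patch tag or digest keeps it reproducible. The new `ldap` endpoint defaults to `scheme: default: ldap` on port 389, which sends the bind password and every user's Basic-auth password that mod_authnz_ldap forwards to the directory in cleartext; a comment on the block such as `# plain ldap is suitable for test deployments only; use ldaps (port 636) otherwise` would make the expectation explicit. The default `password: password` is a placeholder credential and would benefit from the same treatment as the removed nagios `changeme` default, i.e. a comment saying it must be overridden.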