use sso settings api instead of app user-values
1 parent
b16ca41
commit 0c7b930
Showing
6 changed files
with
122 additions
and
135 deletions.
@@ -0,0 +1,81 @@ | ||
package grafana | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/grafana/grafana-openapi-client-go/client" | ||
"github.com/grafana/grafana-openapi-client-go/models" | ||
"github.com/pkg/errors" | ||
"sigs.k8s.io/controller-runtime/pkg/log" | ||
) | ||
|
||
const ( | ||
grafanaAdminRole = "Admin" | ||
grafanaEditorRole = "Editor" | ||
grafanaViewerRole = "Viewer" | ||
) | ||
|
||
func ConfigureSSOSettings(ctx context.Context, grafanaAPI *client.GrafanaHTTPAPI, organizations []Organization) error { | ||
logger := log.FromContext(ctx) | ||
|
||
provider := "generic_oauth" | ||
resp, err := grafanaAPI.SsoSettings.GetProviderSettings(provider, nil) | ||
if err != nil { | ||
logger.Error(err, "failed to get sso provider settings.") | ||
return errors.WithStack(err) | ||
} | ||
|
||
orgsMapping := generateGrafanaOrgsMapping(organizations) | ||
settings := resp.Payload.Settings.(map[string]interface{}) | ||
settings["role_attribute_path"] = "to_string('Viewer')" | ||
settings["org_attribute_path"] = "groups" | ||
settings["org_mapping"] = fmt.Sprintf("'%s'", orgsMapping) | ||
|
||
// Update the provider settings | ||
_, err = grafanaAPI.SsoSettings.UpdateProviderSettings(provider, | ||
&models.UpdateProviderSettingsParamsBody{ | ||
ID: resp.Payload.ID, | ||
Provider: resp.Payload.Provider, | ||
Settings: settings, | ||
}) | ||
|
||
if err != nil { | ||
logger.Error(err, "failed to configure grafana sso.") | ||
return errors.WithStack(err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func generateGrafanaOrgsMapping(organizations []Organization) string { | ||
var orgMappings []string | ||
// TODO: We need to be admins to be able to see the private dashboards for now, remove the 2 GS groups once https://github.com/giantswarm/roadmap/issues/3696 is done. | ||
// Grant Admin role to Giantswarm users logging in via azure active directory. | ||
orgMappings = append(orgMappings, buildOrgMapping(SharedOrg.Name, "giantswarm-ad:giantswarm-admins", grafanaAdminRole)) | ||
// Grant Admin role to Giantswarm users logging in via github. | ||
orgMappings = append(orgMappings, buildOrgMapping(SharedOrg.Name, "giantswarm-github:giantswarm:giantswarm-admins", grafanaAdminRole)) | ||
// Grant Editor role to every other users. | ||
orgMappings = append(orgMappings, fmt.Sprintf(`"*:%s:%s"`, SharedOrg.Name, grafanaEditorRole)) | ||
for _, organization := range organizations { | ||
for _, adminOrgAttribute := range organization.Admins { | ||
orgMappings = append(orgMappings, buildOrgMapping(organization.Name, adminOrgAttribute, grafanaAdminRole)) | ||
} | ||
for _, editorOrgAttribute := range organization.Editors { | ||
orgMappings = append(orgMappings, buildOrgMapping(organization.Name, editorOrgAttribute, grafanaEditorRole)) | ||
} | ||
for _, viewerOrgAttribute := range organization.Viewers { | ||
orgMappings = append(orgMappings, buildOrgMapping(organization.Name, viewerOrgAttribute, grafanaViewerRole)) | ||
} | ||
} | ||
|
||
return strings.Join(orgMappings, " ") | ||
} | ||
|
||
func buildOrgMapping(organizationName, userOrgAttribute, role string) string { | ||
// We need to escape the colon in the userOrgAttribute | ||
u := strings.ReplaceAll(userOrgAttribute, ":", "\\:") | ||
// We add double quotes to the org mapping to support spaces in display names | ||
return fmt.Sprintf(`"%s:%s:%s"`, u, organizationName, role) | ||
} |
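Review bot: The unchecked type assertion `resp.Payload.Settings.(map[string]interface{})` in ConfigureSSOSettings will panic the reconciler if Grafana ever returns a nil or differently typed Settings payload; use the two-value form and fail the reconcile instead, e.g. `settings, ok := resp.Payload.Settings.(map[string]interface{})` followed by `if !ok { return errors.Errorf("unexpected sso settings payload type %T", resp.Payload.Settings) }`. In buildOrgMapping only `userOrgAttribute` has its colons escaped while `organizationName` is interpolated raw, so an organization name containing `:` shifts the `group:org:role` fields of the generated org_mapping entry, and a `"` in either value would break the quoted token; escape the org name the same way (`o := strings.ReplaceAll(organizationName, ":", "\\:")`) and consider rejecting names containing `"`. The wildcard entry built inline at `fmt.Sprintf(`"*:%s:%s"`, SharedOrg.Name, grafanaEditorRole)` grants Editor in the shared org to every authenticated user, which matches its comment but deserves a why-comment on that deliberate breadth, and it could go through buildOrgMapping for consistency. Presumably GetProviderSettings returns secret fields such as client_secret in redacted form; confirm that writing the full settings map back via UpdateProviderSettings preserves the stored secrets rather than overwriting them with the redacted placeholder.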
8 changes: 0 additions & 8 deletions
8
pkg/grafana/templating/templates/grafana-user-values.yaml.template
This file was deleted.
This file was deleted.