cloudworkz / grafana-permission-sync

gives grafana users permissions, based on what google groups they are in
MIT License

Use Google Default Credentials Model #1

Open meggieveggie opened 4 years ago

meggieveggie commented 4 years ago

Describe the problem

Generally, when using the Google Cloud Credentials Model, if you set GOOGLE_APPLICATION_CREDENTIALS then the application will look for the credentials at that specified path. This allows voluming in Docker containers to be smoother, as when you volume in something like Kubernetes the volume will overwrite any files in the volume directory; hence, if you attempted to do something like this:

    containers:
        - name: gsuite-permission-sync
          image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.6
          imagePullPolicy: IfNotPresent
          resources: {}
          args:
          - --configPath=/app/config/config.yaml
          env:
          - name: GRAFANA_PASS
            valueFrom:
                secretKeyRef:
                  name: grafana
                  key: admin-password
          volumeMounts:
            - name: gsuite-config
              mountPath: "/app/config"
            - name: gsuite-credentials
              mountPath: /app/
              subPath: credentials.json
              readOnly: true

This will overwrite the binary found in /app; however, this is the directory in which the application looks for credentials.json.

Proposed Solution

If you used the GOOGLE_APPLICATION_CREDENTIALS way you could do something like this:

    containers:
        - name: gsuite-permission-sync
          image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.6
          imagePullPolicy: IfNotPresent
          resources: {}
          args:
          - --configPath=/app/config/config.yaml
          env:
          - name: GRAFANA_PASS
            valueFrom:
                secretKeyRef:
                  name: grafana
                  key: admin-password
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /app/credentials/credentials.json
          volumeMounts:
            - name: gsuite-config
              mountPath: "/app/config"
            - name: gsuite-credentials
              mountPath: /app/credentials
              subPath: credentials.json
              readOnly: true

Which would look for the credentials specifically in the folder /app/credentials. I'm not sure if this is currently possible but just not documented, but when I try the above I get the following error:

    "msg":"unable to create google directory service","error":"open /app/credentials.json: no such file or directory"
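The error above comes from a lookup that only ever tries one hardcoded path. The lookup order the issue asks for (the GOOGLE_APPLICATION_CREDENTIALS environment variable first, the configured `google.credentialsPath` second) is shown below as an added example; it is not the project's own code, and `resolveCredentialsPath`, `osStat` and the "is a directory" check are assumptions made for the illustration. The directory check matters operationally: a secret volume mounted without `subPath` produces a directory, so a path that points at the mount rather than the key file inside it should fail with a message naming which source supplied the path.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Name of the environment variable Google's Application Default Credentials
// lookup reads; it is the knob the issue proposes honouring.
const googleCredsEnv = "GOOGLE_APPLICATION_CREDENTIALS"

// statFunc reports whether a path exists and whether it is a directory.
// It is injected so the resolution logic can be tested without a real filesystem.
type statFunc func(path string) (isDir bool, err error)

// osStat adapts os.Stat to statFunc for real use.
func osStat(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.IsDir(), nil
}

// resolveCredentialsPath is a hypothetical helper (not the project's code).
// It prefers GOOGLE_APPLICATION_CREDENTIALS, falls back to the path from the
// config file, and verifies that the chosen path is an existing regular file.
// The returned source tells the operator which setting selected the path, so a
// misconfigured mount is diagnosable from the log line alone.
func resolveCredentialsPath(getenv func(string) string, configured string, stat statFunc) (path, source string, err error) {
	switch {
	case getenv(googleCredsEnv) != "":
		path, source = getenv(googleCredsEnv), googleCredsEnv
	case configured != "":
		path, source = configured, "google.credentialsPath"
	default:
		return "", "", errors.New("no credentials path: set " + googleCredsEnv + " or google.credentialsPath")
	}

	isDir, err := stat(path)
	if err != nil {
		// Matches the failure mode in the issue: the file is simply not where the app looks.
		return "", source, fmt.Errorf("credentials from %s: %w", source, err)
	}
	if isDir {
		// A secret volume mounted without subPath yields a directory; the key file
		// lives inside it, so the configured path must name the file itself.
		return "", source, fmt.Errorf("credentials from %s: %s is a directory, expected the key file", source, path)
	}
	return path, source, nil
}

func main() {
	// "/app/credentials.json" stands in for the hardcoded default the issue reports.
	path, source, err := resolveCredentialsPath(os.Getenv, "/app/credentials.json", osStat)
	if err != nil {
		fmt.Fprintln(os.Stderr, "unable to create google directory service:", err)
		os.Exit(1)
	}
	fmt.Printf("using credentials %s (selected by %s)\n", path, source)
}
```

Injecting `getenv` and `stat` keeps the decision logic pure; the real binary would pass `os.Getenv` and `osStat` as `main` does, while tests drive it with constructed environments and fake filesystems.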
Nosmoht commented 3 years ago

Hi all,

I got it working using the env variable GOOGLE_APPLICATION_CREDENTIALS. Here's the code I'm using right now. Not finalized, but at least working.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana-permission-sync
  labels:
    app: grafana-permission-sync
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana-permission-sync
  template:
    metadata:
      labels:
        app: grafana-permission-sync
    spec:
      containers:
        - name: grafana-permission-sync
          image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.9
          args:
            - --configPath=/app/config/config.yaml
          env:
            - name: GRAFANA_PASS
              valueFrom:
                secretKeyRef:
                  name: grafana-permission-sync-grafana-admin
                  key: GRAFANA_PASS
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /app/credentials/credentials.json
          volumeMounts:
            - mountPath: /app/config
              name: config
            - mountPath: /app/credentials
              name: google-credentials
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: grafana-permission-sync
        - name: google-credentials
          secret:
            secretName: grafana-permission-sync-google-credentials
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-permission-sync
data:
  config.yaml: |
    grafana:
      url: http://grafana.example.com
      user: admin
    google:
      credentialsPath: /app/credentials/credentials.json
      adminEmail: admin@example.com
      domain: example.com
    rules:
      - groups:
          - devops@example.com
        orgs:
          - "Example Org."
        role: Admin
      - groups:
          - staff@example.com
        orgs:
          - "Example Org."
        role: Viewer
---
apiVersion: v1
data:
  GRAFANA_PASS: ...
kind: Secret
metadata:
  name: grafana-permission-sync-grafana-admin
---
apiVersion: v1
data:
  credentials.json: ...
kind: Secret
metadata:
  name: grafana-permission-sync-google-credentials