added basic authentication (if enabled) for nginx ingress of tempo se…

…rvice
interTwin-eu · Sep 3, 2024 · 9327293 · 9327293
1 parent 9da6511
commit 9327293
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 123 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -5,4 +5,6 @@ description: A helm chart to deploy a Grafana dashboard for monitoring VK
 type: application
 
 version: 0.1.0
-appVersion: "0.1.0"
+appVersion: "0.1.0"
+
+maintainer: "[email protected]"
diff --git a/templates/configmaps/cfg-grafana.yaml b/templates/configmaps/cfg-grafana.yaml
@@ -27,6 +27,7 @@ data:
       "editable": true,
       "fiscalYearStartMonth": 0,
       "graphTooltip": 0,
+      "id": 2,
       "links": [],
       "liveNow": true,
       "panels": [
@@ -1986,6 +1987,7 @@ data:
         },
         {
           "datasource": {
+            "default": true,
             "type": "tempo",
             "uid": "1"
           },
@@ -2050,7 +2052,7 @@ data:
                   "scope": "span",
                   "tag": "name",
                   "value": [
-                    "StatusHttpCall"
+                    "LogHttpCall"
                   ],
                   "valueType": "string"
                 },
@@ -2071,8 +2073,8 @@ data:
                 }
               ],
               "limit": 100000,
-              "query": "{name=\"CreateHttpCall\" && resource.service.name=\"InterLink-service\" && .exit.code=200 }",
-              "queryType": "traceqlSearch",
+              "query": "{name=\"LogHttpCall\" && resource.service.name=\"InterLink-service\" && .exit.code=200 }",
+              "queryType": "traceql",
               "refId": "A",
               "tableType": "spans"
             }

diff --git a/templates/ingresses/ing-tempo.yaml b/templates/ingresses/ing-tempo.yaml
@@ -1,10 +1,49 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: {{ .Release.Namespace }}
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: {{ .Values.maintainerEmail }}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-certificate
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: tempo-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  commonName: {{ .Values.ingresses.tempo.host }}
+  dnsNames:
+  - {{ .Values.ingresses.tempo.host }}
+
+---
+
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
-      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-      nginx.ingress.kubernetes.io/ssl-redirect: "true" 
+    kubernetes.io/ingress.class: nginx
+    {{- if .Values.ingresses.tempo.auth_enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: basic-auth
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+    {{- end }}
+    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+
   name: tempo-ingress
   namespace: {{ .Release.Namespace }}
 spec:
@@ -18,9 +57,9 @@ spec:
               service:
                 name:  {{ .Values.services.tempo.name }}
                 port:
-                  number: 443
+                  number: {{ .Values.ingresses.tempo.port }}
       host: {{ .Values.ingresses.tempo.host }}
   tls:
   - hosts:
     - {{ .Values.ingresses.tempo.host }}
-    secretName: tempo-tls-secret
+    secretName: tempo-tls
diff --git a/templates/secrets/basicauth.yaml b/templates/secrets/basicauth.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+  namespace: {{ .Release.Namespace }}  # This will automatically use the namespace where the Helm release is deployed
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+type: Opaque
+data:
+  auth: {{ printf "%s:%s" .Values.auth.tempo.username .Values.auth.tempo.password | b64enc | quote }}
diff --git a/templates/secrets/scttls.yaml b/templates/secrets/scttls.yaml
diff --git a/templates/services/svctempo.yaml b/templates/services/svctempo.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   ports:
     - name: {{ .Values.services.tempo.name }}
-      port: 4317
+      port: {{ .Values.ingresses.tempo.port }}
       protocol: TCP
       targetPort: {{ .Values.services.tempo.port }}
   selector:

diff --git a/values.yaml b/values.yaml
@@ -13,13 +13,22 @@ app:
 ingresses:
   tempo:
     host: tempo.131.154.98.206.myip.cloud.infn.it # change this to your desired hostname
+    port: 443 # external port where the service is exposed
+    auth_enabled: false
 
   grafana:
     host: grafanavk.131.154.98.206.myip.cloud.infn.it # change this to your desired hostname
 
 config:
   grafana:
     admin_user: admin # change this to your desired username
-    admin_password: admin # change this to your desired password
+    admin_password: password # change this to your desired password
     http_port: 3000 # do not change if you don't know what you are doing
-    http_addr: 0.0.0.0 # do not change if you don't know what you are doing
+    http_addr: 0.0.0.0 # do not change if you don't know what you are doing
+
+auth:
+  tempo:
+    username: username # change this to your desired username
+    password: $apr1$6BZqNMcL$ITbyluYyeslJuxVTUyd4v0 # change this to your desired passwor; to generate a new password use htpasswd -c auth username
+
+maintainerEmail: "[email protected]"