Bind Dex static admin user to a Grafana Admin role automatically

CHANGELOG.md

@@ -7,7 +7,12 @@
 version to 1.6.2 (PR [#2575](https://github.com/scality/metalk8s/pull/2575))
 
 - [#2674](https://github.com/scality/metalk8s/issues/2674) - Bump K8S version
-to 1.16.13 (PR [#2363](https://github.com/scality/metalk8s/pull/2679))
+to 1.16.13 (PR [#2679](https://github.com/scality/metalk8s/pull/2679))
+
+### Bug fixes
+- [#2653](https://github.com/scality/metalk8s/issues/2653) - Bind MetalK8s
+OIDC static admin user to a Grafana Admin role
+(PR [#2742](https://github.com/scality/metalk8s/pull/2742))
 
 ## Release 2.5.1
 

charts/prometheus-operator.yaml

@@ -164,6 +164,7 @@ grafana:
       auth_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/auth)'
       token_url:  '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token)'
       api_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/userinfo)'
+      role_attribute_path: contains(email, '{% endraw -%}{{ dex.spec.localuserstore.userlist[0]['email'] }}{%- raw %}') && 'Admin'
 
   testFramework:
     enabled: false

charts/render.py

@@ -177,23 +177,56 @@ def main():
     )
     parser.add_argument('values', help="Our custom chart values")
 
+    class ActionServiceConfigArgs(argparse.Action):
+        def __call__(self, parser, args, values, option_string=None):
+            if len(values) > 4:
+                raise argparse.ArgumentTypeError(
+                    'Argument "{0}" requires between 1 and 4 arguments'
+                    .format(option_string)
+                )
+
+            name = values.pop(0)
+            try:
+                configmap = values.pop(0)
+            except IndexError:
+                configmap = 'metalk8s-{0}-config'.format(name)
+            try:
+                path = values.pop(0)
+            except IndexError:
+                path = 'metalk8s/addons/{0}/config/{1}.yaml'.format(
+                    args.name, name
+                )
+            service_namespace = values.pop(0)
+
+            option = getattr(args, self.dest)
+            if option is None:
+                setattr(
+                    args,
+                    self.dest,
+                    [[name, configmap, path, service_namespace]]
+                )
+            else:
+                option.append([name, configmap, path, service_namespace])
+
     '''
     To use this argument, follow the format below:
-        --service-config service_name service_configmap_name
+        --service-config service_name service_configmap_name service_namespace
     where service_name is actually the jinja variable which will hold
     ConfigMap contents.
     Note that you can specify multiple service config arguments using:
-        --service-config grafana metalk8s-grafana-config
-        --service-config prometheus metalk8s-prometheus-config
+        --service-config grafana metalk8s-grafana-config metalk8s-monitoring
+        --service-config dex metalk8s-dex-config metalk8s-auth
     '''
     # Todo: Add kind & apiVersion to the service-config nargs
     parser.add_argument(
         '--service-config',
-        action='append',
-        nargs=2,
+        action=ActionServiceConfigArgs,
+        nargs='+',
         required=False,
         dest="service_configs",
-        help="Example: --service-config grafana metalk8s-grafana-config"
+        help="Example: --service-config grafana metalk8s-grafana-config "
+             "metalk8s/addons/prometheus-operator/config/grafana.yaml "
+             "metalk8s-monitoring"
     )
     parser.add_argument('path', help="Path to the chart directory")
     args = parser.parse_args()
@@ -212,27 +245,27 @@ def main():
             doc=fixup_doc(
                 doc=doc
             )
+        ) if doc else None
+
+    import_csc_yaml = []
+    config = []
+    for name, configmap, path, service_namespace in args.service_configs:
+        import_csc_yaml.append(
+            "{{% import_yaml '{0}' as {1}_defaults with context %}}".format(
+                path, name
+            )
         )
-    if args.service_configs:
-        import_csc_yaml = '\n'.join(
-            ("{{% import_yaml 'metalk8s/addons/{0}/config/{1}.yaml' as "
-                "{1}_defaults with context %}}").format(
-                args.name, service_config[0]
-            ) for service_config in args.service_configs
-        )
-
-        config = '\n'.join(
-            ("{{%- set {0} = salt.metalk8s_service_configuration"
-                ".get_service_conf('{1}', '{2}', {0}_defaults) %}}").format(
-                service_config[0], args.namespace, service_config[1]
-            ) for service_config in args.service_configs
+        config.append(
+            "{{%- set {0} = salt.metalk8s_service_configuration"
+            ".get_service_conf('{1}', '{2}', {0}_defaults) %}}".format(
+                name, service_namespace, configmap
+            )
         )
-    else:
-        import_csc_yaml = ''
-        config = ''
 
     sys.stdout.write(START_BLOCK.format(
-        csc_defaults=import_csc_yaml, configlines=config).lstrip()
+            csc_defaults='\n'.join(import_csc_yaml),
+            configlines='\n'.join(config)
+        ).lstrip()
     )
     sys.stdout.write('\n')
 

salt/metalk8s/addons/prometheus-operator/deployed/chart.sls

@@ -4,9 +4,11 @@
 {% import_yaml 'metalk8s/addons/prometheus-operator/config/grafana.yaml' as grafana_defaults with context %}
 {% import_yaml 'metalk8s/addons/prometheus-operator/config/prometheus.yaml' as prometheus_defaults with context %}
 {% import_yaml 'metalk8s/addons/prometheus-operator/config/alertmanager.yaml' as alertmanager_defaults with context %}
+{% import_yaml 'metalk8s/addons/dex/config/dex.yaml' as dex_defaults with context %}
 {%- set grafana = salt.metalk8s_service_configuration.get_service_conf('metalk8s-monitoring', 'metalk8s-grafana-config', grafana_defaults) %}
 {%- set prometheus = salt.metalk8s_service_configuration.get_service_conf('metalk8s-monitoring', 'metalk8s-prometheus-config', prometheus_defaults) %}
 {%- set alertmanager = salt.metalk8s_service_configuration.get_service_conf('metalk8s-monitoring', 'metalk8s-alertmanager-config', alertmanager_defaults) %}
+{%- set dex = salt.metalk8s_service_configuration.get_service_conf('metalk8s-auth', 'metalk8s-dex-config', dex_defaults) %}
 
 {% raw %}
 
@@ -327,6 +329,7 @@ data:
     client_id = grafana-ui
     client_secret = 4lqK98NcsWG5qBRHJUqYM1
     enabled = true
+    role_attribute_path = contains(email, '{% endraw -%}{{ dex.spec.localuserstore.userlist[0]['email'] }}{%- raw %}') && 'Admin'
     scopes = openid profile email groups
     tls_skip_verify_insecure = true
     token_url = "{% endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token{%- raw %}"
@@ -51232,7 +51235,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 7b469c4cdb154cb1f2987d376bbd99cd9757f2aab45bc90ee521824e329c24d2
+        checksum/config: 99946dc6287166fccab96ec15282aa472c91e332872d5ad4a89dca37ff7f30ee
         checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
         checksum/sc-dashboard-provider-config: d8d82dc736b65dc3ccf0e743a2f7a371fe340cf2874c76f164366f347b23b6b4
         checksum/secret: 0b5d0cba774f73eb434cecec5282d028eb34e57b1ff23bb3aa075519de6d1892