Add exit code (#12)

* set ldap to use recursive search. Set flags for log level.

* Added helm chart

* bumped chart version

* fxied restart policy

* fixed config file line

* fixd name of yaml file

* fixed viewer, editor -> view, edit

* Added exit code logic

* add dev environment

* formatting

* open file with 'with' keyword

* formatting

* removed unused filter, fixed login, name and email being arrays and thus crashing the script

* updated apiVersion of cronjob

---------

Co-authored-by: Oliver Isaac <[email protected]>
Co-authored-by: Jens Plüddemann <[email protected]>

Author: 3 people

.gitignore

@@ -133,4 +133,9 @@ dmypy.json
 .lock
 .idea
 /shelf/
-/workspace.xml
+/workspace.xml
+
+# Nix
+.devenv
+.direnv
+.envrc

Makefile

@@ -1,5 +1,6 @@
 DOCKER_REPO ?= DOCKERHUB_USER/grafana-ldap-sync-script
 DOCKER_TAG ?= v1.0
+CONFIG_DIR ?= ${PWD}
 
 init:
 	pip install -r requirements.txt
@@ -28,7 +29,7 @@ docker-push: docker-build
 	docker push ${DOCKER_REPO}:${DOCKER_TAG}
 
 docker-run: docker-build
-	docker run --mount 'type=bind,source=${PWD},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} --config /data/config.yml --bind /data/example.csv
+	docker run --mount 'type=bind,source=${CONFIG_DIR},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} --config /data/config.yml --bind /data/example.csv --log-level=debug --dry-run
 
 docker-explore: docker-build
-	docker run -it --entrypoint /bin/bash --mount 'type=bind,source=${PWD},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} -o vi
+	docker run -it --entrypoint /bin/bash --mount 'type=bind,source=${CONFIG_DIR},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} -o vi

README.md

@@ -31,9 +31,9 @@ Before starting the script you need to enter your grafana & ldap credentials in
 path to your .csv file containing the bindings.
 
 ### Binding
-To bind LDAP-groups to grafana-teams and grant these teams access to folders you need to provide a .csv file. Please note 
-that the first row of the csv is recognized as a header-row and is therefore being ignored. 
-The file needs to contain the following information in this exact order: 
+To bind LDAP-groups to grafana-teams and grant these teams access to folders you need to provide a .csv file. Please note
+that the first row of the csv is recognized as a header-row and is therefore being ignored.
+The file needs to contain the following information in this exact order:
 * **LDAP-Group**: The LDAP group which will be used for mapping.
 * **Grafana-Team Name**: The name of the Grafana team which will be created (if not exist) and where the group's users will be added to.
 * **Grafana-Team ID**: The ID of the Grafana team (currently not used).
@@ -65,7 +65,7 @@ Using this CSV mapping will result in the following operations:
 
 #### Removing Bindings
 When a binding is removed in your .csv-file, this binding is also removed by the script. So if there is a team in your grafana instance which
-is not defined by the current binding the team will be deleted. This also applies to users. **This does not apply to folders! 
+is not defined by the current binding the team will be deleted. This also applies to users. **This does not apply to folders!
 Folders need to be deleted manually if not needed anymore!**
 
 

config.yml

@@ -24,6 +24,8 @@ config:
     groupSearchBase: dc=example,dc=com
     # Filter that should be used for the group search.
     groupSearchFilter:
+    # Search recursively through groups
+    searchRecusrively: False
     # Search-Base for user objects on the LDAP-Server.
     userSearchBase: dc=example,dc=com
     # Filter that should be used for user searches.

deploy/helm/grafana-ldap-sync/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm/grafana-ldap-sync/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: grafana-ldap-sync
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.4
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.0.0

deploy/helm/grafana-ldap-sync/Makefile

@@ -0,0 +1,2 @@
+template:
+	helm3 template . --values=./values.example.yaml --debug

deploy/helm/grafana-ldap-sync/templates/NOTES.txt

@@ -0,0 +1 @@
+This helm chart deploys a cronjob which runs on, by default, a 30 minute schedule.

deploy/helm/grafana-ldap-sync/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana-ldap-sync.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana-ldap-sync.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana-ldap-sync.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana-ldap-sync.labels" -}}
+helm.sh/chart: {{ include "grafana-ldap-sync.chart" . }}
+{{ include "grafana-ldap-sync.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "grafana-ldap-sync.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "grafana-ldap-sync.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "grafana-ldap-sync.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "grafana-ldap-sync.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deploy/helm/grafana-ldap-sync/templates/config.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "grafana-ldap-sync.fullname" . }}-config
+  labels:
+    {{- include "grafana-ldap-sync.labels" . | nindent 4 }}
+stringData:
+  config.yaml: |
+    config:
+      {{- .Values.config | toYaml | nindent 6 }}
+  {{- if .Values.csvContent }}
+  permissions.csv: {{ .Values.csvContent | quote }}
+  {{- else }}
+  {{- $comment := "In this case we need to generate the CSV usign some crazy logic" }}
+  permissions.csv: |
+    {{- $perms := list ( list "ZBV/LDAP-Gruppe" "Grafana-Team-Name" "Grafana-Team-ID" "Grafana-Folder-Name" "Grafana-Folder-UUID" "Grafana-Folder-Permissions" ) }}
+    {{- $teams := .Values.teams }}
+    {{- $folders := .Values.folders }}
+    {{- $addTeamsToAll := .Values.addTeamsToAll }}
+    {{- range $teamName, $groups := $teams }}
+      {{- $comment := "This is how we default the group list to the team name" }}
+      {{- if not $groups }}
+        {{- $groups = list $teamName }}
+      {{- end }}
+
+      {{- $comment := "Ensure that every permission level exists for every folder" }}
+      {{- range $permLevel, $teamsToAdd := $addTeamsToAll }}
+        {{- range $folderName, $permission := $folders }}
+          {{- if not ( get $permission $permLevel ) }}
+            {{- $permission = set $permission $permLevel ( list ) }}
+            {{- $folders = set $folders $folderName $permission }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      
+      {{- range $folderName, $permission := $folders }}
+        {{- $comment := "This is how we default the permission" }}
+        {{- if not $permission }}
+          {{- $permission = dict "admin" ( list $folderName ) }}
+        {{- end }}
+
+        {{- range $permLevel, $permTeams := $permission }}
+          {{- $comment := "If the user decides to use Admin we must ensure it is lowercase" }}
+          {{- $permLevel = lower $permLevel }}
+
+          {{- $comment := "This is how we use the addTeamsToAll so that a team can be added to all folders" }}
+
+          {{- $teamsToAdd := ( get $addTeamsToAll $permLevel ) }}
+          {{- if $teamsToAdd }}
+            {{- $permTeams = concat $permTeams $teamsToAdd }}
+          {{- end }}
+
+          {{- range $t := $permTeams }}
+            {{- if eq ( toString $t ) $teamName }}
+              {{- range $group := $groups }}
+                {{- $ldapGroup := $group }}
+                {{- $grafanaTeamName := $teamName }}
+                {{- $grafanaTeamID := 1 }}
+                {{- $grafanaFolderName := $folderName }}
+                {{- $grafanaFolderUUID := $folderName | lower | replace " " "-" }}
+                {{- $grafanaFolderPermissions := title $permLevel }}
+
+                {{- $perms = append $perms ( list $ldapGroup $grafanaTeamName $grafanaTeamID $grafanaFolderName $grafanaFolderUUID $grafanaFolderPermissions ) }}
+              {{- end }} {{- $comment := "End range $groups" }}
+            {{- end }} {{- $comment := "end if eq $teamname" }}
+          {{- end }} {{- $comment := "end range $teams" }}
+        {{- end }} {{- $comment := "end range $permission" }}
+      {{- end }} {{- $comment := "end range $folders" }}
+    {{- end }} {{- $comment := "end range $teams" }}
+    {{- range $perm := $perms }}
+      {{- $perm | join "," | nindent 4  }}
+    {{- end }}
+  {{- end }} {{- $comment := "End if .csvContent" }}
+

deploy/helm/grafana-ldap-sync/templates/cronjob.yaml

@@ -0,0 +1,102 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "grafana-ldap-sync.fullname" . }}
+  labels:
+    {{- include "grafana-ldap-sync.labels" . | nindent 4 }}
+spec:
+  startingDeadlineSeconds: {{ .Values.cronJob.startingDeadlineSeconds }}
+  schedule: {{ .Values.cronJob.schedule | quote }}
+  successfulJobsHistoryLimit: {{ .Values.cronJob.successfulJobsHistoryLimit }}
+  suspend: {{ .Values.cronJob.suspend }}
+  concurrencyPolicy: {{ .Values.cronJob.concurrencyPolicy }}
+  failedJobsHistoryLimit: {{ .Values.cronJob.failedJobsHistoryLimit }}
+  jobTemplate:
+    metadata:
+      labels:
+        {{- include "grafana-ldap-sync.labels" . | nindent 8 }}
+    spec:
+      activeDeadlineSeconds: 120
+      template:
+        metadata:
+        {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+        {{- end }}
+          labels:
+            {{- include "grafana-ldap-sync.selectorLabels" . | nindent 12 }}
+        spec:
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          serviceAccountName: {{ include "grafana-ldap-sync.serviceAccountName" . }}
+          restartPolicy: {{ .Values.restartPolicy }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.extraInitContainers }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          containers:
+            {{- with .Values.extraContainers }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            - name: {{ .Chart.Name }}
+              {{- with .Values.securityContext }}
+              securityContext:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              args:
+              - --config=/config/config.yaml
+              - --bind=/config/permissions.csv
+              - --log-level={{ .Values.logLevel }}
+              {{- if .Values.dryRun }}
+              - --dry-run
+              {{- end }}
+              {{- with .Values.extraArgs }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+
+              {{- with .Values.resources }}
+              resources:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+              volumeMounts:
+              - name: config
+                mountPath: /config
+                readOnly: true
+              {{- with .Values.extraVolumeMounts }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+              {{- with .Values.extraContainerConfig }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumes:
+            - name: config
+              secret:
+                secretName: {{ include "grafana-ldap-sync.fullname" . }}-config
+            {{- with .Values.extraVolumes }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+---
+{{- range $man := .Values.extraManifests }}
+{{- toYaml $man }}
+---
+{{- end }}
+

deploy/helm/grafana-ldap-sync/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "grafana-ldap-sync.serviceAccountName" . }}
+  labels:
+    {{- include "grafana-ldap-sync.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}