From 81ad9769fad0deadf37e71324973f733adc8ead1 Mon Sep 17 00:00:00 2001 From: Sergey Kostrukov Date: Wed, 12 May 2021 07:23:37 -0700 Subject: [PATCH] AzureMonitor: Azure settings in Grafana server config (#33728) * Azure cloud settings * Fix typos * Grouped Azure settings * Doc fixes * Some settings are not needed * Updated cloud name aliases --- conf/defaults.ini | 16 +++++ conf/sample.ini | 16 +++++ docs/sources/administration/configuration.md | 25 ++++++++ packages/grafana-runtime/src/config.ts | 8 +++ pkg/api/frontendsettings.go | 4 ++ pkg/setting/setting.go | 4 ++ pkg/setting/setting_azure.go | 62 ++++++++++++++++++++ 7 files changed, 135 insertions(+) create mode 100644 pkg/setting/setting_azure.go diff --git a/conf/defaults.ini b/conf/defaults.ini index 3209651dd43..ac000daa2f0 100644 --- a/conf/defaults.ini +++ b/conf/defaults.ini @@ -546,6 +546,22 @@ assume_role_enabled = true # Specify max no of pages to be returned by the ListMetricPages API list_metrics_page_limit = 500 +#################################### Azure ############################### +[azure] +# Azure cloud environment where Grafana is hosted +# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud +# Default value is AzureCloud (i.e. public cloud) +cloud = AzureCloud + +# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance) +# If enabled, the managed identity can be used for authentication of Grafana in Azure services +# Disabled by default, needs to be explicitly enabled +managed_identity_enabled = false + +# Client ID to use for user-assigned managed identity +# Should be set for user-assigned identity and should be empty for system-assigned identity +managed_identity_client_id = + #################################### SMTP / Emailing ##################### [smtp] enabled = false diff --git a/conf/sample.ini b/conf/sample.ini index e547b8f5422..357a682a4da 100644 --- a/conf/sample.ini 
+++ b/conf/sample.ini @@ -533,6 +533,22 @@ # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers ; assume_role_enabled = true +#################################### Azure ############################### +[azure] +# Azure cloud environment where Grafana is hosted +# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud +# Default value is AzureCloud (i.e. public cloud) +;cloud = AzureCloud + +# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance) +# If enabled, the managed identity can be used for authentication of Grafana in Azure services +# Disabled by default, needs to be explicitly enabled +;managed_identity_enabled = false + +# Client ID to use for user-assigned managed identity +# Should be set for user-assigned identity and should be empty for system-assigned identity +;managed_identity_client_id = + #################################### SMTP / Emailing ########################## [smtp] ;enabled = false diff --git a/docs/sources/administration/configuration.md b/docs/sources/administration/configuration.md index e8a808f4607..8bf45053b0a 100644 --- a/docs/sources/administration/configuration.md +++ b/docs/sources/administration/configuration.md @@ -807,6 +807,31 @@ Use the [List Metrics API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/A
+## [azure] + +Grafana supports additional integration with Azure services when hosted in the Azure Cloud. + +### cloud + +Azure cloud environment where Grafana is hosted: + +| Azure Cloud | Value | +| ------------------------------------------------ | ---------------------- | +| Microsoft Azure public cloud | AzureCloud (*default*) | +| Microsoft Chinese national cloud | AzureChinaCloud | +| US Government cloud | AzureUSGovernment | +| Microsoft German national cloud ("Black Forest") | AzureGermanCloud | + +### managed_identity_enabled + +Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance). Disabled by default, needs to be explicitly enabled. + +### managed_identity_client_id + +The client ID to use for user-assigned managed identity. + +Should be set for user-assigned identity and should be empty for system-assigned identity. + ## [auth.jwt] Refer to [JWT authentication]({{< relref "../auth/jwt.md" >}}) for more information. diff --git a/packages/grafana-runtime/src/config.ts b/packages/grafana-runtime/src/config.ts index 68d8feeb02d..1ec1f830827 100644 --- a/packages/grafana-runtime/src/config.ts +++ b/packages/grafana-runtime/src/config.ts @@ -13,6 +13,11 @@ import { SystemDateFormatSettings, } from '@grafana/data'; +export interface AzureSettings { + cloud?: string; + managedIdentityEnabled: boolean; +} + export class GrafanaBootConfig implements GrafanaConfig { datasources: { [str: string]: DataSourceInstanceSettings } = {}; panels: { [key: string]: PanelPluginMeta } = {}; @@ -74,6 +79,9 @@ export class GrafanaBootConfig implements GrafanaConfig { customTheme?: any; awsAllowedAuthProviders: string[] = []; awsAssumeRoleEnabled = false; + azure: AzureSettings = { + managedIdentityEnabled: false, + }; constructor(options: GrafanaBootConfig) { const mode = options.bootData.user.lightTheme ? 'light' : 'dark'; 
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go index bc94e5e3b95..1c8f813532b 100644 --- a/pkg/api/frontendsettings.go +++ b/pkg/api/frontendsettings.go @@ -246,6 +246,10 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i "expressionsEnabled": hs.Cfg.ExpressionsEnabled, "awsAllowedAuthProviders": hs.Cfg.AWSAllowedAuthProviders, "awsAssumeRoleEnabled": hs.Cfg.AWSAssumeRoleEnabled, + "azure": map[string]interface{}{ + "cloud": hs.Cfg.Azure.Cloud, + "managedIdentityEnabled": hs.Cfg.Azure.ManagedIdentityEnabled, + }, } return jsonObj, nil diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go index bd3bc6bd0b8..42f6a535a0a 100644 --- a/pkg/setting/setting.go +++ b/pkg/setting/setting.go @@ -284,6 +284,9 @@ type Cfg struct { AWSAssumeRoleEnabled bool AWSListMetricsPageLimit int + // Azure Cloud settings + Azure AzureSettings + // Auth proxy settings AuthProxyEnabled bool AuthProxyHeaderName string @@ -900,6 +903,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error { cfg.readLDAPConfig() cfg.handleAWSConfig() + cfg.readAzureSettings() cfg.readSessionConfig() cfg.readSmtpSettings() cfg.readQuotaSettings() diff --git a/pkg/setting/setting_azure.go b/pkg/setting/setting_azure.go new file mode 100644 index 00000000000..1ec0a805164 --- /dev/null +++ b/pkg/setting/setting_azure.go 
@@ -0,0 +1,62 @@
+package setting
+
+import "strings"
+
+const (
+ AzurePublic = "AzureCloud"
+ AzureChina = "AzureChinaCloud"
+ AzureUSGovernment = "AzureUSGovernment"
+ AzureGermany = "AzureGermanCloud"
+)
+
+type AzureSettings struct {
+ Cloud string
+ ManagedIdentityEnabled bool
+ ManagedIdentityClientId string
+}
+
+func (cfg *Cfg) readAzureSettings() {
+ azureSection := cfg.Raw.Section("azure")
+
+ // Cloud
+ cloudName := azureSection.Key("cloud").MustString(AzurePublic)
+ cfg.Azure.Cloud = normalizeAzureCloud(cloudName)
+
+ // Managed Identity
+ cfg.Azure.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false)
+ cfg.Azure.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String()
+}
+
+func normalizeAzureCloud(cloudName string) string {
+ switch strings.ToLower(cloudName) {
+ // Public
+ case "azurecloud":
+ case "azurepublic":
+ case "azurepubliccloud":
+ case "public":
+ return AzurePublic
+
+ // China
+ case "azurechina":
+ case "azurechinacloud":
+ case "china":
+ return AzureChina
+
+ // US Government
+ case "azureusgovernment":
+ case "azureusgovernmentcloud":
+ case "usgov":
+ case "usgovernment":
+ return AzureUSGovernment
+
+ // Germany
+ case "azuregermancloud":
+ case "azuregermany":
+ case "german":
+ case "germany":
+ return AzureGermany
+ }
+
+ // Pass the name unchanged if it's not known
+ return cloudName
+}
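Review bot: `normalizeAzureCloud` returns the unchanged input for most of the aliases it lists, because Go `case` clauses do not fall through: `case "azurecloud":` with an empty body matches and exits the switch, so only the last label of each group (`public`, `china`, `usgovernment`, `germany`) ever reaches its `return`, and `cloud = AzurePublic` yields `"AzurePublic"` rather than `AzureCloud`, while the documented default `AzureCloud` only works because the input already equals the constant. Fold each group into one comma-separated case as below. The unknown-name path at the end silently passes the value through; a warn-level log there would let an operator notice a misspelled cloud name instead of the consumers of `cfg.Azure.Cloud` quietly treating it as an unrecognised environment (how they handle it is outside this hunk). Minor: Go naming convention would spell the exported field `ManagedIdentityClientID`.
```go
func normalizeAzureCloud(cloudName string) string {
	switch strings.ToLower(cloudName) {
	case "azurecloud", "azurepublic", "azurepubliccloud", "public":
		return AzurePublic
	case "azurechina", "azurechinacloud", "china":
		return AzureChina
	case "azureusgovernment", "azureusgovernmentcloud", "usgov", "usgovernment":
		return AzureUSGovernment
	case "azuregermancloud", "azuregermany", "german", "germany":
		return AzureGermany
	}
	// … unchanged: pass the name through when it is not a known alias …
	return cloudName
}
```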