Feature/influxdb non admin token #153

20 changes: 20 additions & 0 deletions Site/ASAB Maestro/Descriptors/influxdb.yaml
Expand Up @@ -40,6 +40,26 @@ nginx:
- rewrite ^/influxdb/(.*) /$1 break
- proxy_pass http://upstream-influxdb

sherpas:
Collaborator

Sherpa runs with every UP, so it must be restartable without breaking anything or creating a bambilion of new tokens.

# Sherpas containers: akin to their namesake mountain guides, these containers provide essential support and guidance throughout the application's lifecycle.
# provide a name to your sherpa and a descriptor for its very own container.
init:
image: infuxdb:{{ VERSIONS["influxdb"] }}
entrypoint: ["bash", "/script/influx-init.sh"]
command: ["echo", "DONE"]
volumes:
- "{{SITE}}/{{INSTANCE_ID}}/script:/script:ro"
depends_on: ["{{INSTANCE_ID}}"]
environment:
INFLUXDB_HOSTNAME: "{{INFLUXDB_HOSTNAME}}"
DOCKER_INFLUXDB_INIT_BUCKET: "{{DOCKER_INFLUXDB_INIT_BUCKET}}"
DOCKER_INFLUXDB_INIT_ORG: "{{DOCKER_INFLUXDB_INIT_ORG}}"
DOCKER_INFLUXDB_INIT_USERNAME: "{{DOCKER_INFLUXDB_INIT_USERNAME}}"

files:
- "script/influx-init.sh"
# - "script/replica-set.json" will be added by ASAB Remote Control / Mongo Tech

# Exposure of InfluxDB on the public HTTPS is disabled b/c there is no authorization introspection available
# https:
# location /influxdb:
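Review bot: The `image:` line of the `init` sherpa reads `infuxdb:{{ VERSIONS["influxdb"] }}`, with the "l" missing from the image name, so the pull either fails or resolves to whatever unrelated repository owns that name; it should be `influxdb:`. Two smaller points in the same block: the entrypoint runs the script with `bash` while the script's shebang is `#!/bin/sh`, so one of the two should change, and the commented `script/replica-set.json` line under `files:` mentions Mongo Tech and looks carried over from another descriptor.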
36 changes: 36 additions & 0 deletions Site/ASAB Maestro/Files/influxdb/influx-init.sh
@@ -0,0 +1,36 @@
#!/bin/sh

# Wait for InfluxDB to start
until curl -s http://{{INFLUXDB_HOSTNAME}}:8086/health | grep -q '"status": "pass"'; do
echo "Waiting for InfluxDB to start..."
sleep 1
done

# Get the bucket ID
BUCKET_ID=$(curl -s -X GET http://{{INFLUXDB_HOSTNAME}}:8086/api/v2/buckets -H 'Authorization: Token "{{INFLUXDB_TOKEN}}"' -H "Accept: application/json" | jq -r '.buckets[] | select(.name=="{{DOCKER_INFLUXDB_INIT_BUCKET}}") | .id')
Collaborator

Even though we create just one bucket, there can be multiple in the influx in the end if created manually by the user.

# Get the org ID
ORG_ID=$(curl -s -X GET http://{{INFLUXDB_HOSTNAME}}:8086/api/v2/orgs -H 'Authorization: Token "{{INFLUXDB_TOKEN}}"' -H "Accept: application/json" | jq -r '.orgs[] | select(.name=="{{DOCKER_INFLUXDB_INIT_ORG}}") | .id')

# Get the user ID
USER_ID=$(curl -s -X GET http://{{INFLUXDB_HOSTNAME}}:8086/api/v2/users -H 'Authorization: Token "{{INFLUXDB_TOKEN}}"' -H "Accept: application/json" | jq -r '.users[] | select(.name=="{{DOCKER_INFLUXDB_INIT_USERNAME}}") | .id')

# Create the non-admin token using the InfluxDB API v2
curl -X POST http://{{INFLUXDB_HOSTNAME}}:8086/api/v2/authorizations \
Collaborator

We need to get the token itself and send it to vault.

Collaborator

Even if you manage to send the token into vault, I don't know how to effectively distribute it.
But I can probably somehow solve this in the influxdb tech.

-H "Authorization: Token {{INFLUXDB_TOKEN}}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"description": "Non-admin user with write access",
"orgID": "'"$ORG_ID"'",
"permissions": [
{
"action": "write",
"resource": {
"type": "buckets",
"id": "'"$BUCKET_ID"'"
}
}
],
"status": "active",
"userID": "'"$USER_ID"'"
}'
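Review bot: The three ID lookups send `-H 'Authorization: Token "{{INFLUXDB_TOKEN}}"'`, where the double quotes sit inside single quotes and so become part of the header value, while the POST sends the token unquoted; the lookups should use the same unquoted form. Nothing checks that `BUCKET_ID`, `ORG_ID` and `USER_ID` are non-empty before the POST, so a failed lookup turns into a request with empty IDs. The final `curl -X POST` has no `-s` and no capture of its output, so the response body, which carries the newly created token, is written to the sherpa's stdout; assign it to a variable and extract the token from there instead. The health loop greps for the exact string `"status": "pass"` including the space, which ties it to the server's JSON whitespace; since `jq` is already used, `jq -e '.status == "pass"'` would be the more robust test. The admin token is also rendered into the script file through `{{INFLUXDB_TOKEN}}`; passing it through the sherpa's `environment:` would keep it out of the file on disk.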