Spent some time looking at Helm templates and other configuration to understand what was missing, and was able to make it work with the configuration below for Grafana in the custom-values.yaml created from the operator.

Pay special attention to the indentation, since that caused some issues when I was trying to copy and paste from the Grafana chart's values.yaml.

```yaml
# Section keys follow the Grafana Helm chart's values.yaml layout; `grafana` is the
# subchart key used by the prometheus-operator (kube-prometheus-stack) chart.
grafana:
  enabled: true
  namespaceOverride: ""
  rbac:
    pspUseAppArmor: false
  grafana.ini:
    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    log:
      mode: console
      #level: debug
      # to enable debug level for ldap calls only
      #filters: ldap:debug
    server:
      domain: sbgrafana.mysite.com
      #root_url: "%(protocol)s://%(domain)s/"
      root_url: https://sbgrafana.mysite.com/grafana/
      serve_from_sub_path: true
    auth.ldap:
      enabled: true
      allow_sign_up: true
      config_file: /etc/grafana/ldap.toml

  ldap:
    enabled: true
    # `existingSecret` is a reference to an existing secret containing the ldap configuration
    # for Grafana in a key `ldap-toml`.
    existingSecret: ""
    # `config` is the content of `ldap.toml` that will be stored in the created secret
    config: |-
      verbose_logging = true

      [[servers]]
      host = "my.ldap.com"
      # Default port is 389 or 636 if use_ssl = true
      # port = 389
      # use_ssl = false
      port = 636
      use_ssl = true
      # CA cert is mapped as certs-configmap in extraConfigmapMounts section below -- path in Grafana container
      root_ca_cert = "/etc/grafana/ssl/CACert.pem"
      start_tls = false
      ssl_skip_verify = false
      bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
      # Expanded from the environment at runtime so the password never sits in values.yaml
      bind_password = "${LDAP_BIND_PASSWORD}"
      search_filter = "(uid=%s)"
      group_search_filter = "(&(objectClass=groupOfUniqueNames) 
      group_search_base_dns = ["uid=%s,ou=users,dc=myorg,dc=com"]
      group_search_filter_user_attribute = "uid"

      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "cn"
      email = "mail"

      [[servers.group_mappings]]
      group_dn = "cn=admins,dc=grafana,dc=org"
      org_role = "Admin"

      [[servers.group_mappings]]
      group_dn = "cn=users,dc=grafana,dc=org"
      org_role = "Editor"

      [[servers.group_mappings]]
      group_dn = "*"
      org_role = "Viewer"

  extraConfigmapMounts:
    - name: certs-configmap
      mountPath: /etc/grafana/ssl/
      configMap: certs-configmap
      readOnly: true
```

Steps for creating the configmap referenced above for LDAP SSL/HTTPS communication. At least I couldn't find clear information, so I'm adding it here for others.

```shell
kubectl -n monitoring create configmap certs-configmap --from-file=my-ca-cert.pem
```

Create a custom secret in the monitoring namespace with the key LDAP_BIND_PASSWORD and the LDAP bind password as the value. Now we no longer need to have it in plain text in the custom values.yaml file.
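The post's ldap.toml gets several things right that are easy to lose when copying values around: LDAPS on 636, certificate verification left on, a pinned CA, the bind password pulled from an environment variable, and the wildcard group mapped only to Viewer. The following linter, an added example that is not part of the post or of Grafana or its Helm chart, parses the `[[servers]]` / `[servers.attributes]` / `[[servers.group_mappings]]` layout and reports deviations from those properties. Both sample configs are constructed; HARDENED mirrors the post's shape (with the truncated group_search_filter left out), WEAK is a hypothetical misconfiguration, and the `example.invalid` host is a placeholder.

```python
"""Lint a Grafana ldap.toml for TLS and secret-handling properties.
Added example; not code from Grafana or the Grafana Helm chart."""
import re

# Constructed samples. HARDENED follows the post's ldap.toml; WEAK is hypothetical.
HARDENED = """
[[servers]]
host = "my.ldap.com"
port = 636
use_ssl = true
root_ca_cert = "/etc/grafana/ssl/CACert.pem"
start_tls = false
ssl_skip_verify = false
bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
bind_password = "${LDAP_BIND_PASSWORD}"
search_filter = "(uid=%s)"
group_search_base_dns = ["uid=%s,ou=users,dc=myorg,dc=com"]
[servers.attributes]
username = "cn"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=admins,dc=grafana,dc=org"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
"""

WEAK = """
[[servers]]
host = "ldap.example.invalid"
port = 389            # cleartext LDAP
use_ssl = false
ssl_skip_verify = true
bind_dn = "cn=svc,dc=example,dc=invalid"
bind_password = "hunter2"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
"""

ENV_REF = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")  # e.g. ${LDAP_BIND_PASSWORD}


def _value(raw):
    """Parse the TOML value subset ldap.toml uses: string, string list, bool, int."""
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)]
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw[:raw.index("]") + 1])
    token = raw.split("#", 1)[0].strip()  # drop a trailing comment
    if token in ("true", "false"):
        return token == "true"
    return int(token)


def parse_ldap_toml(text):
    """Minimal parser for the servers / attributes / group_mappings tables."""
    servers, target = [], None  # target: dict currently receiving key = value lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[[") and line.endswith("]]"):
            name = line[2:-2].strip()
            if name == "servers":
                servers.append({"attributes": {}, "group_mappings": []})
                target = servers[-1]
            elif name == "servers.group_mappings":
                servers[-1]["group_mappings"].append({})
                target = servers[-1]["group_mappings"][-1]
            else:
                raise ValueError(f"unexpected table {name}")
        elif line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip() != "servers.attributes":
                raise ValueError(f"unexpected table {line}")
            target = servers[-1]["attributes"]
        else:
            m = re.match(r"^(\w+)\s*=\s*(.+?)\s*$", line)
            if not m or target is None:
                raise ValueError(f"cannot parse line: {raw!r}")
            target[m.group(1)] = _value(m.group(2))
    return servers


def lint_server(server):
    """Return human-readable findings for one [[servers]] entry (empty = clean)."""
    findings = []
    use_ssl, start_tls = server.get("use_ssl", False), server.get("start_tls", False)
    if not (use_ssl or start_tls):
        findings.append("no TLS: set use_ssl = true (LDAPS) or start_tls = true")
    if use_ssl and server.get("port", 636) == 389:
        findings.append("use_ssl = true on port 389; LDAPS is normally 636")
    if server.get("ssl_skip_verify", False):
        findings.append("ssl_skip_verify = true disables certificate verification")
    if (use_ssl or start_tls) and not server.get("root_ca_cert"):
        findings.append("no root_ca_cert: trust falls back to the container CA store")
    password = server.get("bind_password", "")
    if password and not ENV_REF.match(password):
        findings.append("bind_password is a literal; use ${ENV_VAR} fed from a Secret")
    for mapping in server["group_mappings"]:
        if mapping.get("group_dn") == "*" and mapping.get("org_role") != "Viewer":
            findings.append(f"group_dn \"*\" grants {mapping['org_role']} to every user")
    return findings


def lint_ldap_toml(text):
    """Map each server host to its findings."""
    return {s.get("host", "?"): lint_server(s) for s in parse_ldap_toml(text)}


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        for host, findings in lint_ldap_toml(text).items():
            print(f"{label} ({host}): {findings or 'no findings'}")
```

The `${LDAP_BIND_PASSWORD}` reference only works if that variable actually reaches the Grafana container; in the Grafana chart the usual way to inject the secret created above is its `envFromSecret` value pointing at that secret's name.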

