Add exit code (#12)

* set ldap to use recursive search. Set flags for log level.

* Added helm chart

* bumped chart version

* fxied restart policy

* fixed config file line

* fixd name of yaml file

* fixed viewer, editor -> view, edit

* Added exit code logic

* add dev environment

* formatting

* open file with 'with' keyword

* formatting

* removed unused filter, fixed login, name and email being arrays and thus crashing the script

* updated apiVersion of cronjob

---------

Co-authored-by: Oliver Isaac <[email protected]>
Co-authored-by: Jens Plüddemann <[email protected]>

Author: 3 people

.gitignore

@@ -133,4 +133,9 @@ dmypy.json
 .lock
 .idea
 /shelf/
-/workspace.xml
+/workspace.xml
+
+# Nix
+.devenv
+.direnv
+.envrc

Makefile

@@ -1,5 +1,6 @@
 DOCKER_REPO ?= DOCKERHUB_USER/grafana-ldap-sync-script
 DOCKER_TAG ?= v1.0
+CONFIG_DIR ?= ${PWD}
 
 init:
 	pip install -r requirements.txt
@@ -28,7 +29,7 @@ docker-push: docker-build
 	docker push ${DOCKER_REPO}:${DOCKER_TAG}
 
 docker-run: docker-build
-	docker run --mount 'type=bind,source=${PWD},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} --config /data/config.yml --bind /data/example.csv
+	docker run --mount 'type=bind,source=${CONFIG_DIR},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} --config /data/config.yml --bind /data/example.csv --log-level=debug --dry-run
 
 docker-explore: docker-build
-	docker run -it --entrypoint /bin/bash --mount 'type=bind,source=${PWD},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} -o vi
+	docker run -it --entrypoint /bin/bash --mount 'type=bind,source=${CONFIG_DIR},target=/data' ${DOCKER_REPO}:${DOCKER_TAG} -o vi

README.md

@@ -31,9 +31,9 @@ Before starting the script you need to enter your grafana & ldap credentials in
 path to your .csv file containing the bindings.
 
 ### Binding
-To bind LDAP-groups to grafana-teams and grant these teams access to folders you need to provide a .csv file. Please note 
-that the first row of the csv is recognized as a header-row and is therefore being ignored. 
-The file needs to contain the following information in this exact order: 
+To bind LDAP-groups to grafana-teams and grant these teams access to folders you need to provide a .csv file. Please note
+that the first row of the csv is recognized as a header-row and is therefore being ignored.
+The file needs to contain the following information in this exact order:
 * **LDAP-Group**: The LDAP group which will be used for mapping.
 * **Grafana-Team Name**: The name of the Grafana team which will be created (if not exist) and where the group's users will be added to.
 * **Grafana-Team ID**: The ID of the Grafana team (currently not used).
@@ -65,7 +65,7 @@ Using this CSV mapping will result in the following operations:
 
 #### Removing Bindings
 When a binding is removed in your .csv-file, this binding is also removed by the script. So if there is a team in your grafana instance which
-is not defined by the current binding the team will be deleted. This also applies to users. **This does not apply to folders! 
+is not defined by the current binding the team will be deleted. This also applies to users. **This does not apply to folders!
 Folders need to be deleted manually if not needed anymore!**
 
 

config.yml

@@ -24,6 +24,8 @@ config:
     groupSearchBase: dc=example,dc=com
     # Filter that should be used for the group search.
     groupSearchFilter:
+    # Search recursively through groups
+    searchRecusrively: False
     # Search-Base for user objects on the LDAP-Server.
     userSearchBase: dc=example,dc=com
     # Filter that should be used for user searches.

deploy/helm/grafana-ldap-sync/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm/grafana-ldap-sync/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: grafana-ldap-sync
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.4
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.0.0

deploy/helm/grafana-ldap-sync/Makefile

@@ -0,0 +1,2 @@
+template:
+	helm3 template . --values=./values.example.yaml --debug

deploy/helm/grafana-ldap-sync/templates/NOTES.txt

@@ -0,0 +1 @@
+This helm chart deploys a cronjob which runs on, by default, a 30 minute schedule.

deploy/helm/grafana-ldap-sync/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana-ldap-sync.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana-ldap-sync.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana-ldap-sync.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "grafana-ldap-sync.labels" -}}
+helm.sh/chart: {{ include "grafana-ldap-sync.chart" . }}
+{{ include "grafana-ldap-sync.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "grafana-ldap-sync.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "grafana-ldap-sync.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "grafana-ldap-sync.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "grafana-ldap-sync.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deploy/helm/grafana-ldap-sync/templates/config.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "grafana-ldap-sync.fullname" . }}-config
+  labels:
+    {{- include "grafana-ldap-sync.labels" . | nindent 4 }}
+stringData:
+  config.yaml: |
+    config:
+      {{- .Values.config | toYaml | nindent 6 }}
+  {{- if .Values.csvContent }}
+  permissions.csv: {{ .Values.csvContent | quote }}
+  {{- else }}
+  {{- $comment := "In this case we need to generate the CSV usign some crazy logic" }}
+  permissions.csv: |
+    {{- $perms := list ( list "ZBV/LDAP-Gruppe" "Grafana-Team-Name" "Grafana-Team-ID" "Grafana-Folder-Name" "Grafana-Folder-UUID" "Grafana-Folder-Permissions" ) }}
+    {{- $teams := .Values.teams }}
+    {{- $folders := .Values.folders }}
+    {{- $addTeamsToAll := .Values.addTeamsToAll }}
+    {{- range $teamName, $groups := $teams }}
+      {{- $comment := "This is how we default the group list to the team name" }}
+      {{- if not $groups }}
+        {{- $groups = list $teamName }}
+      {{- end }}
+
+      {{- $comment := "Ensure that every permission level exists for every folder" }}
+      {{- range $permLevel, $teamsToAdd := $addTeamsToAll }}
+        {{- range $folderName, $permission := $folders }}
+          {{- if not ( get $permission $permLevel ) }}
+            {{- $permission = set $permission $permLevel ( list ) }}
+            {{- $folders = set $folders $folderName $permission }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      
+      {{- range $folderName, $permission := $folders }}
+        {{- $comment := "This is how we default the permission" }}
+        {{- if not $permission }}
+          {{- $permission = dict "admin" ( list $folderName ) }}
+        {{- end }}
+
+        {{- range $permLevel, $permTeams := $permission }}
+          {{- $comment := "If the user decides to use Admin we must ensure it is lowercase" }}
+          {{- $permLevel = lower $permLevel }}
+
+          {{- $comment := "This is how we use the addTeamsToAll so that a team can be added to all folders" }}
+
+          {{- $teamsToAdd := ( get $addTeamsToAll $permLevel ) }}
+          {{- if $teamsToAdd }}
+            {{- $permTeams = concat $permTeams $teamsToAdd }}
+          {{- end }}
+
+          {{- range $t := $permTeams }}
+            {{- if eq ( toString $t ) $teamName }}
+              {{- range $group := $groups }}
+                {{- $ldapGroup := $group }}
+                {{- $grafanaTeamName := $teamName }}
+                {{- $grafanaTeamID := 1 }}
+                {{- $grafanaFolderName := $folderName }}
+                {{- $grafanaFolderUUID := $folderName | lower | replace " " "-" }}
+                {{- $grafanaFolderPermissions := title $permLevel }}
+
+                {{- $perms = append $perms ( list $ldapGroup $grafanaTeamName $grafanaTeamID $grafanaFolderName $grafanaFolderUUID $grafanaFolderPermissions ) }}
+              {{- end }} {{- $comment := "End range $groups" }}
+            {{- end }} {{- $comment := "end if eq $teamname" }}
+          {{- end }} {{- $comment := "end range $teams" }}
+        {{- end }} {{- $comment := "end range $permission" }}
+      {{- end }} {{- $comment := "end range $folders" }}
+    {{- end }} {{- $comment := "end range $teams" }}
+    {{- range $perm := $perms }}
+      {{- $perm | join "," | nindent 4  }}
+    {{- end }}
+  {{- end }} {{- $comment := "End if .csvContent" }}
+