Merge "Enable TLS between Prometheus and Grafana"

2021-03-18 15:28:34 +00:00 · 2021-03-18 15:28:34 +00:00 · 43226de6e3
commit 43226de6e3
parent f78cbde672 86112314ed
6 changed files with 29 additions and 35 deletions
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.4
+version: 0.1.5
 home: https://grafana.com/
 sources:
  - https://github.com/grafana/grafana
--- a/grafana/templates/certificates.yaml
+++ b/grafana/templates/certificates.yaml
@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{  dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@ -81,6 +81,13 @@ spec:
                  key: GRAFANA_ADMIN_PASSWORD
            - name: PROMETHEUS_URL
              value: {{ tuple "monitoring" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- if .Values.manifests.certificates }}
+            - name: CACERT
+              valueFrom:
+                secretKeyRef:
+                  key: ca.crt
+                  name: prometheus-tls-api
+{{- end }}
 {{- if .Values.pod.env.grafana }}
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.grafana | indent 12 }}
 {{- end }}
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@ -236,13 +236,6 @@ endpoints:
      public: grafana
    host_fqdn_override:
      default: null
-      # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
-      # endpoints using the following format:
-      # public:
-      #   host: null
-      #   tls:
-      #     crt: null
-      #     key: null
    path:
      default: null
    scheme:
@ -366,7 +359,6 @@ secrets:
    grafana:
      grafana:
        public: grafana-tls-public
-        internal: grafana-tls-api
  prometheus:
    user: prometheus-user-creds

--- a/grafana/values_overrides/tls.yaml
+++ b/grafana/values_overrides/tls.yaml
@ -6,15 +6,26 @@ conf:
      ca_cert_path: /etc/mysql/certs/ca.crt
      client_key_path: /etc/mysql/certs/tls.key
      client_cert_path: /etc/mysql/certs/tls.crt
-endpoints:
-  grafana:
-    host_fqdn_override:
-      default:
-        tls:
-          secretName: grafana-tls-api
-          issuerRef:
-            name: ca-issuer
-            kind: ClusterIssuer
+  provisioning:
+    datasources:
+      template: |
+        {{ $prom_host := tuple "monitoring" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+        {{ $prom_uri := printf "https://%s" $prom_host }}
+        apiVersion: 1
+        datasources:
+        - name: prometheus
+          type: prometheus
+          access: proxy
+          orgId: 1
+          editable: true
+          basicAuth: true
+          basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username }}
+          jsonData:
+            tlsAuthWithCACert: true
+          secureJsonData:
+            basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
+            tlsCACert: $CACERT
+          url: {{ $prom_uri }}
 manifests:
  certificates: true
 ...
--- a/releasenotes/notes/grafana.yaml
+++ b/releasenotes/notes/grafana.yaml
@ -5,4 +5,5 @@ grafana:
  - 0.1.2 Update Grafana version
  - 0.1.3 Provision any dashboard as homepage
  - 0.1.4 Enable TLS for Grafana
+  - 0.1.5 Enable TLS between Grafana and Prometheus
 ...