Enable TLS for grafana

This patchset updates grafana chart manifests to enable TLS with
osh-infra mariadb.  TLS for osh-infra mariadb is completed as part
of TLS phase 1, no additional mariadb chart work is required to
work with this patch.

Change-Id: Ic01e7c012ab2167d59b2117eb985386666f2bb2a
Lo, Chi (cl566n) 2021-02-05 20:47:23 -08:00
parent ee5482e9ed
commit 87e3a02dd5
12 changed files with 87 additions and 4 deletions


@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v7.3.6 appVersion: v7.3.6
description: OpenStack-Helm Grafana description: OpenStack-Helm Grafana
name: grafana name: grafana
version: 0.1.3 version: 0.1.4
home: https://grafana.com/ home: https://grafana.com/
sources: sources:
- https://github.com/grafana/grafana - https://github.com/grafana/grafana


@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}
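Review bot: The include requests a certificate for the grafana `internal` endpoint whenever `manifests.certificates` is set, but no other file in this change consumes the resulting secret — the deployment hunk mounts only the mariadb client secret and grafana.ini gains no `server` TLS keys — so the certificate presumably terminates at the ingress rather than in Grafana itself. A one-line template comment above the include would spare the next reader that inference, e.g. `{{/* Issues the grafana internal endpoint certificate (secretName from endpoints.grafana.host_fqdn_override.default.tls); Grafana's own listener is unchanged, database TLS is wired in configmap-etc */}}`. The same flag also gates the mariadb client-TLS mounts, env and secrets in the other templates, which is worth stating here so nobody expects to enable one without the other.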


@ -16,7 +16,14 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- if and (empty .Values.conf.grafana.database.url) (not (eq .Values.conf.grafana.database.type "sqlite3") ) -}} {{- if and (empty .Values.conf.grafana.database.url) (not (eq .Values.conf.grafana.database.type "sqlite3") ) -}}
{{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" | set .Values.conf.grafana.database "url" }}
{{- $url := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := (printf "%s?charset=utf8" $url ) | set .Values.conf.grafana.database "url" -}}
{{- $_ := tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | set .Values.conf.grafana.database "server_cert_name" -}}
{{- else -}}
{{- $_ := set .Values.conf.grafana.database "url" $url -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.grafana.session.provider_config -}} {{- if empty .Values.conf.grafana.session.provider_config -}}
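Review bot: `charset=utf8` is appended only in the certificates branch (L52) while the plain branch (L55) stores the bare `$url`, so enabling TLS silently changes the connection charset as well; if the parameter is wanted it belongs in both branches, and if it is genuinely tied to the ssl settings a comment should say why. The `printf "%s?charset=utf8"` also assumes the looked-up URI carries no query string of its own, which holds for the toolkit lookup as used here but deserves a comment. `server_cert_name` is set to the endpoint host, which as far as I recall from Grafana's `[database]` settings is the name matched against the server certificate when `ssl_mode` is `true`; a why-comment such as `{{/* server_cert_name must match the CN/SAN of the mariadb server certificate; ssl_mode and cert paths are supplied by values_overrides/tls.yaml */}}` ties the two files together. The enclosing template continues outside the hunk.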


@ -118,6 +118,7 @@ spec:
mountPath: /etc/grafana/dashboards/{{$key}}.json mountPath: /etc/grafana/dashboards/{{$key}}.json
subPath: {{$key}}.json subPath: {{$key}}.json
{{- end }} {{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_grafana.volumeMounts }}{{ toYaml $mounts_grafana.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_grafana.volumeMounts }}{{ toYaml $mounts_grafana.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -144,5 +145,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
- name: data - name: data
emptyDir: {} emptyDir: {}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_grafana.volumes }}{{ toYaml $mounts_grafana.volumes | indent 8 }}{{ end }} {{ if $mounts_grafana.volumes }}{{ toYaml $mounts_grafana.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}
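Review bot: The mount (L66) and volume (L74) look up the client TLS secret under `endpoints.oslo_db.auth.admin.secret.tls.internal` although the grafana container connects with the `auth.user` credentials (configmap-etc builds the url with the `user` class), so the runtime pod presents the same client keypair the root-credential init jobs use. That works because values.yaml defines the key only under `admin`, but it reads as a copy-paste from the jobs; a comment like `{{/* client TLS secret is shared across db identities and is only defined under auth.admin in values.yaml */}}` above L66 would make it deliberate. Both snippets are gated by `manifests.certificates`, yet the `name` argument is evaluated regardless, so an operator override that replaces `auth.admin` wholesale without a `secret.tls` map will likely fail to render even with certificates disabled — confirm, and consider guarding the lookup. The enclosing deployment spec starts outside the hunk.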


@ -57,6 +57,10 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.oslo_db_session.user }} name: {{ .Values.secrets.oslo_db_session.user }}
key: DB_CONNECTION key: DB_CONNECTION
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
command: command:
- /tmp/db-init.py - /tmp/db-init.py
volumeMounts: volumeMounts:
@ -66,6 +70,7 @@ spec:
mountPath: /tmp/db-init.py mountPath: /tmp/db-init.py
subPath: db-init.py subPath: db-init.py
readOnly: true readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -73,4 +78,5 @@ spec:
configMap: configMap:
name: grafana-bin name: grafana-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}
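Review bot: The `MARIADB_X509` env entry (L84-87) is an opaque hand-off to `/tmp/db-init.py`, which is not part of this change, so nothing in the template says what `"REQUIRE X509"` does to the account being provisioned; a comment above the `if`, e.g. `# consumed by db-init.py (helm-toolkit) so the provisioned account can only authenticate with a client certificate — confirm against the script`, would document the intent. The identical block is added in job-db-init.yaml and job-db-session-sync.yaml, so the comment belongs in all three. Note that `REQUIRE X509` on its own accepts any certificate the server trusts; if the mariadb chart later issues per-client certificates, a `REQUIRE SUBJECT`/`ISSUER` form would bind the grant to that identity, and a TODO recording that scope decision is worth leaving here. The enclosing job spec starts outside the hunk.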


@ -57,6 +57,10 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.oslo_db.user }} name: {{ .Values.secrets.oslo_db.user }}
key: DB_CONNECTION key: DB_CONNECTION
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
command: command:
- /tmp/db-init.py - /tmp/db-init.py
volumeMounts: volumeMounts:
@ -66,6 +70,7 @@ spec:
mountPath: /tmp/db-init.py mountPath: /tmp/db-init.py
subPath: db-init.py subPath: db-init.py
readOnly: true readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -73,4 +78,5 @@ spec:
configMap: configMap:
name: grafana-bin name: grafana-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}


@ -52,6 +52,10 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.oslo_db_session.user }} name: {{ .Values.secrets.oslo_db_session.user }}
key: DB_CONNECTION key: DB_CONNECTION
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
command: command:
- /tmp/db-session-sync.py - /tmp/db-session-sync.py
volumeMounts: volumeMounts:
@ -61,6 +65,7 @@ spec:
mountPath: /tmp/db-session-sync.py mountPath: /tmp/db-session-sync.py
subPath: db-session-sync.py subPath: db-session-sync.py
readOnly: true readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -68,4 +73,5 @@ spec:
configMap: configMap:
name: grafana-bin name: grafana-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}


@ -16,6 +16,7 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "user" }} {{- range $key1, $userClass := tuple "admin" "user" }}
{{- $secretName := index $envAll.Values.secrets.oslo_db_session $userClass }} {{- $secretName := index $envAll.Values.secrets.oslo_db_session $userClass }}
{{- $connection := tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -23,6 +24,10 @@ metadata:
name: {{ $secretName }} name: {{ $secretName }}
type: Opaque type: Opaque
data: data:
DB_CONNECTION: {{ tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} {{- if $envAll.Values.manifests.certificates }}
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
{{- else }}
DB_CONNECTION: {{ $connection | b64enc -}}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
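Review bot: The TLS branch (L177) bakes absolute certificate paths into the connection string, and those must agree with the `"path" "/etc/mysql/certs"` passed to `tls_volume_mount` in the job templates and with the file names the mounted secret carries (`ca.crt`, `tls.key`, `tls.crt`); nothing documents that coupling, so a template comment above the `if` such as `{{/* paths must match the tls_volume_mount path in job-db-*.yaml and the key names of the mariadb client TLS secret */}}` is warranted. `ssl_verify_cert` is emitted as a bare key with no value, so whether the server certificate is actually verified depends on how db-init.py parses the URI — confirm that, because without server verification the client certificate alone gives no protection against a spoofed database endpoint. The `printf "%s?..."` also assumes `$connection` has no query string already. The same lines are added in secret-db.yaml, so the comment applies there too.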


@ -16,6 +16,7 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "user" }} {{- range $key1, $userClass := tuple "admin" "user" }}
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -23,6 +24,10 @@ metadata:
name: {{ $secretName }} name: {{ $secretName }}
type: Opaque type: Opaque
data: data:
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} {{- if $envAll.Values.manifests.certificates }}
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
{{- else }}
DB_CONNECTION: {{ $connection | b64enc -}}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -188,6 +188,9 @@ endpoints:
admin: admin:
username: root username: root
password: password password: password
secret:
tls:
internal: mariadb-tls-direct
user: user:
username: grafana username: grafana
password: password password: password
@ -206,6 +209,9 @@ endpoints:
admin: admin:
username: root username: root
password: password password: password
secret:
tls:
internal: mariadb-tls-direct
user: user:
username: grafana_session username: grafana_session
password: password password: password
@ -360,10 +366,12 @@ secrets:
grafana: grafana:
grafana: grafana:
public: grafana-tls-public public: grafana-tls-public
internal: grafana-tls-api
prometheus: prometheus:
user: prometheus-user-creds user: prometheus-user-creds
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
configmap_dashboards: true configmap_dashboards: true
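Review bot: Both `oslo_db` and `oslo_db_session` point their new `secret.tls.internal` at the same `mariadb-tls-direct` secret (L212-214, L222-224), and that one keypair is mounted by the root init jobs and the grafana runtime pod alike; together with the `REQUIRE X509` grants in the job templates, it becomes a single shared credential across every database identity this chart creates. That may be the intended phase-1 scope, but it deserves a comment next to the key, e.g. `# client cert/key for mariadb TLS; one secret shared by all db identities in this chart`, and `certificates: false` (L236) should say that it gates both the grafana certificate and the mariadb client TLS. Because the key is added only under `auth.admin` and the templates index exactly that path, an override that replaces `auth.admin` without a `secret.tls` map will likely fail to render even with certificates disabled.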


@ -0,0 +1,20 @@
---
conf:
grafana:
database:
ssl_mode: true
ca_cert_path: /etc/mysql/certs/ca.crt
client_key_path: /etc/mysql/certs/tls.key
client_cert_path: /etc/mysql/certs/tls.crt
endpoints:
grafana:
host_fqdn_override:
default:
tls:
secretName: grafana-tls-api
issuerRef:
name: ca-issuer
kind: ClusterIssuer
manifests:
certificates: true
...
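Review bot: `ssl_mode: true` (L248) is a YAML boolean, but Grafana's `[database] ssl_mode` for MySQL is a tri-state string (`true`, `false`, `skip-verify`); quoting it as `ssl_mode: "true"` keeps it a string through Helm value merges and makes the third option visible to whoever edits this next. The three `*_path` values repeat the `/etc/mysql/certs` mount path and file names used by the deployment hunk; a comment such as `# must match the tls_volume_mount path in deployment.yaml and the secret's key names` prevents the two from drifting. The `issuerRef` names a `ClusterIssuer` called `ca-issuer` that this chart does not create, which is worth a comment stating it is expected to pre-exist.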


@ -4,4 +4,5 @@ grafana:
- 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0" - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- 0.1.2 Update Grafana version - 0.1.2 Update Grafana version
- 0.1.3 Provision any dashboard as homepage - 0.1.3 Provision any dashboard as homepage
- 0.1.4 Enable TLS for Grafana
... ...