Merge "Enable TLS between Prometheus and Grafana"

grafana/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.4
+version: 0.1.5
 home: https://grafana.com/
 sources:
   - https://github.com/grafana/grafana

grafana/templates/certificates.yaml

@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{  dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}

grafana/templates/deployment.yaml

@@ -81,6 +81,13 @@ spec:
                   key: GRAFANA_ADMIN_PASSWORD
             - name: PROMETHEUS_URL
               value: {{ tuple "monitoring" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- if .Values.manifests.certificates }}
+            - name: CACERT
+              valueFrom:
+                secretKeyRef:
+                  key: ca.crt
+                  name: prometheus-tls-api
+{{- end }}
 {{- if .Values.pod.env.grafana }}
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.grafana | indent 12 }}
 {{- end }}

grafana/values.yaml

@@ -236,13 +236,6 @@ endpoints:
       public: grafana
     host_fqdn_override:
       default: null
-      # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
-      # endpoints using the following format:
-      # public:
-      #   host: null
-      #   tls:
-      #     crt: null
-      #     key: null
     path:
       default: null
     scheme:
@@ -366,7 +359,6 @@ secrets:
     grafana:
       grafana:
         public: grafana-tls-public
-        internal: grafana-tls-api
   prometheus:
     user: prometheus-user-creds
 

grafana/values_overrides/tls.yaml

@@ -6,15 +6,26 @@ conf:
       ca_cert_path: /etc/mysql/certs/ca.crt
       client_key_path: /etc/mysql/certs/tls.key
       client_cert_path: /etc/mysql/certs/tls.crt
-endpoints:
+  provisioning:
-  grafana:
+    datasources:
-    host_fqdn_override:
+      template: |
-      default:
+        {{ $prom_host := tuple "monitoring" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
-        tls:
+        {{ $prom_uri := printf "https://%s" $prom_host }}
-          secretName: grafana-tls-api
+        apiVersion: 1
-          issuerRef:
+        datasources:
-            name: ca-issuer
+        - name: prometheus
-            kind: ClusterIssuer
+          type: prometheus
+          access: proxy
+          orgId: 1
+          editable: true
+          basicAuth: true
+          basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username }}
+          jsonData:
+            tlsAuthWithCACert: true
+          secureJsonData:
+            basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
+            tlsCACert: $CACERT
+          url: {{ $prom_uri }}
 manifests:
   certificates: true
 ...

releasenotes/notes/grafana.yaml

@@ -5,4 +5,5 @@ grafana:
   - 0.1.2 Update Grafana version
   - 0.1.3 Provision any dashboard as homepage
   - 0.1.4 Enable TLS for Grafana
+  - 0.1.5 Enable TLS between Grafana and Prometheus
 ...