From 86112314edd19992e3a24c81dad6102eed054220 Mon Sep 17 00:00:00 2001
From: "Lo, Chi (cl566n)"
Date: Fri, 12 Mar 2021 15:38:52 -0800
Subject: [PATCH] Enable TLS between Prometheus and Grafana

This patchset enables TLS path between Prometheus and Grafana. Grafana pull data from Prometheus. As such, Prometheus is the server and Grafana is the client for TLS handshake.

Change-Id: I50cb6f59472155415cff16a81ebaebd192064d65
---
grafana/Chart.yaml | 2 +-
grafana/templates/certificates.yaml | 17 -----------------
grafana/templates/deployment.yaml | 7 +++++++
grafana/values.yaml | 8 --------
grafana/values_overrides/tls.yaml | 29 ++++++++++++++++++++---------
releasenotes/notes/grafana.yaml | 1 +
6 files changed, 29 insertions(+), 35 deletions(-)
delete mode 100644 grafana/templates/certificates.yaml

diff --git a/grafana/Chart.yaml b/grafana/Chart.yaml
index 78286a195..eea3682b9 100644
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.4
+version: 0.1.5
 home: https://grafana.com/
 sources:
 - https://github.com/grafana/grafana
diff --git a/grafana/templates/certificates.yaml b/grafana/templates/certificates.yaml
deleted file mode 100644
index 9af197df4..000000000
--- a/grafana/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml
index 8f40cb740..c04fff3a0 100644
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@@ -81,6 +81,13 @@ spec:
 key: GRAFANA_ADMIN_PASSWORD
 - name: PROMETHEUS_URL
 value: {{ tuple "monitoring" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- if .Values.manifests.certificates }}
+ - name: CACERT
+ valueFrom:
+ secretKeyRef:
+ key: ca.crt
+ name: prometheus-tls-api
+{{- end }}
 {{- if .Values.pod.env.grafana }}
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.grafana | indent 12 }}
 {{- end }}
diff --git a/grafana/values.yaml b/grafana/values.yaml
index 271b495fb..ac57c34e6 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -236,13 +236,6 @@ endpoints:
 public: grafana
 host_fqdn_override:
 default: null
- # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
- # endpoints using the following format:
- # public:
- # host: null
- # tls:
- # crt: null
- # key: null
 path:
 default: null
 scheme:
@@ -366,7 +359,6 @@ secrets:
 grafana:
 grafana:
 public: grafana-tls-public
- internal: grafana-tls-api
 prometheus:
 user: prometheus-user-creds
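Review bot: The CA secret name `prometheus-tls-api` under `secretKeyRef` in the deployment.yaml hunk is hard-coded in the template, so this chart now silently depends on the Prometheus chart issuing its certificate under exactly that name; if an operator renames the Prometheus TLS secret, the pod fails at scheduling time with a missing-secret error instead of a render-time one. Reading the name from values (e.g. `name: {{ .Values.secrets.tls.<PLACEHOLDER-key-to-add> }}`, with a matching entry in values.yaml) keeps the cross-chart contract in one place. Because certificates.yaml is deleted in this same patch, `.Values.manifests.certificates` no longer gates any manifest in this chart and now only controls injecting the Prometheus CA, which deserves a template comment at the `{{- if` line such as `{{/* manifests.certificates: this chart no longer issues its own cert; the flag only injects the Prometheus CA for the datasource */}}`. The enclosing container `env:` list starts and ends outside the hunk.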
diff --git a/grafana/values_overrides/tls.yaml b/grafana/values_overrides/tls.yaml
index b26fcf15c..eac7e3aa7 100644
--- a/grafana/values_overrides/tls.yaml
+++ b/grafana/values_overrides/tls.yaml
@@ -6,15 +6,26 @@ conf:
 ca_cert_path: /etc/mysql/certs/ca.crt
 client_key_path: /etc/mysql/certs/tls.key
 client_cert_path: /etc/mysql/certs/tls.crt
-endpoints:
- grafana:
- host_fqdn_override:
- default:
- tls:
- secretName: grafana-tls-api
- issuerRef:
- name: ca-issuer
- kind: ClusterIssuer
+ provisioning:
+ datasources:
+ template: |
+ {{ $prom_host := tuple "monitoring" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ {{ $prom_uri := printf "https://%s" $prom_host }}
+ apiVersion: 1
+ datasources:
+ - name: prometheus
+ type: prometheus
+ access: proxy
+ orgId: 1
+ editable: true
+ basicAuth: true
+ basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username }}
+ jsonData:
+ tlsAuthWithCACert: true
+ secureJsonData:
+ basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
+ tlsCACert: $CACERT
+ url: {{ $prom_uri }}
 manifests:
 certificates: true
 ...
diff --git a/releasenotes/notes/grafana.yaml b/releasenotes/notes/grafana.yaml
index d1b29c1f0..52679c6cd 100644
--- a/releasenotes/notes/grafana.yaml
+++ b/releasenotes/notes/grafana.yaml
@@ -5,4 +5,5 @@ grafana:
 - 0.1.2 Update Grafana version
 - 0.1.3 Provision any dashboard as homepage
 - 0.1.4 Enable TLS for Grafana
+ - 0.1.5 Enable TLS between Grafana and Prometheus
 ...
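Review bot: In the new datasource template, `basicAuthUser` and `basicAuthPassword` are rendered as plain YAML scalars, so a credential that contains `: ` or ` #`, starts with `*`, `&`, `[` or `{`, or happens to look like a number or boolean will either be re-typed or break Grafana's provisioning parse; both lines should be quoted, `basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username | quote }}` and `basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password | quote }}`. The line `tlsCACert: $CACERT` relies on Grafana expanding environment variables inside provisioning files, and a multi-line PEM only survives because the value is the bare token; a one-line comment in the template saying so would stop a later edit from quoting or indenting it differently. `$prom_uri` is built from `hostname_fqdn_endpoint_lookup` with no port, so Grafana will dial 443 on the Prometheus FQDN; the `PROMETHEUS_URL` env in deployment.yaml is built with `keystone_endpoint_uri_lookup`, which I believe includes scheme and port, so confirm the portless URL matches how the Prometheus endpoint is actually exposed.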