Enable TLS for grafana

This patchset updates grafana chart manifests to enable TLS with osh-infra mariadb. TLS for osh-infra mariadb is completed as part of TLS phase 1, no additional mariadb chart work is required to work with this patch. Change-Id: Ic01e7c012ab2167d59b2117eb985386666f2bb2a
2021-02-05 20:47:23 -08:00 · 2021-02-05 20:47:23 -08:00 · 87e3a02dd5
parent ee5482e9ed
commit 87e3a02dd5
12 changed files with 87 additions and 4 deletions
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.3
+version: 0.1.4
 home: https://grafana.com/
 sources:
  - https://github.com/grafana/grafana
--- a/grafana/templates/certificates.yaml
+++ b/grafana/templates/certificates.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
--- a/grafana/templates/configmap-etc.yaml
+++ b/grafana/templates/configmap-etc.yaml
@ -16,7 +16,14 @@ limitations under the License.
 {{- $envAll := . }}

 {{- if and (empty .Values.conf.grafana.database.url) (not (eq .Values.conf.grafana.database.type "sqlite3") ) -}}
-{{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" | set .Values.conf.grafana.database "url" }}
+
+{{- $url := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8" $url ) | set .Values.conf.grafana.database "url" -}}
+{{- $_ := tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | set .Values.conf.grafana.database "server_cert_name" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.grafana.database "url" $url -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.grafana.session.provider_config -}}
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@ -118,6 +118,7 @@ spec:
              mountPath: /etc/grafana/dashboards/{{$key}}.json
              subPath: {{$key}}.json
            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_grafana.volumeMounts }}{{ toYaml $mounts_grafana.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -144,5 +145,6 @@ spec:
            defaultMode: 0555
        - name: data
          emptyDir: {}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_grafana.volumes }}{{ toYaml $mounts_grafana.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/grafana/templates/job-db-init-session.yaml
+++ b/grafana/templates/job-db-init-session.yaml
@ -57,6 +57,10 @@ spec:
                secretKeyRef:
                  name: {{ .Values.secrets.oslo_db_session.user }}
                  key: DB_CONNECTION
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
          command:
            - /tmp/db-init.py
          volumeMounts:
@ -66,6 +70,7 @@ spec:
              mountPath: /tmp/db-init.py
              subPath: db-init.py
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -73,4 +78,5 @@ spec:
          configMap:
            name: grafana-bin
            defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/grafana/templates/job-db-init.yaml
+++ b/grafana/templates/job-db-init.yaml
@ -57,6 +57,10 @@ spec:
                secretKeyRef:
                  name: {{ .Values.secrets.oslo_db.user }}
                  key: DB_CONNECTION
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
          command:
            - /tmp/db-init.py
          volumeMounts:
@ -66,6 +70,7 @@ spec:
              mountPath: /tmp/db-init.py
              subPath: db-init.py
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -73,4 +78,5 @@ spec:
          configMap:
            name: grafana-bin
            defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/grafana/templates/job-db-session-sync.yaml
+++ b/grafana/templates/job-db-session-sync.yaml
@ -52,6 +52,10 @@ spec:
                secretKeyRef:
                  name: {{ .Values.secrets.oslo_db_session.user }}
                  key: DB_CONNECTION
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
          command:
            - /tmp/db-session-sync.py
          volumeMounts:
@ -61,6 +65,7 @@ spec:
              mountPath: /tmp/db-session-sync.py
              subPath: db-session-sync.py
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -68,4 +73,5 @@ spec:
          configMap:
            name: grafana-bin
            defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/grafana/templates/secret-db-session.yaml
+++ b/grafana/templates/secret-db-session.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "user" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db_session $userClass }}
+{{- $connection := tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/grafana/templates/secret-db.yaml
+++ b/grafana/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "user" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@ -188,6 +188,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      user:
        username: grafana
        password: password
@ -206,6 +209,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      user:
        username: grafana_session
        password: password
@ -360,10 +366,12 @@ secrets:
    grafana:
      grafana:
        public: grafana-tls-public
+        internal: grafana-tls-api
  prometheus:
    user: prometheus-user-creds

 manifests:
+  certificates: false
  configmap_bin: true
  configmap_etc: true
  configmap_dashboards: true
--- a/grafana/values_overrides/tls.yaml
+++ b/grafana/values_overrides/tls.yaml
@ -0,0 +1,20 @@
+---
+conf:
+  grafana:
+    database:
+      ssl_mode: true
+      ca_cert_path: /etc/mysql/certs/ca.crt
+      client_key_path: /etc/mysql/certs/tls.key
+      client_cert_path: /etc/mysql/certs/tls.crt
+endpoints:
+  grafana:
+    host_fqdn_override:
+      default:
+        tls:
+          secretName: grafana-tls-api
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssuer
+manifests:
+  certificates: true
+...
--- a/releasenotes/notes/grafana.yaml
+++ b/releasenotes/notes/grafana.yaml
@ -4,4 +4,5 @@ grafana:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Update Grafana version
  - 0.1.3 Provision any dashboard as homepage
+  - 0.1.4 Enable TLS for Grafana
 ...