grafana: update to 7.4.2

This includes a fix for I216528a76307189d8d87bd2fcfeff95c6ceb53cc.
Now it's released we can be a bit more explicit about why we added the
workaround.

Change-Id: Ibaf1850549b5e7ec3622418b650bc5e59a289ab6

docker/grafana/Dockerfile

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/grafana/grafana:7.4.1-ubuntu
+FROM docker.io/grafana/grafana:7.4.2-ubuntu
 
 LABEL maintainer="infra-root@openstack.org"
 

playbooks/roles/grafana/templates/grafana.vhost.j2

@@ -34,6 +34,13 @@
   SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
   SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
 
+  # NOTE(ianw) 2021-02-19
+  # This was for a security issue fixed in 7.4.2
+  # where anonymous users could cause a write to disk, fixed
+  # with
+  #  https://github.com/grafana/grafana/pull/31263/
+  # We leave it because we don't use the API, but if we need
+  # it, we can remove this.
   RewriteEngine on
   RewriteRule "^/api/snapshots(.*?)$" "-" [F]