From 87e3a02dd558dfca6a9a8f49feb34f47d516cbf7 Mon Sep 17 00:00:00 2001 From: "Lo, Chi (cl566n)" Date: Fri, 5 Feb 2021 20:47:23 -0800 Subject: [PATCH] Enable TLS for grafana This patchset updates grafana chart manifests to enable TLS with osh-infra mariadb. TLS for osh-infra mariadb is completed as part of TLS phase 1, no additional mariadb chart work is required to work with this patch. Change-Id: Ic01e7c012ab2167d59b2117eb985386666f2bb2a --- grafana/Chart.yaml | 2 +- grafana/templates/certificates.yaml | 17 +++++++++++++++++ grafana/templates/configmap-etc.yaml | 9 ++++++++- grafana/templates/deployment.yaml | 2 ++ grafana/templates/job-db-init-session.yaml | 6 ++++++ grafana/templates/job-db-init.yaml | 6 ++++++ grafana/templates/job-db-session-sync.yaml | 6 ++++++ grafana/templates/secret-db-session.yaml | 7 ++++++- grafana/templates/secret-db.yaml | 7 ++++++- grafana/values.yaml | 8 ++++++++ grafana/values_overrides/tls.yaml | 20 ++++++++++++++++++++ releasenotes/notes/grafana.yaml | 1 + 12 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 grafana/templates/certificates.yaml create mode 100644 grafana/values_overrides/tls.yaml diff --git a/grafana/Chart.yaml b/grafana/Chart.yaml index e9431e786..78286a195 100644 --- a/grafana/Chart.yaml +++ b/grafana/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v7.3.6 description: OpenStack-Helm Grafana name: grafana -version: 0.1.3 +version: 0.1.4 home: https://grafana.com/ sources: - https://github.com/grafana/grafana diff --git a/grafana/templates/certificates.yaml b/grafana/templates/certificates.yaml new file mode 100644 index 000000000..9af197df4 --- /dev/null +++ b/grafana/templates/certificates.yaml 
@@ -0,0 +1,17 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.certificates -}} +{{ dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +{{- end -}} diff --git a/grafana/templates/configmap-etc.yaml b/grafana/templates/configmap-etc.yaml index 608502c56..4ce4f3469 100644 --- a/grafana/templates/configmap-etc.yaml +++ b/grafana/templates/configmap-etc.yaml @@ -16,7 +16,14 @@ limitations under the License. {{- $envAll := . }} {{- if and (empty .Values.conf.grafana.database.url) (not (eq .Values.conf.grafana.database.type "sqlite3") ) -}} -{{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" | set .Values.conf.grafana.database "url" }} + +{{- $url := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | replace "mysql+pymysql://" "mysql://" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8" $url ) | set .Values.conf.grafana.database "url" -}} +{{- $_ := tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | set .Values.conf.grafana.database "server_cert_name" -}} +{{- else -}} +{{- $_ := set .Values.conf.grafana.database "url" $url -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.grafana.session.provider_config -}} 
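Review bot: In the certificates branch of configmap-etc.yaml, `server_cert_name` is derived with `endpoint_host_lookup` while the host inside `url` comes from `authenticated_endpoint_uri_lookup`, so the name Grafana verifies the MariaDB certificate against can drift from the host it actually connects to; with `ssl_mode = true` Grafana checks `server_cert_name` against the server certificate's names, so whichever form is used must be one the MariaDB certificate carries. Deriving both from the same lookup, or at least adding `{{/* server_cert_name must match a SAN of the MariaDB server certificate; ssl_mode=true verifies it */}}` above the `server_cert_name` line, would make that contract explicit. Note also that `ssl_mode`, `ca_cert_path`, `client_key_path` and `client_cert_path` are supplied only by values_overrides/tls.yaml, so enabling `manifests.certificates` on its own renders a config that mounts certificates but does not use them; setting those four keys here inside the same `if` would give a single switch. The enclosing template continues outside the hunk.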
diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml index 615353350..8f40cb740 100644 --- a/grafana/templates/deployment.yaml +++ b/grafana/templates/deployment.yaml @@ -118,6 +118,7 @@ spec: mountPath: /etc/grafana/dashboards/{{$key}}.json subPath: {{$key}}.json {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_grafana.volumeMounts }}{{ toYaml $mounts_grafana.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -144,5 +145,6 @@ spec: defaultMode: 0555 - name: data emptyDir: {} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_grafana.volumes }}{{ toYaml $mounts_grafana.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/grafana/templates/job-db-init-session.yaml b/grafana/templates/job-db-init-session.yaml index 9e9785f2f..2988b9b0b 100644 --- a/grafana/templates/job-db-init-session.yaml +++ b/grafana/templates/job-db-init-session.yaml @@ -57,6 +57,10 @@ spec: secretKeyRef: name: {{ .Values.secrets.oslo_db_session.user }} key: DB_CONNECTION +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} command: - /tmp/db-init.py volumeMounts: @@ -66,6 +70,7 @@ spec: mountPath: /tmp/db-init.py subPath: db-init.py readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} 
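Review bot: The Grafana deployment mounts `endpoints.oslo_db.auth.admin.secret.tls.internal` (`mariadb-tls-direct` in values.yaml) even though the server runs with the `user` database credentials, so the long-running, network-exposed pod receives the same client key pair as the root-level db-init job; if that secret is MariaDB's own server key pair, as its name suggests, the server's private key is being distributed to every client pod. Since `REQUIRE X509` makes the certificate part of the credential, a per-service client certificate referenced from `auth.user.secret.tls.internal` would keep a Grafana compromise from yielding the admin key material. At minimum the intent should be stated, e.g. `{{/* NOTE: client cert for the grafana DB user; deliberately shared with the admin TLS secret until per-user certs exist */}}` above the mount line. The container spec continues outside the hunk.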
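Review bot: `MARIADB_X509` is set to `REQUIRE X509` in job-db-init-session.yaml, but the script that consumes it (`/tmp/db-init.py` from the grafana-bin configmap) is not touched by this patch, so whether the grant actually receives the X509 clause, and whether db-init.py reads the `ssl_*` parameters now embedded in `DB_CONNECTION`, cannot be confirmed from here; if it does not, the job either fails to connect or silently provisions a session user with no TLS requirement. It is also worth documenting that `REQUIRE X509` only demands some certificate chaining to a CA the server trusts, so any workload issued a certificate by the same issuer can satisfy it, whereas `REQUIRE SUBJECT`/`REQUIRE ISSUER` would bind the account to a specific identity. A one-line comment such as `# REQUIRE X509: any CA-signed client cert satisfies this; the password is still required` next to the env var would capture that scope. The job's container spec continues outside the hunk.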
@@ -73,4 +78,5 @@ spec: configMap: name: grafana-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/grafana/templates/job-db-init.yaml b/grafana/templates/job-db-init.yaml index b5ba6e65f..9b87d94f8 100644 --- a/grafana/templates/job-db-init.yaml +++ b/grafana/templates/job-db-init.yaml @@ -57,6 +57,10 @@ spec: secretKeyRef: name: {{ .Values.secrets.oslo_db.user }} key: DB_CONNECTION +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} command: - /tmp/db-init.py volumeMounts: @@ -66,6 +70,7 @@ spec: mountPath: /tmp/db-init.py subPath: db-init.py readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -73,4 +78,5 @@ spec: configMap: name: grafana-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/grafana/templates/job-db-session-sync.yaml b/grafana/templates/job-db-session-sync.yaml index fb086c549..3db6fd013 100644 --- a/grafana/templates/job-db-session-sync.yaml +++ b/grafana/templates/job-db-session-sync.yaml @@ -52,6 +52,10 @@ spec: secretKeyRef: name: {{ .Values.secrets.oslo_db_session.user }} key: DB_CONNECTION +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} command: - /tmp/db-session-sync.py volumeMounts: 
@@ -61,6 +65,7 @@ spec: mountPath: /tmp/db-session-sync.py subPath: db-session-sync.py readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -68,4 +73,5 @@ spec: configMap: name: grafana-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db_session.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/grafana/templates/secret-db-session.yaml b/grafana/templates/secret-db-session.yaml index beec255ae..82c32ca61 100644 --- a/grafana/templates/secret-db-session.yaml +++ b/grafana/templates/secret-db-session.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "user" }} {{- $secretName := index $envAll.Values.secrets.oslo_db_session $userClass }} +{{- $connection := tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db_session" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/grafana/templates/secret-db.yaml b/grafana/templates/secret-db.yaml index 60e948732..a05697e74 100644 --- a/grafana/templates/secret-db.yaml 
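Review bot: The TLS branch of secret-db-session.yaml builds `DB_CONNECTION` with a bare `printf "%s?charset=utf8&ssl_ca=…&ssl_verify_cert"`, which assumes `$connection` carries no query component and that the consumer treats a valueless `ssl_verify_cert` as "verify the server certificate"; neither the helper's output nor the db-init.py / db-session-sync.py parsers are visible in this patch, so both assumptions should be confirmed. If the parser expects `key=value`, the MariaDB server certificate would be accepted unverified while the connection string still looks secured. A comment on the `DB_CONNECTION` line naming the consumer and the expected flag syntax, e.g. `{{/* ssl_* keys are parsed by grafana-bin db-init.py / db-session-sync.py; a bare ssl_verify_cert enables server verification */}}`, would document the contract, and the hard-coded `/etc/mysql/certs` paths must stay in step with the `tls_volume_mount` path used in the jobs.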
+++ b/grafana/templates/secret-db.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "user" }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/grafana/values.yaml b/grafana/values.yaml index 58bcfbcbe..271b495fb 100644 --- a/grafana/values.yaml +++ b/grafana/values.yaml @@ -188,6 +188,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct user: username: grafana password: password @@ -206,6 +209,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct user: username: grafana_session password: password @@ -360,10 +366,12 @@ secrets: grafana: grafana: public: grafana-tls-public + internal: grafana-tls-api prometheus: user: prometheus-user-creds manifests: + certificates: false configmap_bin: true configmap_etc: true configmap_dashboards: true diff --git a/grafana/values_overrides/tls.yaml b/grafana/values_overrides/tls.yaml new file mode 100644 index 000000000..b26fcf15c --- /dev/null +++ b/grafana/values_overrides/tls.yaml 
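Review bot: In values.yaml, `secret.tls.internal` is added under `auth.admin` only for both `oslo_db` and `oslo_db_session`, yet the templates read that admin key for the Grafana deployment and the session-sync job, which authenticate as `user`; adding the same key under `user` (even if it initially points at the same secret) would let operators issue a distinct client certificate per account without a template change. As written, a future split of admin and user certificates requires editing every template that references `auth.admin.secret.tls.internal`.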
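Review bot: `manifests.certificates` defaults to `false` with no explanation, so an out-of-the-box install still sends the MariaDB credentials in clear text and an operator reading values.yaml has no pointer to the opt-in; a comment such as `# certificates: false leaves the MariaDB connection plaintext; see values_overrides/tls.yaml to enable mutual TLS` next to the key would make that visible. The newly added `secrets.tls.grafana.grafana.internal: grafana-tls-api` is likewise uncommented, and nothing in this patch shows what consumes it beyond the certificate manifest, so a note stating whether it is meant for the Grafana listener would help.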
@@ -0,0 +1,20 @@ +--- +conf: + grafana: + database: + ssl_mode: true + ca_cert_path: /etc/mysql/certs/ca.crt + client_key_path: /etc/mysql/certs/tls.key + client_cert_path: /etc/mysql/certs/tls.crt +endpoints: + grafana: + host_fqdn_override: + default: + tls: + secretName: grafana-tls-api + issuerRef: + name: ca-issuer + kind: ClusterIssuer +manifests: + certificates: true +... diff --git a/releasenotes/notes/grafana.yaml b/releasenotes/notes/grafana.yaml index 0922fe308..d1b29c1f0 100644 --- a/releasenotes/notes/grafana.yaml +++ b/releasenotes/notes/grafana.yaml @@ -4,4 +4,5 @@ grafana: - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0" - 0.1.2 Update Grafana version - 0.1.3 Provision any dashboard as homepage + - 0.1.4 Enable TLS for Grafana ...
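Review bot: values_overrides/tls.yaml requests a `grafana-tls-api` certificate for the Grafana service via `host_fqdn_override.default.tls`, but nothing in this patch mounts that secret or configures Grafana's `[server]` protocol and certificate paths, so as far as the diff shows the override only secures the MariaDB leg while the Grafana listener is unchanged; a header comment stating that scope would stop operators from assuming the UI is now served over TLS. `ssl_mode: true` is what makes Grafana verify the MariaDB server certificate against `ca_cert_path` and `server_cert_name`, and `skip-verify` must not be substituted here, which is worth recording inline, e.g. `# true = verify the server cert against ca_cert_path/server_cert_name; never use skip-verify`.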