From 86112314edd19992e3a24c81dad6102eed054220 Mon Sep 17 00:00:00 2001
From: "Lo, Chi (cl566n)"
Date: Fri, 12 Mar 2021 15:38:52 -0800
Subject: [PATCH] Enable TLS between Prometheus and Grafana

This patchset enables TLS path between Prometheus and Grafana. Grafana pull data from Prometheus. As such, Prometheus is the server and Grafana is the client for TLS handshake.

Change-Id: I50cb6f59472155415cff16a81ebaebd192064d65
---
 grafana/Chart.yaml | 2 +-
 grafana/templates/certificates.yaml | 17 -----------------
 grafana/templates/deployment.yaml | 7 +++++++
 grafana/values.yaml | 8 --------
 grafana/values_overrides/tls.yaml | 29 ++++++++++++++++++++---------
 releasenotes/notes/grafana.yaml | 1 +
 6 files changed, 29 insertions(+), 35 deletions(-)
 delete mode 100644 grafana/templates/certificates.yaml

diff --git a/grafana/Chart.yaml b/grafana/Chart.yaml
index 78286a1958..eea3682b92 100644
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.4
+version: 0.1.5
 home: https://grafana.com/
 sources:
   - https://github.com/grafana/grafana
diff --git a/grafana/templates/certificates.yaml b/grafana/templates/certificates.yaml
deleted file mode 100644
index 9af197df4d..0000000000
--- a/grafana/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "grafana" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml
index 8f40cb740c..c04fff3a03 100644
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@@ -81,6 +81,13 @@ spec:
                   key: GRAFANA_ADMIN_PASSWORD
             - name: PROMETHEUS_URL
               value: {{ tuple "monitoring" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- if .Values.manifests.certificates }}
+            - name: CACERT
+              valueFrom:
+                secretKeyRef:
+                  key: ca.crt
+                  name: prometheus-tls-api
+{{- end }}
 {{- if .Values.pod.env.grafana }}
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.grafana | indent 12 }}
 {{- end }}
diff --git a/grafana/values.yaml b/grafana/values.yaml
index 271b495fbb..ac57c34e6e 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -236,13 +236,6 @@ endpoints:
       public: grafana
     host_fqdn_override:
       default: null
-      # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
-      # endpoints using the following format:
-      # public:
-      #   host: null
-      #   tls:
-      #     crt: null
-      #     key: null
     path:
       default: null
     scheme:
@@ -366,7 +359,6 @@ secrets:
     grafana:
       grafana:
         public: grafana-tls-public
-        internal: grafana-tls-api
   prometheus:
     user: prometheus-user-creds
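Review bot: The `secretKeyRef` added for `CACERT` hard-codes `name: prometheus-tls-api`, a Secret owned by the Prometheus chart, and carries no `optional` flag, so the Grafana pod cannot start (CreateContainerConfigError) whenever Prometheus is deployed later, into another namespace, or with a different TLS secret name. Surfacing the name as a chart value (a new key such as `secrets.tls.prometheus.api` is one option) would make the cross-chart coupling visible and overridable; failing that, a comment above the block along the lines of `# CA of the Prometheus API certificate; the Secret is created by the prometheus chart and must exist in this namespace` should be added. Note also that the gate `.Values.manifests.certificates` no longer controls any manifest in this chart now that templates/certificates.yaml is deleted: it only toggles this env var, which the datasource template in values_overrides/tls.yaml consumes as `$CACERT`, so a dedicated value would avoid the misleading name. The container spec this env entry belongs to starts outside the hunk.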
diff --git a/grafana/values_overrides/tls.yaml b/grafana/values_overrides/tls.yaml
index b26fcf15c5..eac7e3aa79 100644
--- a/grafana/values_overrides/tls.yaml
+++ b/grafana/values_overrides/tls.yaml
@@ -6,15 +6,26 @@ conf:
       ca_cert_path: /etc/mysql/certs/ca.crt
       client_key_path: /etc/mysql/certs/tls.key
       client_cert_path: /etc/mysql/certs/tls.crt
-endpoints:
-  grafana:
-    host_fqdn_override:
-      default:
-        tls:
-          secretName: grafana-tls-api
-          issuerRef:
-            name: ca-issuer
-            kind: ClusterIssuer
+  provisioning:
+    datasources:
+      template: |
+        {{ $prom_host := tuple "monitoring" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+        {{ $prom_uri := printf "https://%s" $prom_host }}
+        apiVersion: 1
+        datasources:
+          - name: prometheus
+            type: prometheus
+            access: proxy
+            orgId: 1
+            editable: true
+            basicAuth: true
+            basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username }}
+            jsonData:
+              tlsAuthWithCACert: true
+            secureJsonData:
+              basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
+              tlsCACert: $CACERT
+            url: {{ $prom_uri }}
 manifests:
   certificates: true
 ...
diff --git a/releasenotes/notes/grafana.yaml b/releasenotes/notes/grafana.yaml
index d1b29c1f0c..52679c6cde 100644
--- a/releasenotes/notes/grafana.yaml
+++ b/releasenotes/notes/grafana.yaml
@@ -5,4 +5,5 @@ grafana:
   - 0.1.2 Update Grafana version
   - 0.1.3 Provision any dashboard as homepage
   - 0.1.4 Enable TLS for Grafana
+  - 0.1.5 Enable TLS between Grafana and Prometheus
 ...
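Review bot: The override replaces the whole default datasource template instead of layering only the TLS fields, so any later change to `conf.provisioning.datasources.template` in values.yaml is silently lost whenever this file is applied; a comment above `provisioning:` such as `# NOTE: mirrors the default datasource template in values.yaml, adding https and CA pinning; keep the two in sync` would make that coupling visible. The verification side is sound as written — `tlsAuthWithCACert: true` with `tlsCACert: $CACERT` pins the Prometheus CA and `tlsSkipVerify` is left at its default — but `$CACERT` is only populated when `manifests.certificates` is true in deployment.yaml, so overriding that key to false with this template in place yields an empty CA and a failed datasource health check rather than a clear rendering error; a comment on `certificates: true` stating that it now wires the Prometheus CA into `CACERT` rather than issuing a Grafana certificate would help. Passing the PEM through an environment variable relies on Grafana expanding `$VAR` in provisioning values after YAML parsing; that presumably copes with the multi-line certificate, but it is worth confirming against the Grafana version the chart ships (v7.3.6 per Chart.yaml).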