diff --git a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
index c29fe03ce..37a847303 100644
--- a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
+++ b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
@@ -291,13 +291,6 @@ spec:
 ingressEnabled:
 description: Whether to enable ingress access to Grafana
 type: boolean
- adminPassword:
- description: Grafana admin password
- type: string
- format: password
- adminUser:
- description: Grafana admin user
- type: string
 baseImage:
 description: Path to the base container image used to instantiate a Grafana instance
 type: string
diff --git a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
index ee728e2f4..dc9ddda59 100644
--- a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
+++ b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
@@ -80,8 +80,6 @@ spec:
 enabled: false
 grafana:
 ingressEnabled: true
- adminPassword: secret
- adminUser: root
 disableSignoutMenu: false
 baseImage: registry.redhat.io/rhel8/grafana:7
 dashboards:
diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
index 545ffd994..23efd2236 100644
--- a/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
+++ b/deploy/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
@@ -385,13 +385,6 @@ spec:
 grafana:
 description: Grafana related configuration
 properties:
- adminPassword:
- description: Grafana admin password
- format: password
- type: string
- adminUser:
- description: Grafana admin user
- type: string
 baseImage:
 description: Path to the base container image used to instantiate a Grafana instance
diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
index 1052f8ba3..6e758b6f3 100644
--- a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
@@ -117,8 +117,6 @@ metadata:
 "graphing": {
 "enabled": false,
 "grafana": {
- "adminPassword": "secret",
- "adminUser": "root",
 "baseImage": "registry.redhat.io/rhel8/grafana:7",
 "dashboards": {
 "enabled": true
diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml
index 263480e00..fc1cd8a91 100644
--- a/roles/servicetelemetry/defaults/main.yml
+++ b/roles/servicetelemetry/defaults/main.yml
@@ -83,8 +83,6 @@ servicetelemetry_defaults:
 enabled: false
 grafana:
 ingress_enabled: true
- admin_password: secret
- admin_user: root
 disable_signout_menu: false
 base_image: registry.redhat.io/rhel8/grafana:7
 dashboards:
diff --git a/roles/servicetelemetry/tasks/component_grafana.yml b/roles/servicetelemetry/tasks/component_grafana.yml
index df012b70a..7eff9174f 100644
--- a/roles/servicetelemetry/tasks/component_grafana.yml
+++ b/roles/servicetelemetry/tasks/component_grafana.yml
@@ -7,54 +7,6 @@
 kind: Route
 name: 'grafana-route'
-- name: Check for existing grafana htpasswd secret
- no_log: true
- k8s_info:
- api_version: v1
- kind: Secret
- namespace: '{{ ansible_operator_meta.namespace }}'
- name: '{{ ansible_operator_meta.name }}-grafana-htpasswd'
- register: grafana_htpasswd_secret
-
-- block:
- - name: Parse current Grafana htpasswd salt from secret
- no_log: true
- set_fact:
- grafana_htpasswd_salt: "{{ ((grafana_htpasswd_secret.resources[0].data.auth | b64decode).split('$')[-1])[0:22] }}"
- rescue:
- - name: Generate initial Grafana htpasswd bcrypt string from grafana.admin_password
- no_log: true
- set_fact:
- init_grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt') | replace('$2b$','$2y$', 1)) }}"
-
- - name: Read newly generated Grafana htpasswd salt
- no_log: true
- set_fact:
- grafana_htpasswd_salt: "{{ (init_grafana_htpasswd_bcrypt_string.split('$')[-1])[0:22] }}"
- always:
- - name: Generate Grafana htpasswd bcrypt string from grafana.adminPassword using salt
- no_log: true
- set_fact:
- grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt', grafana_htpasswd_salt) | replace('$2b$','$2y$', 1)) }}"
-
- - name: Generate Grafana auth string from grafana.adminUser and grafana_htpasswd_bcrypt_string
- no_log: true
- set_fact:
- grafana_htpasswd_auth_string: "{{ servicetelemetry_vars.graphing.grafana.admin_user }}:{{ grafana_htpasswd_bcrypt_string }}"
-
-- name: Create or patch htpasswd secret for grafana admin
- no_log: false
- k8s:
- definition:
- api_version: v1
- kind: Secret
- metadata:
- name: '{{ ansible_operator_meta.name }}-grafana-htpasswd'
- namespace: '{{ ansible_operator_meta.namespace }}'
- type: Opaque
- stringData:
- auth: '{{ grafana_htpasswd_auth_string }}'
-
 - name: Lookup template
 debug:
 msg: "{{ lookup('template', './manifest_grafana.j2') | from_yaml }}"
diff --git a/roles/servicetelemetry/templates/manifest_grafana.j2 b/roles/servicetelemetry/templates/manifest_grafana.j2
index 792f7065c..8b176b103 100644
--- a/roles/servicetelemetry/templates/manifest_grafana.j2
+++ b/roles/servicetelemetry/templates/manifest_grafana.j2
@@ -7,9 +7,6 @@ spec:
 serviceAccount:
 annotations:
 serviceaccounts.openshift.io/oauth-redirectreference.primary: '{{ grafana_oauth_redir_ref | to_json }}'
- deployment:
- annotations:
- hash-of-creds-to-force-restart-if-changed: {{ grafana_htpasswd_auth_string | b64encode }}
 baseImage: {{ servicetelemetry_vars.graphing.grafana.base_image }}
 ingress:
 enabled: {{ servicetelemetry_vars.graphing.grafana.ingress_enabled }}
@@ -40,13 +37,12 @@ spec:
 - -provider=openshift
 - -pass-basic-auth=false
 - -https-address=:3002
- - -htpasswd-file=/etc/proxy/htpasswd/auth
 - -tls-cert=/etc/tls/private/tls.crt
 - -tls-key=/etc/tls/private/tls.key
 - -upstream=http://localhost:3000
 - -cookie-secret-file=/etc/proxy/secrets/session_secret
 - -openshift-service-account=grafana-serviceaccount
- - '-openshift-sar={"resource": "namespaces", "verb": "get"}'
+ - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafana", "group":"integreatly.org", "verb":"get"}'
 - -openshift-ca=/etc/pki/tls/cert.pem
 - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 ports:
@@ -58,12 +54,9 @@ spec:
 name: secret-{{ ansible_operator_meta.name }}-grafana-proxy-tls
 - mountPath: /etc/proxy/secrets
 name: secret-{{ ansible_operator_meta.name }}-session-secret
- - mountPath: /etc/proxy/htpasswd
- name: secret-{{ ansible_operator_meta.name }}-grafana-htpasswd
 secrets:
 - '{{ ansible_operator_meta.name }}-grafana-proxy-tls'
 - '{{ ansible_operator_meta.name }}-session-secret'
- - '{{ ansible_operator_meta.name }}-grafana-htpasswd'
 service:
 ports:
 - name: web
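Review bot: The new `-openshift-sar` line names the resource in the singular, `"resource": "grafana"`, whereas a SubjectAccessReview matches RBAC rules on the lowercase plural resource name (the replaced line used `"namespaces"`); if the integreatly.org CRD's `spec.names.plural` is `grafanas`, a Role granting `get` on `grafanas` would not satisfy this check and effectively only wildcard-resource bindings such as cluster-admin would reach the dashboards, so the plural should be confirmed against the installed CRD and the line changed to `"resource": "grafanas"`. Dropping `-htpasswd-file` is consistent with `-pass-basic-auth=false`, but the operator now neither creates nor removes the `{{ ansible_operator_meta.name }}-grafana-htpasswd` Secret, so on upgraded clusters the bcrypt-hashed admin credential from the old path stays in the namespace; a `k8s` task with `state: absent` for that Secret in component_grafana.yml would close that out. I would also put a comment above the SAR argument, e.g. `# access is delegated to OpenShift RBAC: the caller needs 'get' on the Grafana CR in this namespace`, so the authorization model is visible in the template. The enclosing `spec:` mapping of this template begins before the first hunk.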