infrawatch · csibbitt · Dec 7, 2023 · Dec 5, 2023 · Dec 5, 2023 · Dec 7, 2023
diff --git a/deploy/crds/infra.watch_servicetelemetrys_crd.yaml b/deploy/crds/infra.watch_servicetelemetrys_crd.yaml
@@ -291,13 +291,6 @@ spec:
  ingressEnabled:
  description: Whether to enable ingress access to Grafana
  type: boolean
- adminPassword:
- description: Grafana admin password
- type: string
- format: password
- adminUser:
- description: Grafana admin user
- type: string
  baseImage:
  description: Path to the base container image used to instantiate a Grafana instance
  type: string

diff --git a/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml b/deploy/crds/infra.watch_v1beta1_servicetelemetry_cr.yaml
@@ -80,8 +80,6 @@ spec:
  enabled: false
  grafana:
  ingressEnabled: true
- adminPassword: secret
- adminUser: root
  disableSignoutMenu: false
  baseImage: registry.redhat.io/rhel8/grafana:7
  dashboards:

diff --git a/...y/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml b/...y/olm-catalog/service-telemetry-operator/manifests/infra.watch_servicetelemetrys_crd.yaml
@@ -385,13 +385,6 @@ spec:
  grafana:
  description: Grafana related configuration
  properties:
- adminPassword:
- description: Grafana admin password
- format: password
- type: string
- adminUser:
- description: Grafana admin user
- type: string
  baseImage:
  description: Path to the base container image used to instantiate
  a Grafana instance

diff --git a/...ervice-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/...ervice-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml
@@ -117,8 +117,6 @@ metadata:
  "graphing": {
  "enabled": false,
  "grafana": {
- "adminPassword": "secret",
- "adminUser": "root",
  "baseImage": "registry.redhat.io/rhel8/grafana:7",
  "dashboards": {
  "enabled": true

diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml
@@ -83,8 +83,6 @@ servicetelemetry_defaults:
  enabled: false
  grafana:
  ingress_enabled: true
- admin_password: secret
- admin_user: root
  disable_signout_menu: false
  base_image: registry.redhat.io/rhel8/grafana:7
  dashboards:

diff --git a/roles/servicetelemetry/tasks/component_grafana.yml b/roles/servicetelemetry/tasks/component_grafana.yml
@@ -7,54 +7,6 @@
  kind: Route
  name: 'grafana-route'
 
-- name: Check for existing grafana htpasswd secret
- no_log: true
- k8s_info:
- api_version: v1
- kind: Secret
- namespace: '{{ ansible_operator_meta.namespace }}'
- name: '{{ ansible_operator_meta.name }}-grafana-htpasswd'
- register: grafana_htpasswd_secret
-
-- block:
- - name: Parse current Grafana htpasswd salt from secret
- no_log: true
- set_fact:
- grafana_htpasswd_salt: "{{ ((grafana_htpasswd_secret.resources[0].data.auth | b64decode).split('$')[-1])[0:22] }}"
- rescue:
- - name: Generate initial Grafana htpasswd bcrypt string from grafana.admin_password
- no_log: true
- set_fact:
- init_grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt') | replace('$2b$','$2y$', 1)) }}"
-
- - name: Read newly generated Grafana htpasswd salt
- no_log: true
- set_fact:
- grafana_htpasswd_salt: "{{ (init_grafana_htpasswd_bcrypt_string.split('$')[-1])[0:22] }}"
- always:
- - name: Generate Grafana htpasswd bcrypt string from grafana.adminPassword using salt
- no_log: true
- set_fact:
- grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt', grafana_htpasswd_salt) | replace('$2b$','$2y$', 1)) }}"
-
- - name: Generate Grafana auth string from grafana.adminUser and grafana_htpasswd_bcrypt_string
- no_log: true
- set_fact:
- grafana_htpasswd_auth_string: "{{ servicetelemetry_vars.graphing.grafana.admin_user }}:{{ grafana_htpasswd_bcrypt_string }}"
-
-- name: Create or patch htpasswd secret for grafana admin
- no_log: false
- k8s:
- definition:
- api_version: v1
- kind: Secret
- metadata:
- name: '{{ ansible_operator_meta.name }}-grafana-htpasswd'
- namespace: '{{ ansible_operator_meta.namespace }}'
- type: Opaque
- stringData:
- auth: '{{ grafana_htpasswd_auth_string }}'
-
 - name: Lookup template
  debug:
  msg: "{{ lookup('template', './manifest_grafana.j2') | from_yaml }}"

diff --git a/roles/servicetelemetry/templates/manifest_grafana.j2 b/roles/servicetelemetry/templates/manifest_grafana.j2
@@ -7,9 +7,6 @@ spec:
  serviceAccount:
  annotations:
  serviceaccounts.openshift.io/oauth-redirectreference.primary: '{{ grafana_oauth_redir_ref | to_json }}'
- deployment:
- annotations:
- hash-of-creds-to-force-restart-if-changed: {{ grafana_htpasswd_auth_string | b64encode }}
  baseImage: {{ servicetelemetry_vars.graphing.grafana.base_image }}
  ingress:
  enabled: {{ servicetelemetry_vars.graphing.grafana.ingress_enabled }}
@@ -40,13 +37,12 @@ spec:
  - -provider=openshift
  - -pass-basic-auth=false
  - -https-address=:3002
- - -htpasswd-file=/etc/proxy/htpasswd/auth
  - -tls-cert=/etc/tls/private/tls.crt
  - -tls-key=/etc/tls/private/tls.key
  - -upstream=http://localhost:3000
  - -cookie-secret-file=/etc/proxy/secrets/session_secret
  - -openshift-service-account=grafana-serviceaccount
- - '-openshift-sar={"resource": "namespaces", "verb": "get"}'
+ - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafana", "group":"integreatly.org", "verb":"get"}'
  - -openshift-ca=/etc/pki/tls/cert.pem
  - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  ports:
@@ -58,12 +54,9 @@ spec:
  name: secret-{{ ansible_operator_meta.name }}-grafana-proxy-tls
  - mountPath: /etc/proxy/secrets
  name: secret-{{ ansible_operator_meta.name }}-session-secret
- - mountPath: /etc/proxy/htpasswd
- name: secret-{{ ansible_operator_meta.name }}-grafana-htpasswd
  secrets:
  - '{{ ansible_operator_meta.name }}-grafana-proxy-tls'
  - '{{ ansible_operator_meta.name }}-session-secret'
- - '{{ ansible_operator_meta.name }}-grafana-htpasswd'
  service:
  ports:
  - name: web