diff --git a/roles/servicetelemetry/tasks/component_grafana.yml b/roles/servicetelemetry/tasks/component_grafana.yml index be90e6517..068507610 100644 --- a/roles/servicetelemetry/tasks/component_grafana.yml +++ b/roles/servicetelemetry/tasks/component_grafana.yml @@ -7,8 +7,43 @@ kind: Route name: 'grafana-route' -- name: Create htpasswd secret for grafana admin +- name: Check for existing grafana htpasswd secret no_log: true + k8s_info: + api_version: v1 + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-grafana-htpasswd' + register: grafana_htpasswd_secret + +- block: + - name: Parse current Grafana htpasswd salt from secret + no_log: true + set_fact: + grafana_htpasswd_salt: "{{ ((grafana_htpasswd_secret.resources[0].data.auth | b64decode).split('$')[-1])[0:22] }}" + rescue: + - name: Generate initial Grafana htpasswd bcrypt string from grafana.admin_password + no_log: true + set_fact: + init_grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt') | replace('$2b$','$2y$', 1)) }}" + + - name: Read newly generated Grafana htpasswd salt + no_log: true + set_fact: + grafana_htpasswd_salt: "{{ (init_grafana_htpasswd_bcrypt_string.split('$')[-1])[0:22] }}" + always: + - name: Generate Grafana htpasswd bcrypt string from grafana.adminPassword using salt + no_log: true + set_fact: + grafana_htpasswd_bcrypt_string: "{{ (servicetelemetry_vars.graphing.grafana.admin_password | password_hash('bcrypt', grafana_htpasswd_salt) | replace('$2b$','$2y$', 1)) }}" + + - name: Generate Grafana auth string from grafana.adminUser and grafana_htpasswd_bcrypt_string + no_log: true + set_fact: + grafana_htpasswd_auth_string: "{{ servicetelemetry_vars.graphing.grafana.admin_user }}:{{ grafana_htpasswd_bcrypt_string }}" + +- name: Create or patch htpasswd secret for grafana admin + no_log: false k8s: definition: api_version: v1 
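Review bot: The "Create or patch htpasswd secret for grafana admin" task switches to `no_log: false`, so the task's arguments and the k8s module's returned resource — which carry `stringData.auth`, i.e. `admin_user:$2y$...` bcrypt hash of the Grafana admin password — are now written to the operator's log on every reconcile, whereas the task it replaces ran with `no_log: true` and every other task in this hunk that touches the hash keeps `no_log: true`. A bcrypt hash in a log is an offline-crackable credential that anyone with log access can collect, so the task should go back to `no_log: true`; if the flip was to debug the block/rescue flow, use a separate `debug` task gated on a variable rather than logging the Secret. Note also that the `rescue:` branch runs on any failure of the parse task, not only on a missing Secret, so a malformed or non-bcrypt `auth` value is silently replaced with a freshly salted hash rather than reported; that is probably acceptable, but worth a comment such as `# rescue: no existing Secret (or unparseable auth) -> generate a new salt` so the next reader does not mistake it for an error path. The enclosing task's `k8s: definition:` continues past the end of this hunk.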
@@ -18,7 +53,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' type: Opaque stringData: - auth: '{{ servicetelemetry_vars.graphing.grafana.admin_user }}:{{ servicetelemetry_vars.graphing.grafana.admin_password | password_hash("bcrypt") | replace("$2b$","$2y$", 1) }}' + auth: '{{ grafana_htpasswd_auth_string }}' - name: Lookup template debug: 
@@ -34,49 +69,49 @@ state: '{{ "present" if servicetelemetry_vars.graphing.enabled else "absent" }}' definition: '{{ grafana_manifest }}' - when: servicetelemetry_vars.graphing.enabled - when: servicetelemetry_vars.graphing.enabled block: - - when: servicetelemetry_vars.backends.metrics.prometheus.enabled - block: - - name: Retrieve configmap for OAUTH CA certs - k8s_info: - api_version: v1 - kind: ConfigMap - name: serving-certs-ca-bundle - namespace: '{{ ansible_operator_meta.namespace }}' - register: serving_certs_ca + - when: servicetelemetry_vars.backends.metrics.prometheus.enabled + block: + - name: Retrieve configmap for OAUTH CA certs + k8s_info: + api_version: v1 + kind: ConfigMap + name: serving-certs-ca-bundle + namespace: '{{ ansible_operator_meta.namespace }}' + register: serving_certs_ca - - name: Retrieve prometheus secret - k8s_info: - api_version: v1 - kind: Secret - namespace: '{{ ansible_operator_meta.namespace }}' - name: '{{ ansible_operator_meta.name }}-prometheus-htpasswd' - register: prometheus_secret + - name: Retrieve prometheus secret + k8s_info: + api_version: v1 + kind: Secret + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ ansible_operator_meta.name }}-prometheus-htpasswd' + register: prometheus_secret - - name: Decode prometheus password - no_log: true - set_fact: - prom_basicauth_passwd: '{{ prometheus_secret.resources[0].data.password | b64decode }}' + - name: Decode prometheus password + no_log: true + set_fact: + prom_basicauth_passwd: '{{ prometheus_secret.resources[0].data.password | b64decode }}' - # Lookup existing datasources - - name: Remove legacy datasources - k8s: - api_version: integreatly.org/v1alpha1 - name: '{{ ansible_operator_meta.name }}-ds-prometheus' - kind: GrafanaDataSource - namespace: '{{ ansible_operator_meta.namespace }}' - state: absent + # Lookup existing datasources + - name: Remove legacy datasources + k8s: + api_version: integreatly.org/v1alpha1 + name: '{{ ansible_operator_meta.name 
}}-ds-prometheus' + kind: GrafanaDataSource + namespace: '{{ ansible_operator_meta.namespace }}' + state: absent - - name: Set datasources - set_fact: - ds_manifest: "{{ lookup('template', './manifest_grafana_ds.j2') | from_yaml }}" - when: ds_manifest is not defined + # NOTE: this can fail if you enable grafana without prometheus due to missing resources referenced in the template + - name: Set datasources + set_fact: + ds_manifest: "{{ lookup('template', './manifest_grafana_ds.j2') | from_yaml }}" + when: ds_manifest is not defined - - name: Create the datasources - k8s: - state: '{{ "present" if servicetelemetry_vars.graphing.enabled else "absent" }}' - definition: - '{{ ds_manifest }}' + - name: Create the datasources + k8s: + state: '{{ "present" if servicetelemetry_vars.graphing.enabled else "absent" }}' + definition: + '{{ ds_manifest }}' diff --git a/roles/servicetelemetry/tasks/main.yml b/roles/servicetelemetry/tasks/main.yml index 11dfc1629..ce615f25b 100644 --- a/roles/servicetelemetry/tasks/main.yml +++ b/roles/servicetelemetry/tasks/main.yml @@ -71,6 +71,7 @@ - has_elasticsearch_api | bool - has_certmanager_api | bool - observability_strategy in ['use_community', 'use_hybrid'] + - servicetelemetry_vars.backends.events.elasticsearch.enabled | bool # --> backends.logs - name: Check if we have loki API @@ -99,17 +100,11 @@ set_fact: has_integreatly_api: "{{ True if 'integreatly.org' in api_groups else False }}" -- name: Deploy graphing - block: - - name: Create Grafana instance - include_tasks: component_grafana.yml - -# TODO -# - name: Create dashboards -# include_tasks: component_dashboards.yml - when: +- when: - has_integreatly_api | bool - observability_strategy in ['use_community', 'use_hybrid'] + name: Start graphing component plays + include_tasks: component_grafana.yml # Post deployment tasks - name: Post-setup 
diff --git a/roles/servicetelemetry/templates/manifest_grafana.j2 b/roles/servicetelemetry/templates/manifest_grafana.j2 index d2b26eb34..792f7065c 100644 --- a/roles/servicetelemetry/templates/manifest_grafana.j2 +++ b/roles/servicetelemetry/templates/manifest_grafana.j2 @@ -9,7 +9,7 @@ spec: serviceaccounts.openshift.io/oauth-redirectreference.primary: '{{ grafana_oauth_redir_ref | to_json }}' deployment: annotations: - hash-of-creds-to-force-restart-if-changed: {{ (servicetelemetry_vars.graphing.grafana.admin_user + servicetelemetry_vars.graphing.grafana.admin_password) | password_hash('sha256', (session_secret | b64encode)[:16] ) }} + hash-of-creds-to-force-restart-if-changed: {{ grafana_htpasswd_auth_string | b64encode }} baseImage: {{ servicetelemetry_vars.graphing.grafana.base_image }} ingress: enabled: {{ servicetelemetry_vars.graphing.grafana.ingress_enabled }} diff --git a/roles/servicetelemetry/vars/dummy_user_certs.yml b/roles/servicetelemetry/vars/dummy_user_certs.yml index 1ac2c152f..e352309d1 100644 --- a/roles/servicetelemetry/vars/dummy_user_certs.yml +++ b/roles/servicetelemetry/vars/dummy_user_certs.yml @@ -53,4 +53,4 @@ elastic_user_key_dummy: | njxhAQKBgQD0lOpKtL8qz9gmqtkhDRe+EPHSX8rfirqqRrPUiwK7kAJeW2vtU8aa hFT7lEDjb7ERyZfybIkTVVBipKx2yse9nE+1dPGIgZop3E1guDuF9aOAzIUd/+/s CI7s/lIBZsPD3PyxXXRtsvN7iUv5tLvNFhfomB7miTYHE+MC5QHJVQ== - -----END RSA PRIVATE KEY----- \ No newline at end of file + -----END RSA PRIVATE KEY-----
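Review bot: The new `hash-of-creds-to-force-restart-if-changed` annotation is `grafana_htpasswd_auth_string | b64encode`, which is not a hash but a reversible encoding of `admin_user:$2y$...`, so the full bcrypt hash of the Grafana admin password now sits in a Deployment (and its Pod template) annotation, readable by anyone with `get` on deployments/pods in the namespace — a much wider audience than the Secret that the htpasswd string is otherwise confined to, and RBAC is commonly scoped to keep secrets narrower than workloads. The line it replaces stored only a salted sha256 digest; the same property can be kept while still benefiting from the now-stable salt by digesting the string instead, e.g. `hash-of-creds-to-force-restart-if-changed: {{ grafana_htpasswd_auth_string | hash('sha256') }}`, which still changes exactly when the admin user or password changes and is fixed across reconciles because the salt is reused from the existing Secret. The surrounding `spec.deployment` mapping continues beyond this hunk.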