PR-108
This Merge Request is associated with a GitHub PR.
Please use caution before running the pipeline.
Created by: AdamJoelNichols
The {{- end }} tag's current placement means that if monitoring: false and istio: true, then a block containing istio data meant to be used by monitoring will still be rendered. However, the accompanying monitoring block within which the istio data should be enclosed is not rendered (please see examples below).
This, at its most benign, leads to superfluous data being added to the grafana.ini block. At its most disruptive, like when grafana.sso.enabled: true and grafana.sso.grafana.clientid is set, the issue leads to malformed yaml that can't be converted to json and therefore cannot be deployed to the cluster.
Moving the {{- end }} fixes these issues.
I found that this issue has surfaced previously here: #2426 (closed)
Pre-fix Examples:
Monitoring off, Istio on, SSO off
Note: scheme: https and below renders as part of grafana.ini which it should not
grafana.ini:
server:
root_url: https://grafana.dev.bigbang.mil/
auth.generic_oauth:
enabled: false
name: SSO
scheme: https
tlsConfig:
caFile: /etc/prom-certs/root-cert.pem
certFile: /etc/prom-certs/cert-chain.pem
keyFile: /etc/prom-certs/key.pem
insecureSkipVerify: true
Monitoring off, Istio on, SSO on, ClientId set
Note: the scheme block now renders in such a way as to create malformed yaml
grafana.ini:
server:
root_url: https://grafana.dev.bigbang.mil/
auth.generic_oauth:
enabled: true
name: SSO
client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
scopes: monkey_trial
auth_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
token_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
api_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
allow_sign_up: true
role_attribute_path: Viewer
extraSecretMounts:
- name: auth-generic-oauth-secret
mountPath: /etc/secrets/auth_generic_oauth
secretName: grafana-sso
defaultMode: 0440
readOnly: true
scheme: https
tlsConfig:
caFile: /etc/prom-certs/root-cert.pem
certFile: /etc/prom-certs/cert-chain.pem
keyFile: /etc/prom-certs/key.pem
insecureSkipVerify: true
Post-fix Examples:
Monitoring off, Istio on, SSO off
Note: the monitoring block simply does not render
grafana.ini:
server:
root_url: https://grafana.dev.bigbang.mil/
auth.generic_oauth:
enabled: false
name: SSO
Monitoring off, Istio on, SSO on, ClientId set
Note: same as above, the monitoring block does not render
grafana.ini:
server:
root_url: https://grafana.dev.bigbang.mil/
auth.generic_oauth:
enabled: true
name: SSO
client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
scopes: monkey_trial
auth_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
token_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
api_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
allow_sign_up: true
role_attribute_path: Viewer
extraSecretMounts:
- name: auth-generic-oauth-secret
mountPath: /etc/secrets/auth_generic_oauth
secretName: grafana-sso
defaultMode: 0440
readOnly: true
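The effect of the `{{- end }}` placement described in this merge request can be reproduced with Go's text/template, the engine Helm templates are built on. This is an added example, not code from the PR or the Big Bang chart: both templates are constructed and simplified, and the `serviceMonitor` key and the `monitoring`/`istio` map keys are hypothetical stand-ins for the chart's values.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed templates, not the chart source; serviceMonitor is a hypothetical key.
const buggy = `grafana.ini:
  auth.generic_oauth:
    enabled: false
{{- if .monitoring }}
serviceMonitor:
{{- end }}
{{- if .istio }}
  scheme: https
  tlsConfig:
    insecureSkipVerify: true
{{- end }}
`

// fixed: the monitoring {{- end }} now closes after the istio block.
const fixed = `grafana.ini:
  auth.generic_oauth:
    enabled: false
{{- if .monitoring }}
serviceMonitor:
{{- if .istio }}
  scheme: https
  tlsConfig:
    insecureSkipVerify: true
{{- end }}
{{- end }}
`

// render executes tmpl with the two toggles set as given.
func render(tmpl string, monitoring, istio bool) string {
	var b strings.Builder
	t := template.Must(template.New("values").Parse(tmpl))
	if err := t.Execute(&b, map[string]bool{"monitoring": monitoring, "istio": istio}); err != nil {
		panic(err)
	}
	return b.String()
}

func main() { // monitoring off, istio on
	fmt.Printf("pre-fix:\n%s\npost-fix:\n%s", render(buggy, false, true), render(fixed, false, true))
}
```

With monitoring off and istio on, the pre-fix template emits `scheme` and `tlsConfig` directly under `grafana.ini`, while the post-fix template emits neither.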