PR-108

This merge request is associated with a GitHub PR.

Please use caution before running the pipeline.


Created by: AdamJoelNichols


The {{- end }} tag's current placement means that if monitoring: false and istio: true, then a block containing istio data meant to be used by monitoring will still be rendered. However, the accompanying monitoring block within which the istio data should be enclosed is not rendered (please see examples below).

This, at its most benign, leads to superfluous data being added to the grafana.ini block. At its most disruptive, like when grafana.sso.enabled: true and grafana.sso.grafana.clientid is set, the issue leads to malformed yaml that can't be converted to json and therefore cannot be deployed to the cluster.

Moving the {{- end }} fixes these issues.

I found that this issue has surfaced previously here: #2426 (closed)

Pre-fix Examples:

Monitoring off, Istio on, SSO off

Note: scheme: https and below renders as part of grafana.ini which it should not

  grafana.ini:
    server:
      root_url: https://grafana.dev.bigbang.mil/

    auth.generic_oauth:
      enabled: false
      name: SSO                    
    scheme:      https
    tlsConfig:
      caFile: /etc/prom-certs/root-cert.pem
      certFile: /etc/prom-certs/cert-chain.pem
      keyFile: /etc/prom-certs/key.pem
      insecureSkipVerify: true

Monitoring off, Istio on, SSO on, ClientId set

Note: the scheme block now renders in such a way as to create malformed yaml

grafana.ini:
    server:
      root_url: https://grafana.dev.bigbang.mil/

    auth.generic_oauth:
      enabled: true
      name: SSO
      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
      scopes:      monkey_trial
      auth_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
      token_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
      api_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
      allow_sign_up: true
      role_attribute_path: Viewer                    
  extraSecretMounts:
    - name: auth-generic-oauth-secret
      mountPath: /etc/secrets/auth_generic_oauth
      secretName: grafana-sso
      defaultMode: 0440    
      readOnly: true
    scheme:      https
    tlsConfig:
      caFile: /etc/prom-certs/root-cert.pem
      certFile: /etc/prom-certs/cert-chain.pem
      keyFile: /etc/prom-certs/key.pem
      insecureSkipVerify: true

Post-fix Examples:

Monitoring off, Istio on, SSO off

Note: the monitoring block simply does not render

  grafana.ini:
    server:
      root_url: https://grafana.dev.bigbang.mil/

    auth.generic_oauth:
      enabled: false
      name: SSO

Monitoring off, Istio on, SSO on, ClientId set

Note: same as above, the monitoring block does not render

  grafana.ini:
    server:
      root_url: https://grafana.dev.bigbang.mil/

    auth.generic_oauth:
      enabled: true
      name: SSO
      client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
      client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
      scopes:      monkey_trial
      auth_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
      token_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
      api_url: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
      allow_sign_up: true
      role_attribute_path: Viewer                    
  extraSecretMounts:
    - name: auth-generic-oauth-secret
      mountPath: /etc/secrets/auth_generic_oauth
      secretName: grafana-sso
      defaultMode: 0440    
      readOnly: true
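
Added example, not part of the merge request or the chart's own code: a minimal Go `text/template` reproduction of the misplaced `{{- end }}` described above, with a check that flags Istio keys rendered without their monitoring parent. The two templates are constructed, simplified stand-ins, and the `serviceMonitor` parent key and the `render` and `orphaned` helpers are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed, simplified templates (not the chart's own); "serviceMonitor" is a
// hypothetical parent key. preFix closes the monitoring block before the istio
// block; postFix moves that end so the istio block is nested inside monitoring.
const preFix = `grafana.ini:
  auth.generic_oauth: {enabled: false}
{{- if .Values.monitoring.enabled }}
serviceMonitor:
{{- end }}
{{- if .Values.istio.enabled }}
  scheme: https
{{- end }}
`

const postFix = `grafana.ini:
  auth.generic_oauth: {enabled: false}
{{- if .Values.monitoring.enabled }}
serviceMonitor:
{{- if .Values.istio.enabled }}
  scheme: https
{{- end }}
{{- end }}
`

// render executes a template against Helm-style .Values with the two toggles set.
func render(tpl string, monitoring, istio bool) string {
	vals := map[string]interface{}{"Values": map[string]interface{}{
		"monitoring": map[string]interface{}{"enabled": monitoring},
		"istio":      map[string]interface{}{"enabled": istio},
	}}
	var sb strings.Builder
	if err := template.Must(template.New("t").Parse(tpl)).Execute(&sb, vals); err != nil {
		panic(err)
	}
	return sb.String()
}

// orphaned reports istio keys rendered without their monitoring parent.
func orphaned(out string) bool {
	return strings.Contains(out, "scheme: https") && !strings.Contains(out, "serviceMonitor:")
}

func main() {
	fmt.Println(orphaned(render(preFix, false, true)), orphaned(render(postFix, false, true)))
}
```

A check of this shape can run in CI over every combination of the two toggles, so a later template edit that moves the `end` back is caught before deployment.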
