From da52757010a514581651d6c2499aac2494ae7d8c Mon Sep 17 00:00:00 2001
From: Chris Elias
Date: Thu, 29 Feb 2024 13:22:57 -0500
Subject: [PATCH 1/4] remove ghosttunnel from grafana and use default tls config
---
monitoring/tls/values-prom-operator-tls.yaml | 140 +++++++++----------
1 file changed, 70 insertions(+), 70 deletions(-)
diff --git a/monitoring/tls/values-prom-operator-tls.yaml b/monitoring/tls/values-prom-operator-tls.yaml
index db8d2220..4a8aa319 100644
--- a/monitoring/tls/values-prom-operator-tls.yaml
+++ b/monitoring/tls/values-prom-operator-tls.yaml
@@ -52,86 +52,86 @@ prometheus-node-exporter: # mountPath: /cert # readOnly: true +# grafana: +# readinessProbe: +# httpGet: +# scheme: HTTPS +# port: 443 +# livenessProbe: +# httpGet: +# scheme: HTTPS +# port: 443 + # extraContainers: | + # # Add square/ghosttunnel TLS proxy + # - name: tls-proxy + # args: + # - server + # - --listen=:443 + # - --target=127.0.0.1:3000 + # - --key=/cert/tls.key + # - --cert=/cert/tls.crt + # - --disable-authentication + # image: ghostunnel/ghostunnel:v1.7.1 + # imagePullPolicy: IfNotPresent + # ports: + # - name: https + # containerPort: 443 + # protocol: TCP + # resources: {} + # securityContext: + # allowPrivilegeEscalation: true + # privileged: true + # readOnlyRootFilesystem: true + # runAsNonRoot: false + # runAsUser: 0 + # terminationMessagePath: /dev/termination-log + # terminationMessagePolicy: File + # volumeMounts: + # - mountPath: /cert + # name: tls-proxy-secret + # readOnly: true + # extraContainerVolumes: + # - name: tls-proxy-secret + # secret: + # defaultMode: 420 + # secretName: grafana-tls-secret + # service: + # port: 443 + # targetPort: 443 + # sidecar: + # datasources: + # defaultDatasourceEnabled: false + # "grafana.ini": + # server: + # # Bind to localhost so https (tls-proxy) is the only way in + # http_addr: 127.0.0.1 + +# Commenting out for future reference with issue encountered when attempting to replace +# ghostunnel with Grafanas native TLS. 
+# Related GH Issue: https://github.com/prometheus-community/helm-charts/issues/3100 grafana: readinessProbe: httpGet: scheme: HTTPS - port: 443 + port: 3000 livenessProbe: httpGet: scheme: HTTPS - port: 443 - extraContainers: | - # Add square/ghosttunnel TLS proxy - - name: tls-proxy - args: - - server - - --listen=:443 - - --target=127.0.0.1:3000 - - --key=/cert/tls.key - - --cert=/cert/tls.crt - - --disable-authentication - image: ghostunnel/ghostunnel:v1.7.1 - imagePullPolicy: IfNotPresent - ports: - - name: https - containerPort: 443 - protocol: TCP - resources: {} - securityContext: - allowPrivilegeEscalation: true - privileged: true - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /cert - name: tls-proxy-secret - readOnly: true - extraContainerVolumes: - - name: tls-proxy-secret - secret: - defaultMode: 420 - secretName: grafana-tls-secret + port: 3000 + extraSecretMounts: + - name: grafana-tls + mountPath: /cert + secretName: grafana-tls-secret + readOnly: true + subPath: "" service: - port: 443 - targetPort: 443 + port: 3000 + targetPort: 3000 sidecar: datasources: defaultDatasourceEnabled: false "grafana.ini": server: - # Bind to localhost so https (tls-proxy) is the only way in - http_addr: 127.0.0.1 - -# Commenting out for future reference with issue encountered when attempting to replace -# ghostunnel with Grafanas native TLS. 
-# Related GH Issue: https://github.com/prometheus-community/helm-charts/issues/3100 -# grafana: -# readinessProbe: -# httpGet: -# scheme: HTTPS -# port: 3000 -# livenessProbe: -# httpGet: -# scheme: HTTPS -# port: 3000 -# extraSecretMounts: -# - name: grafana-tls -# mountPath: /cert -# secretName: grafana-tls-secret -# readOnly: true -# subPath: "" -# service: -# port: 3000 -# targetPort: 3000 -# sidecar: -# datasources: -# defaultDatasourceEnabled: false -# "grafana.ini": -# server: -# protocol: https -# cert_file: /cert/tls.crt -# cert_key: /cert/tls.key + protocol: https + cert_file: /cert/tls.crt + cert_key: /cert/tls.key From 6fa298912d85415dba9b33ee48e09bd5c5ad7d92 Mon Sep 17 00:00:00 2001 From: Chris Elias Date: Thu, 29 Feb 2024 14:42:46 -0500 Subject: [PATCH 2/4] clean up old ghosttunel refs --- monitoring/tls/values-prom-operator-tls.yaml | 57 -------------------- 1 file changed, 57 deletions(-) diff --git a/monitoring/tls/values-prom-operator-tls.yaml b/monitoring/tls/values-prom-operator-tls.yaml index 4a8aa319..8f34cf06 100644 --- a/monitoring/tls/values-prom-operator-tls.yaml +++ b/monitoring/tls/values-prom-operator-tls.yaml 
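Review bot: The new `grafana.ini.server` stanza at the end of the hunk turns on native HTTPS with `cert_file`/`cert_key` but does not pin a minimum protocol version, so the accepted TLS versions now depend on Grafana's built-in defaults rather than on the proxy that was removed. If the Grafana version shipped by the chart supports it, add `min_tls_version: TLS1.2` next to `protocol: https` so the floor is explicit in the values file. A second caveat worth a comment above `extraSecretMounts`: Grafana loads `/cert/tls.crt` and `/cert/tls.key` when it starts, so a rotated `grafana-tls-secret` presumably needs a pod restart to take effect unless the deployed version offers certificate reloading — confirm against the Grafana release in use. Dropping `http_addr: 127.0.0.1` is fine now that the listener itself terminates TLS, but the `service.port` move from 443 to 3000 means any ingress or datasource URL that still targets 443 must be updated in the same change.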
@@ -52,63 +52,6 @@ prometheus-node-exporter: # mountPath: /cert # readOnly: true -# grafana: -# readinessProbe: -# httpGet: -# scheme: HTTPS -# port: 443 -# livenessProbe: -# httpGet: -# scheme: HTTPS -# port: 443 - # extraContainers: | - # # Add square/ghosttunnel TLS proxy - # - name: tls-proxy - # args: - # - server - # - --listen=:443 - # - --target=127.0.0.1:3000 - # - --key=/cert/tls.key - # - --cert=/cert/tls.crt - # - --disable-authentication - # image: ghostunnel/ghostunnel:v1.7.1 - # imagePullPolicy: IfNotPresent - # ports: - # - name: https - # containerPort: 443 - # protocol: TCP - # resources: {} - # securityContext: - # allowPrivilegeEscalation: true - # privileged: true - # readOnlyRootFilesystem: true - # runAsNonRoot: false - # runAsUser: 0 - # terminationMessagePath: /dev/termination-log - # terminationMessagePolicy: File - # volumeMounts: - # - mountPath: /cert - # name: tls-proxy-secret - # readOnly: true - # extraContainerVolumes: - # - name: tls-proxy-secret - # secret: - # defaultMode: 420 - # secretName: grafana-tls-secret - # service: - # port: 443 - # targetPort: 443 - # sidecar: - # datasources: - # defaultDatasourceEnabled: false - # "grafana.ini": - # server: - # # Bind to localhost so https (tls-proxy) is the only way in - # http_addr: 127.0.0.1 - -# Commenting out for future reference with issue encountered when attempting to replace -# ghostunnel with Grafanas native TLS. -# Related GH Issue: https://github.com/prometheus-community/helm-charts/issues/3100 grafana: readinessProbe: httpGet: From 4a5b42d9e38fd2f776e93fbb3e5460d6b4fb0427 Mon Sep 17 00:00:00 2001 From: Chris Elias Date: Wed, 6 Mar 2024 06:40:11 -0500 Subject: [PATCH 3/4] update the changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fff3a3d0..2d5f768a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,8 @@ * **Metrics** * [FIX] Set environment variable `MON_TLS_PATH_INGRESS` to ensure correct datasource connection between Grafana and Promethues in [Azure Deployment sample](samples/azure-deployment). (Fixes #614) + * [CHANGE] Ghostunnel proxy has been removed from project. This was originally done for both Prometheus and Alertmanager. It has +now been removed from Grafana. * **Logging** * [FIX] Corrected comments referencing OpenSearch connection information in `samples/generic-base/logging/user-values-es-exporter.yaml` From 80471892091c57fdb9b6d0757090dccf6464d289 Mon Sep 17 00:00:00 2001 From: Chris Elias Date: Wed, 6 Mar 2024 12:55:46 -0500 Subject: [PATCH 4/4] change the changelog msg --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d5f768a..2c6bb706 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,7 @@ * **Metrics** * [FIX] Set environment variable `MON_TLS_PATH_INGRESS` to ensure correct datasource connection between Grafana and Promethues in [Azure Deployment sample](samples/azure-deployment). (Fixes #614) - * [CHANGE] Ghostunnel proxy has been removed from project. This was originally done for both Prometheus and Alertmanager. It has -now been removed from Grafana. + * [CHANGE] Replaced the ghostunnel sidecar proxy with Grafana's native TLS capabilities and eliminated ghostunnel from the project. * **Logging** * [FIX] Corrected comments referencing OpenSearch connection information in `samples/generic-base/logging/user-values-es-exporter.yaml`