remove ghosttunnel from grafana and use default tls config #618

Merged
merged 5 commits into from
Mar 12, 2024
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,7 @@
* **Metrics**
* [FIX] Set environment variable `MON_TLS_PATH_INGRESS` to ensure correct datasource connection between Grafana
and Promethues in [Azure Deployment sample](samples/azure-deployment). (Fixes #614)
* [CHANGE] Replaced the ghostunnel sidecar proxy with Grafana's native TLS capabilities and eliminated ghostunnel from the project.
* [UPGRADE] Kube-prometheus-stack Helm chart has been upgraded from version 54.0.1 to 56.6.2
* [UPGRADE] Prometheus Operator has been upgraded from version 0.69.1 to 0.71.2
* [UPGRADE] Prometheus has been upgraded from version 2.47.1 to 2.49.1
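Review bot: The new [CHANGE] entry covers the ghostunnel removal but not the port change that comes with it in monitoring/tls/values-prom-operator-tls.yaml, where the Grafana `service:` block lists `port`/`targetPort` as both 443 and 3000. Anything that addresses the Grafana service by port has to follow that change, so state the old and new port in this entry. While touching this block, "Promethues" in the [FIX] entry above is a typo for "Prometheus".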
83 changes: 13 additions & 70 deletions monitoring/tls/values-prom-operator-tls.yaml
Expand Up @@ -56,82 +56,25 @@ grafana:
readinessProbe:
httpGet:
scheme: HTTPS
port: 443
port: 3000
livenessProbe:
httpGet:
scheme: HTTPS
port: 443
extraContainers: |
# Add square/ghosttunnel TLS proxy
- name: tls-proxy
args:
- server
- --listen=:443
- --target=127.0.0.1:3000
- --key=/cert/tls.key
- --cert=/cert/tls.crt
- --disable-authentication
image: ghostunnel/ghostunnel:v1.7.1
imagePullPolicy: IfNotPresent
ports:
- name: https
containerPort: 443
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: true
privileged: true
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /cert
name: tls-proxy-secret
readOnly: true
extraContainerVolumes:
- name: tls-proxy-secret
secret:
defaultMode: 420
secretName: grafana-tls-secret
port: 3000
extraSecretMounts:
- name: grafana-tls
mountPath: /cert
secretName: grafana-tls-secret
readOnly: true
subPath: ""
service:
port: 443
targetPort: 443
port: 3000
targetPort: 3000
sidecar:
datasources:
defaultDatasourceEnabled: false
"grafana.ini":
server:
# Bind to localhost so https (tls-proxy) is the only way in
http_addr: 127.0.0.1

# Commenting out for future reference with issue encountered when attempting to replace
# ghostunnel with Grafanas native TLS.
# Related GH Issue: https://github.com/prometheus-community/helm-charts/issues/3100
# grafana:
# readinessProbe:
# httpGet:
# scheme: HTTPS
# port: 3000
# livenessProbe:
# httpGet:
# scheme: HTTPS
# port: 3000
# extraSecretMounts:
# - name: grafana-tls
# mountPath: /cert
# secretName: grafana-tls-secret
# readOnly: true
# subPath: ""
# service:
# port: 3000
# targetPort: 3000
# sidecar:
# datasources:
# defaultDatasourceEnabled: false
# "grafana.ini":
# server:
# protocol: https
# cert_file: /cert/tls.crt
# cert_key: /cert/tls.key
protocol: https
cert_file: /cert/tls.crt
cert_key: /cert/tls.key
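Review bot: The `"grafana.ini"` `server:` block at the end of this hunk loses its only explanatory comment ("Bind to localhost so https (tls-proxy) is the only way in") and the pointer to https://github.com/prometheus-community/helm-charts/issues/3100, and nothing replaces them. Add a short comment above `protocol: https` saying that Grafana now terminates TLS itself with the key pair mounted from `grafana-tls-secret` at `/cert`, and note in the PR description what resolved the linked issue so the history is not lost with the deleted comment block. The literal 3000 now appears in the readiness probe, the liveness probe and the service `port`/`targetPort`; a one-line comment that these must match Grafana's listen port would help the next editor. Dropping the sidecar also removes the `privileged: true` / `runAsUser: 0` container, which is worth calling out in the PR description as a hardening gain.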