[Bug] CRDS not working when Grafana running under protocol https #642

Closed
mohan-nagandlla opened this issue Dec 3, 2021 · 6 comments · Fixed by #772
Labels
bug Something isn't working help wanted Extra attention is needed triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@mohan-nagandlla

When I was running Grafana with the HTTPS protocol, the Grafana pod logs say:

server.go:3139: http: TLS handshake error from x.x.x.x:52193: remote error: tls: unknown certificate

When I deployed the dashboard resource file to upload a dashboard, it shows:

Warning  ProcessingError  2m56s (x101 over 38m)  controller_grafanadashboard  error getting folders, expected status 200 but got 400

I have enabled TLS for Grafana by using the config below:

spec:
  baseImage: grafana/grafana:8.0.3
  client:
    preferService: true
  config:
    auth:
      disable_login_form: false
      disable_signout_menu: true
    auth.anonymous:
      enabled: true
    log:
      level: warn
      mode: console
    server:
      cert_file: /etc/grafana/secrets/tls/tls.crt
      cert_key: /etc/grafana/secrets/tls/tls.key
      protocol: https
  dashboardLabelSelector:
  - matchExpressions:
    - key: app
      operator: In
      values:
      - grafana
  deployment:
    extraVolumeMounts:
    - mountPath: /etc/grafana/secrets/tls
      name: tls
    extraVolumes:
    - name: tls
      secret:
        secretName: root-secret
  livenessProbeSpec:
    scheme: HTTPS
  readinessProbeSpec:
    scheme: HTTPS
@mohan-nagandlla mohan-nagandlla added bug Something isn't working needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 3, 2021
@NissesSenap
Collaborator

That makes sense, nowhere in https://github.com/grafana-operator/grafana-operator/blob/d86b5191c5f1ee0a8d495d536ca17eee46e1531d/controllers/grafanadashboard/grafana_client.go#L86 do we take TLS into account.

We need to make use of TLS and get the secrets that are being applied in the Grafana server config.
The same goes for grafananotificationchannel.

It shouldn't be too hard, and it would be good to write some tests to verify this at the same time.

@NissesSenap NissesSenap added triage/accepted Indicates an issue or PR is ready to be actively worked on. help wanted Extra attention is needed and removed needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 5, 2021
@pb82
Collaborator

pb82 commented Dec 7, 2021

Possible fix:

If one of those fields is overridden, we need to import the certificate into our client:

    server:
      cert_file: /etc/grafana/secrets/tls/tls.crt
      cert_key: /etc/grafana/secrets/tls/tls.key

One remaining question is how we would discover the certificate secret. We could use predictable naming (needs to be documented, easy to miss, hard to find). Or another config property, e.g. podCertSecretName?
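
The suggestion above, importing Grafana's serving certificate into the operator's HTTP client, sketched as an added example. It is not the operator's code and not the fix merged in #772; `newGrafanaClient` and `demo` are hypothetical names, and a local `httptest` server with Go's built-in test certificate stands in for Grafana.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newGrafanaClient (hypothetical helper) keeps verification on and trusts only
// the PEM certificate(s) passed in, e.g. tls.crt from the mounted secret.
func newGrafanaClient(certPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(certPEM) {
		return nil, errors.New("no PEM certificate found in secret data")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// demo runs a constructed local HTTPS server in place of Grafana and returns
// the status seen by the pinned client plus the error a default client gets.
func demo() (int, error, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := newGrafanaClient(certPEM)
	if err != nil {
		return 0, nil, err
	}
	resp, err := client.Get(srv.URL + "/api/folders")
	if err != nil {
		return 0, nil, err
	}
	resp.Body.Close()
	// A client that was never given the certificate fails verification.
	_, defaultErr := (&http.Client{Timeout: 5 * time.Second}).Get(srv.URL + "/api/folders")
	return resp.StatusCode, defaultErr, nil
}

func main() {
	status, defaultErr, err := demo()
	fmt.Println("pinned status:", status, "setup error:", err, "default client error:", defaultErr)
}
```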

@mohan-nagandlla
Author

Any updates on this?

@mohan-nagandlla
Author

mohan-nagandlla commented Jan 24, 2022

Hi @pb82, we are able to use the extra mounts facility to decide where the secrets or config maps can be stored. Please concentrate on this: if we enable HTTPS, the scheme of both liveness and readiness has to change to HTTPS, and the internal communication would also be HTTPS; only then will the CRDS communication work fine.

@mohan-nagandlla
Author

Any updates on this?
