Merge pull request #602 from openshift-cherrypick-robot/cherry-pick-5…

…30-to-release-4.2 Bug 1788477: trustedCA bundle support for grafana oauth proxy
openshift · Jan 8, 2020 · b57610e · b57610e
2 parents b60c223 + 89906fc
commit b57610e
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 11 deletions.
diff --git a/assets/grafana/trusted-ca-bundle.yaml b/assets/grafana/trusted-ca-bundle.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  ca-bundle.crt: ""
+kind: ConfigMap
+metadata:
+  labels:
+    config.openshift.io/inject-trusted-cabundle: "true"
+  name: grafana-trusted-ca-bundle
+  namespace: openshift-monitoring
diff --git a/jsonnet/grafana.jsonnet b/jsonnet/grafana.jsonnet
@@ -88,6 +88,10 @@ local authorizationRole = policyRule.new() +
   },
 
   grafana+:: {
+    trustedCaBundle:
+      configmap.new('grafana-trusted-ca-bundle', { 'ca-bundle.crt': '' }) +
+      configmap.mixin.metadata.withNamespace($._config.namespace) +
+      configmap.mixin.metadata.withLabels({ 'config.openshift.io/inject-trusted-cabundle': 'true' }),
 
     // OpenShift route to access the Grafana UI.
 

diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -129,6 +129,7 @@ var (
 	GrafanaServiceAccount       = "assets/grafana/service-account.yaml"
 	GrafanaService              = "assets/grafana/service.yaml"
 	GrafanaServiceMonitor       = "assets/grafana/service-monitor.yaml"
+	GrafanaTrustedCABundle      = "assets/grafana/trusted-ca-bundle.yaml"
 
 	ClusterMonitoringOperatorService        = "assets/cluster-monitoring-operator/service.yaml"
 	ClusterMonitoringOperatorServiceMonitor = "assets/cluster-monitoring-operator/service-monitor.yaml"
@@ -1326,7 +1327,19 @@ func (f *Factory) GrafanaDashboardSources() (*v1.ConfigMap, error) {
 	return c, nil
 }
 
-func (f *Factory) GrafanaDeployment() (*appsv1.Deployment, error) {
+func (f *Factory) GrafanaTrustedCABundle() (*v1.ConfigMap, error) {
+	cm, err := f.NewConfigMap(MustAssetReader(GrafanaTrustedCABundle))
+	if err != nil {
+		return nil, err
+	}
+
+	return cm, nil
+}
+
+// GrafanaDeployment generates a new Deployment for Grafana.
+// If the passed ConfigMap is not empty it mounts the Trusted CA Bundle as a VolumeMount to
+// /etc/pki/ca-trust/extracted/pem/ location.
+func (f *Factory) GrafanaDeployment(proxyCABundleCM *v1.ConfigMap) (*appsv1.Deployment, error) {
 	d, err := f.NewDeployment(MustAssetReader(GrafanaDeployment))
 	if err != nil {
 		return nil, err
@@ -1380,6 +1393,17 @@ func (f *Factory) GrafanaDeployment() (*appsv1.Deployment, error) {
 		d.Spec.Template.Spec.Tolerations = f.config.GrafanaConfig.Tolerations
 	}
 
+	if proxyCABundleCM != nil {
+		volumeName := "grafana-trusted-ca-bundle"
+		d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, trustedCABundleVolumeMount(volumeName, "/etc/pki/ca-trust/extracted/pem/"))
+		volume := trustedCABundleVolume(proxyCABundleCM.Name, volumeName)
+		volume.VolumeSource.ConfigMap.Items = append(volume.VolumeSource.ConfigMap.Items, v1.KeyToPath{
+			Key:  "ca-bundle.crt",
+			Path: "tls-ca-bundle.pem",
+		})
+		d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, volume)
+	}
+
 	d.Namespace = f.namespace
 
 	return d, nil

diff --git a/pkg/manifests/manifests_test.go b/pkg/manifests/manifests_test.go
@@ -323,7 +323,12 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, err = f.GrafanaDeployment()
+	_, err = f.GrafanaTrustedCABundle()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = f.GrafanaDeployment(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -368,6 +373,11 @@ func TestUnconfiguredManifests(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	_, err = f.TelemeterClientDeployment(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	_, err = f.TelemeterTrustedCABundle()
 	if err != nil {
 		t.Fatal(err)

diff --git a/pkg/tasks/grafana.go b/pkg/tasks/grafana.go
@@ -137,15 +137,45 @@ func (t *GrafanaTask) Run() error {
 	if err != nil {
 		return errors.Wrap(err, "reconciling Grafana Service failed")
 	}
-
-	d, err := t.factory.GrafanaDeployment()
-	if err != nil {
-		return errors.Wrap(err, "initializing Grafana Deployment failed")
-	}
-
-	err = t.client.CreateOrUpdateDeployment(d)
-	if err != nil {
-		return errors.Wrap(err, "reconciling Grafana Deployment failed")
+	{
+		// Create trusted CA bundle ConfigMap.
+		trustedCA, err := t.factory.GrafanaTrustedCABundle()
+		if err != nil {
+			return errors.Wrap(err, "initializing Grafana CA bundle ConfigMap failed")
+		}
+
+		trustedCA, err = t.client.CreateIfNotExistConfigMap(trustedCA)
+		if err != nil {
+			return errors.Wrap(err, " creating Grafana CA bundle ConfigMap failed")
+		}
+
+		// In the case when there is no data but the ConfigMap is there, we just continue.
+		// We will catch this on the next loop.
+		trustedCA = t.factory.HashTrustedCA(trustedCA, "grafana")
+		if trustedCA != nil {
+			err = t.client.CreateOrUpdateConfigMap(trustedCA)
+			if err != nil {
+				return errors.Wrap(err, "reconciling Grafana CA bundle ConfigMap failed")
+			}
+
+			err = t.client.DeleteHashedConfigMap(
+				string(trustedCA.Labels["monitoring.openshift.io/hash"]),
+				"grafana",
+			)
+			if err != nil {
+				return errors.Wrap(err, "deleting old Grafana configmaps failed")
+			}
+		}
+
+		d, err := t.factory.GrafanaDeployment(trustedCA)
+		if err != nil {
+			return errors.Wrap(err, "initializing Grafana Deployment failed")
+		}
+
+		err = t.client.CreateOrUpdateDeployment(d)
+		if err != nil {
+			return errors.Wrap(err, "reconciling Grafana Deployment failed")
+		}
 	}
 
 	sm, err := t.factory.GrafanaServiceMonitor()