Merge pull request #731 from sassoftware/grafana-service-monitor

Add service monitor TLS settings to helm and remove patch

Author: ceelias

CHANGELOG.md

@@ -7,13 +7,15 @@ be installed.  Specifically, a recent version (4.32+) of the [Golang-based (Mike
 needs to be installed.
   * [EXPERIMENTAL] The auto-generation of Ingress resources for the web applications is now available on an *experimental*
 basis.  Users are **only** required to provide a BASE_DOMAIN (e.g. cluster.example.com).  Host-based ingress is configured
-by default although path-based ingress can be requested.  This *experimental* feature requires `yq` (Mike Farah) version 
+by default although path-based ingress can be requested.  This *experimental* feature requires `yq` (Mike Farah) version
 4.32.2+ be installed.  See [Autogenerated Ingress Definitions and Storage Class References](autogenerate.md) for more information.
 * **Metrics**
   * [FIX] Corrected bug preventing the `create_logging_datasource.sh` script from being run on OpenShift clusters.
   * [CHANGE] As part of making the above fix, obsolete functionality related to running the `create_logging_datasource.sh`
 script to deploy datasource within namespace/tenant-level instances of Grafana was removed.
   * [FIX] Corrected timing of call to `create_logging_datasource.sh` script within `deploy_monitoring_openshift.sh` script.
+  * [CHANGE] The v4m-grafana service monitor was previously patched when TLS was enabled to defind the tlsConfig section. This is now
+defined in `values-prom-operator-tls.yaml` to be consistent with the other services and is no longer patched.
 * **Logging**
   * [FIX] Corrected a bug preventing requested container image details, inc. registry info, from being honored
   * [CHANGE]  The pod labels assigned to the OpenSearch Dashboards pod changed as part of the upgrade (see below).

monitoring/bin/deploy_monitoring_cluster.sh

@@ -110,7 +110,7 @@ if [ "$PROM_OPERATOR_CRD_UPDATE" == "true" ]; then
   log_verbose "Updating Prometheus Operator custom resource definitions"
   crds=( alertmanagerconfigs alertmanagers prometheuses prometheusrules podmonitors servicemonitors thanosrulers probes )
   for crd in "${crds[@]}"; do
-    
+
     ## Determine CRD URL - if in an airgap environment, look for them in USER_DIR.
     if [ "$AIRGAP_DEPLOYMENT" == "true" ]; then
       crdURL=$USER_DIR/monitoring/prometheus-operator-crd/$PROM_OPERATOR_CRD_VERSION/monitoring.coreos.com_$crd.yaml
@@ -124,7 +124,7 @@ if [ "$PROM_OPERATOR_CRD_UPDATE" == "true" ]; then
       fi
     else
       crdURL="https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/$PROM_OPERATOR_CRD_VERSION/example/prometheus-operator-crd/monitoring.coreos.com_$crd.yaml"
-    fi 
+    fi
 
     if kubectl get crd $crd.monitoring.coreos.com 1>/dev/null 2>&1; then
       kubectl replace -f $crdURL
@@ -390,12 +390,6 @@ helm $helmDebug upgrade --install $promRelease \
 
 sleep 2
 
-if [ "$TLS_ENABLE" == "true" ]; then
-  log_verbose "Patching Grafana ServiceMonitor for TLS"
-  kubectl patch servicemonitor -n $MON_NS $promName-grafana --type=json \
-    -p='[{"op": "replace", "path": "/spec/endpoints/0/scheme", "value":"https"},{"op": "replace", "path": "/spec/endpoints/0/tlsConfig", "value":{}},{"op": "replace", "path": "/spec/endpoints/0/tlsConfig/insecureSkipVerify", "value":true}]'
-fi
-
 #Container Security: Disable serviceAccount Token Automounting
 disable_sa_token_automount $MON_NS v4m-grafana
 disable_sa_token_automount $MON_NS sas-ops-acct      #Used w/Prometheus
@@ -543,13 +537,11 @@ fi
 
 if [ "$showPass" == "true" ]; then
   # Find the grafana pod
- 
+
   log_notice " Generated Grafana admin password is: $grafanaPwd"
   log_notice " To change the password, run the following script (replace myNewPassword with an updated password):"
   log_notice " monitoring/bin/change_grafana_admin_password.sh -p myNewPassword"
 fi
 
 log_message ""
 log_notice " Successfully deployed components to the [$MON_NS] namespace"
-
-

monitoring/tls/values-prom-operator-tls.yaml

@@ -40,10 +40,10 @@ alertmanager:
 
 prometheus-node-exporter:
   extraArgs:
-  - '--web.config.file=/opt/node-exporter/node-exporter-web.yaml'
+    - "--web.config.file=/opt/node-exporter/node-exporter-web.yaml"
   configmaps:
-  - name: node-exporter-tls-web-config
-    mountPath: /opt/node-exporter
+    - name: node-exporter-tls-web-config
+      mountPath: /opt/node-exporter
 
 # node-exporter helm chart does not yet support HTTPS
 # node-exporter:
@@ -62,11 +62,11 @@ grafana:
       scheme: HTTPS
       port: 3000
   extraSecretMounts:
-  - name: grafana-tls
-    mountPath: /cert
-    secretName: grafana-tls-secret
-    readOnly: true
-    subPath: ""
+    - name: grafana-tls
+      mountPath: /cert
+      secretName: grafana-tls-secret
+      readOnly: true
+      subPath: ""
   service:
     port: 3000
     targetPort: 3000
@@ -80,6 +80,10 @@ grafana:
       reloadURL: "https://localhost:3000/api/admin/provisioning/datasources/reload"
       env:
         REQ_SKIP_TLS_VERIFY: true
+  serviceMonitor:
+    scheme: https
+    tlsConfig:
+      insecureSkipVerify: true
   "grafana.ini":
     server:
       protocol: https