refactor: [#272] Replace tls with domain+use_tls_proxy for Grafana

Step 7.5.4 of configuration restructuring:

- Replace tls: Option<TlsSection> with domain: Option<String> + use_tls_proxy
- Update GrafanaSection DTO with new fields and validation
- Update GrafanaConfig domain type with new constructor signature
- Update docker compose context builder to use use_tls_proxy()
- Update show command tests for Grafana
- Update envs/manual-https-test.json to use new configuration format
- Update spec document marking Step 7.5.4 complete

This change simplifies the configuration model for Grafana, making
TLS proxy enablement explicit rather than inferred from the presence
of a tls section. Note: Grafana has no configurable bind address, so
no localhost+TLS validation is needed.

Author: josecelano

docs/issues/272-add-https-support-with-caddy.md

@@ -1467,15 +1467,15 @@ The implementation is split into incremental steps, one service type at a time,
 
 ##### Step 7.5.4: Grafana
 
-- [ ] Add `domain: Option<String>` and `use_tls_proxy: Option<bool>` to `GrafanaSection` DTO
-- [ ] Update `GrafanaConfig` domain type
-- [ ] Add validation rules (note: Grafana has no configurable bind address, so localhost validation not needed)
-- [ ] Update Caddy template for Grafana
-- [ ] Update show command `ServiceInfo` for Grafana
-- [ ] Update `envs/manual-https-test.json` for Grafana
-- [ ] Remove `TlsSection` from Grafana
-- [ ] Add unit tests
-- [ ] Run E2E tests
+- [x] Add `domain: Option<String>` and `use_tls_proxy: Option<bool>` to `GrafanaSection` DTO
+- [x] Update `GrafanaConfig` domain type
+- [x] Add validation rules (note: Grafana has no configurable bind address, so localhost validation not needed)
+- [x] Update Caddy template for Grafana
+- [x] Update show command `ServiceInfo` for Grafana
+- [x] Update `envs/manual-https-test.json` for Grafana
+- [x] Remove `TlsSection` from Grafana
+- [x] Add unit tests
+- [x] Run E2E tests
 
 ##### Step 7.5.5: Cleanup and Final Verification
 

src/application/command_handlers/create/config/environment_config.rs

@@ -410,7 +410,7 @@ impl EnvironmentCreationConfig {
 
         // Check Grafana
         if let Some(ref grafana) = self.grafana {
-            if grafana.tls.is_some() {
+            if grafana.use_tls_proxy == Some(true) {
                 return true;
             }
         }

src/application/command_handlers/create/config/grafana.rs

@@ -8,9 +8,7 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::application::command_handlers::create::config::errors::CreateConfigError;
-use crate::application::command_handlers::create::config::https::TlsSection;
 use crate::domain::grafana::GrafanaConfig;
-use crate::domain::tls::TlsConfig;
 use crate::shared::secrets::PlainPassword;
 
 use crate::shared::DomainName;
@@ -35,14 +33,13 @@ use crate::shared::DomainName;
 /// }
 /// ```
 ///
-/// With TLS configuration:
+/// With TLS proxy configuration:
 /// ```json
 /// {
 ///     "admin_user": "admin",
 ///     "admin_password": "admin",
-///     "tls": {
-///         "domain": "grafana.example.com"
-///     }
+///     "domain": "grafana.example.com",
+///     "use_tls_proxy": true
 /// }
 /// ```
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
@@ -56,12 +53,21 @@ pub struct GrafanaSection {
     /// to prevent accidental exposure in logs or debug output.
     pub admin_password: PlainPassword,
 
-    /// Optional TLS configuration for HTTPS
+    /// Domain name for external HTTPS access (optional)
     ///
-    /// When present, Grafana will be proxied through Caddy with HTTPS enabled.
-    /// The domain specified will be used for Let's Encrypt certificate acquisition.
+    /// When present, defines the domain at which Grafana will be accessible.
+    /// Caddy uses this for automatic certificate management.
     #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub tls: Option<TlsSection>,
+    pub domain: Option<String>,
+
+    /// Whether to use TLS proxy via Caddy (default: false)
+    ///
+    /// When true:
+    /// - Caddy handles HTTPS termination with automatic certificates
+    /// - Requires a domain to be configured
+    /// - Grafana is accessed via HTTPS through Caddy
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub use_tls_proxy: Option<bool>,
 }
 
 impl Default for GrafanaSection {
@@ -70,7 +76,8 @@ impl Default for GrafanaSection {
         Self {
             admin_user: default_config.admin_user().to_string(),
             admin_password: default_config.admin_password().expose_secret().to_string(),
-            tls: None,
+            domain: None,
+            use_tls_proxy: None,
         }
     }
 }
@@ -84,26 +91,38 @@ impl GrafanaSection {
     ///
     /// # Errors
     ///
-    /// Returns `CreateConfigError::InvalidDomain` if the TLS domain is invalid.
+    /// Returns `CreateConfigError::InvalidDomain` if the domain is invalid.
+    /// Returns `CreateConfigError::TlsProxyWithoutDomain` if `use_tls_proxy`
+    /// is true but no domain is provided.
     pub fn to_grafana_config(&self) -> Result<GrafanaConfig, CreateConfigError> {
-        let config = match &self.tls {
-            Some(tls_section) => {
-                tls_section.validate()?;
-                let domain = DomainName::new(&tls_section.domain).map_err(|e| {
+        let use_tls_proxy = self.use_tls_proxy.unwrap_or(false);
+
+        // Validate: use_tls_proxy requires domain
+        if use_tls_proxy && self.domain.is_none() {
+            return Err(CreateConfigError::TlsProxyWithoutDomain {
+                service_type: "Grafana".to_string(),
+                bind_address: "N/A (hardcoded port 3000)".to_string(),
+            });
+        }
+
+        // Parse domain if present
+        let domain =
+            match &self.domain {
+                Some(domain_str) => Some(DomainName::new(domain_str).map_err(|e| {
                     CreateConfigError::InvalidDomain {
-                        domain: tls_section.domain.clone(),
+                        domain: domain_str.clone(),
                         reason: e.to_string(),
                     }
-                })?;
-                GrafanaConfig::with_tls(
-                    self.admin_user.clone(),
-                    self.admin_password.clone(),
-                    TlsConfig::new(domain),
-                )
-            }
-            None => GrafanaConfig::new(self.admin_user.clone(), self.admin_password.clone()),
-        };
-        Ok(config)
+                })?),
+                None => None,
+            };
+
+        Ok(GrafanaConfig::new(
+            self.admin_user.clone(),
+            self.admin_password.clone(),
+            domain,
+            use_tls_proxy,
+        ))
     }
 }
 
@@ -116,15 +135,17 @@ mod tests {
         let section = GrafanaSection::default();
         assert_eq!(section.admin_user, "admin");
         assert_eq!(section.admin_password, "admin");
-        assert!(section.tls.is_none());
+        assert!(section.domain.is_none());
+        assert!(section.use_tls_proxy.is_none());
     }
 
     #[test]
     fn it_should_convert_to_grafana_config() {
         let section = GrafanaSection {
             admin_user: "custom_admin".to_string(),
             admin_password: "secure_password".to_string(),
-            tls: None,
+            domain: None,
+            use_tls_proxy: None,
         };
 
         let result = section.to_grafana_config();
@@ -150,7 +171,8 @@ mod tests {
         let section = GrafanaSection {
             admin_user: "admin".to_string(),
             admin_password: "secret_password".to_string(),
-            tls: None,
+            domain: None,
+            use_tls_proxy: None,
         };
 
         let config = section.to_grafana_config().unwrap();
@@ -160,4 +182,76 @@ mod tests {
         assert!(debug_output.contains("[REDACTED]"));
         assert!(!debug_output.contains("secret_password"));
     }
+
+    #[test]
+    fn it_should_convert_with_domain_and_tls_proxy() {
+        let section = GrafanaSection {
+            admin_user: "admin".to_string(),
+            admin_password: "password".to_string(),
+            domain: Some("grafana.example.com".to_string()),
+            use_tls_proxy: Some(true),
+        };
+
+        let result = section.to_grafana_config();
+        assert!(result.is_ok());
+
+        let config = result.unwrap();
+        assert_eq!(config.tls_domain(), Some("grafana.example.com"));
+        assert!(config.use_tls_proxy());
+    }
+
+    #[test]
+    fn it_should_convert_with_domain_without_tls_proxy() {
+        let section = GrafanaSection {
+            admin_user: "admin".to_string(),
+            admin_password: "password".to_string(),
+            domain: Some("grafana.example.com".to_string()),
+            use_tls_proxy: Some(false),
+        };
+
+        let result = section.to_grafana_config();
+        assert!(result.is_ok());
+
+        let config = result.unwrap();
+        assert_eq!(
+            config.domain(),
+            Some(&DomainName::new("grafana.example.com").unwrap())
+        );
+        assert!(!config.use_tls_proxy());
+    }
+
+    #[test]
+    fn it_should_return_error_when_tls_proxy_enabled_without_domain() {
+        let section = GrafanaSection {
+            admin_user: "admin".to_string(),
+            admin_password: "password".to_string(),
+            domain: None,
+            use_tls_proxy: Some(true),
+        };
+
+        let result = section.to_grafana_config();
+        assert!(result.is_err());
+
+        let err = result.unwrap_err();
+        assert!(matches!(
+            err,
+            CreateConfigError::TlsProxyWithoutDomain { .. }
+        ));
+    }
+
+    #[test]
+    fn it_should_return_error_for_invalid_domain() {
+        let section = GrafanaSection {
+            admin_user: "admin".to_string(),
+            admin_password: "password".to_string(),
+            domain: Some(String::new()),
+            use_tls_proxy: Some(true),
+        };
+
+        let result = section.to_grafana_config();
+        assert!(result.is_err());
+
+        let err = result.unwrap_err();
+        assert!(matches!(err, CreateConfigError::InvalidDomain { .. }));
+    }
 }

src/application/command_handlers/show/info/grafana.rs

@@ -91,15 +91,11 @@ mod tests {
     #[test]
     fn it_should_create_grafana_info_with_https_from_config() {
         use crate::domain::grafana::GrafanaConfig;
-        use crate::domain::tls::TlsConfig;
         use crate::shared::domain_name::DomainName;
 
         let domain = DomainName::new("grafana.tracker.local").unwrap();
-        let config = GrafanaConfig::with_tls(
-            "admin".to_string(),
-            "pass".to_string(),
-            TlsConfig::new(domain),
-        );
+        let config =
+            GrafanaConfig::new("admin".to_string(), "pass".to_string(), Some(domain), true);
         let ip = IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1));
 
         let info = GrafanaInfo::from_config(&config, ip);
@@ -111,7 +107,7 @@ mod tests {
 
     #[test]
     fn it_should_create_grafana_info_with_http_from_config_without_tls() {
-        let config = GrafanaConfig::new("admin".to_string(), "pass".to_string());
+        let config = GrafanaConfig::new("admin".to_string(), "pass".to_string(), None, false);
         let ip = IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1));
 
         let info = GrafanaInfo::from_config(&config, ip);