
Commit a7128f3

Update Grafana role with TLS/HTTPS support (#297)
* Update Grafana role with TLS/HTTPS
* Update to latest Exporter dashboard

Signed-off-by: rsuplina <[email protected]>
1 parent f0e90de commit a7128f3

7 files changed

+7942
-15487
lines changed

roles/grafana/README.md

Lines changed: 53 additions & 13 deletions
@@ -1,12 +1,27 @@
1-
# grafana_server
21

3-
Set up Grafana server, connected to a Prometheus server.
2+
# grafana
43

5-
The role will:
6-
- Install the Grafana server package(s).
7-
- Configure Grafana data sources, primarily for Prometheus, based on the provided `prometheus_url`.
8-
- Configure Grafana dashboard providers.
9-
- Provision a default dashboard.
4+
Automates the installation and configuration of a Grafana server, with Prometheus integration for monitoring and observability.
5+
6+
## Features
7+
8+
- Installs Grafana using OS-specific package management for major Linux distributions (Ubuntu, CentOS, RedHat, Rocky).
9+
- Configures core Grafana server settings, including protocol (HTTP/HTTPS), port, domain, and root URL.
10+
- Optionally enables HTTPS/TLS for secure access, with configurable certificate and key paths.
11+
- Allows setting a custom admin password for the Grafana web interface.
12+
- Provisions Prometheus as a data source, with the ability to specify a custom Prometheus endpoint.
13+
- Configures dashboard providers and ensures dashboards are available at startup.
14+
- Supports custom locations for data source and dashboard configuration files.
15+
- Ensures idempotent and secure configuration changes, with sensitive values (like admin password) protected in logs.
16+
- Designed for flexibility and easy extension to other monitoring backends or dashboard sources.
17+
18+
## How it works
19+
20+
1. Installs Grafana using the appropriate package manager for the detected OS.
21+
2. Configures server and security settings in `grafana.ini`, including TLS and admin credentials if specified.
22+
3. Provisions Prometheus as a data source and sets up dashboard providers using Jinja2 templates.
23+
4. Ensures the dashboards directory exists and copies a default dashboard for immediate use.
24+
5. Restarts or reloads the Grafana service as needed to apply configuration changes.
1025

1126
## Requirements
1227

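Review bot: New line 15 of the README claims that sensitive values such as the admin password are protected in logs, but nothing in the two files shown for this commit backs that up; the password only appears as `grafana_security_admin_password: admin` in the defaults and as a literal in the TLS example. Please point to the task that writes the password and confirm it carries `no_log: true`, or drop the claim from the feature list. The same goes for "idempotent and secure configuration changes" on that line: say what is meant (for example file modes on `grafana.ini`) or remove it.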
@@ -20,10 +35,24 @@ None.
2035

2136
| Parameter | Type | Default Value | Description |
2237
|----------------------------------|------|-------------------------------------------------|---------------------------------------------------------------------------|
23-
| `grafana_datasource_directory` | `str`| `/etc/grafana/provisioning/datasources/automatic.yml`| Location of the Grafana data sources configuration file. |
24-
| `grafana_providers_configuration`| `str`| `/etc/grafana/provisioning/dashboards/providers.yml` | Location of the Grafana dashboard provider configurations file. |
25-
| `grafana_dashboard_directory` | `str`| `/var/lib/grafana/dashboards` | Location of the Grafana dashboard configurations directory. |
26-
| `prometheus_url` | `str`| `localhost:9090` | URL (host:port) to the Prometheus server that Grafana will connect to. |
38+
| `grafana_datasource_directory` | `str` | `/etc/grafana/provisioning/datasources/automatic.yml` | Location of the Grafana data sources configuration file. |
39+
| `grafana_providers_configuration`| `str` | `/etc/grafana/provisioning/dashboards/providers.yml` | Location of the Grafana dashboard provider configurations file. |
40+
| `grafana_dashboard_directory` | `str` | `/var/lib/grafana/dashboards` | Location of the Grafana dashboard configurations directory. |
41+
| `prometheus_url` | `str` | `http://localhost:9090` | URL (host:port) to the Prometheus server that Grafana will connect to. |
42+
| `prometheus_hostname` | `str` | `localhost` | Hostname of the Prometheus server for TLS server name verification. |
43+
| `grafana_tls_enabled` | `bool`| `false` | Enable or disable TLS/SSL for Grafana (HTTPS support). |
44+
| `grafana_tls_cert_path` | `str` | `/etc/pki/tls/certs/grafana.crt` | Path to the TLS certificate file for Grafana. |
45+
| `grafana_tls_key_path` | `str` | `/etc/pki/tls/private/grafana.key` | Path to the TLS private key file for Grafana. |
46+
| `grafana_domain` | `str` | `localhost` | Domain name for the Grafana server (used in server configuration). |
47+
| `grafana_root_url` | `str` | `http://localhost:3000` | The root URL for accessing Grafana (used in server configuration). |
48+
| `grafana_config_file` | `str` | `/etc/grafana/grafana.ini` | Path to the main Grafana configuration file. |
49+
| `grafana_http_port` | `int` | `3000` | HTTP port for Grafana to listen on. |
50+
| `grafana_security_admin_password`| `str` | `admin` | Admin password for Grafana web interface. |
51+
52+
53+
## TLS/HTTPS Support
54+
55+
If `grafana_tls_enabled` is set to `true`, the role will configure Grafana to use HTTPS. You must provide valid certificate and key files at the specified paths (`grafana_tls_cert_path` and `grafana_tls_key_path`).
2756

2857
## Examples
2958

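Review bot: The new "TLS/HTTPS Support" section (new lines 53-55) names only the certificate and key paths, yet the table above it documents `grafana_root_url` with default `http://localhost:3000` and `grafana_domain` with default `localhost`, so a user who sets `grafana_tls_enabled` to `true` and nothing else ends up with an http root URL on an HTTPS listener. State in this section that both must be overridden (the TLS example does so), and say what ownership and permissions the file at `grafana_tls_key_path` needs so that the Grafana service user can read it and other users cannot. Two smaller points in the table: the `prometheus_url` description still reads "URL (host:port)" although the default now carries a scheme, and `grafana_http_port` is described as the HTTP port although the TLS example uses the same port 3000 for HTTPS.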
@@ -33,8 +62,6 @@ Basic installation connecting to a local Prometheus server:
3362
- name: Set up Grafana server with local Prometheus
3463
ansible.builtin.import_role:
3564
name: grafana_server
36-
# No variables needed here as defaults will be used for local Prometheus
37-
3865
- name: Set up Grafana server for a specific Prometheus endpoint
3966
ansible.builtin.import_role:
4067
name: grafana_server
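Review bot: Both context examples in this hunk (new lines 64 and 67) still import `name: grafana_server`, while this commit renames the README heading to `# grafana` and the files live under `roles/grafana/`. Use the name the role is actually imported by consistently in the heading and in every example, including the TLS example added further down.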
@@ -49,6 +76,19 @@ Basic installation connecting to a local Prometheus server:
4976
grafana_providers_configuration: "/opt/grafana/configs/providers.yml"
5077
grafana_dashboard_directory: "/opt/grafana/dashboards_custom"
5178
prometheus_url: "http://monitoring-cluster.internal:9090"
79+
80+
- name: Set up Grafana server with TLS/HTTPS enabled
81+
ansible.builtin.import_role:
82+
name: grafana_server
83+
vars:
84+
grafana_tls_enabled: true
85+
grafana_security_admin_password: secretpassword
86+
grafana_domain: "grafana.1.1.1.1.pvc.labs.com"
87+
grafana_root_url: "https://grafana.1.1.1.1.pvc.labs.com:3000"
88+
grafana_tls_cert_path: "/etc/grafana/certs/grafana.crt"
89+
grafana_tls_key_path: "/etc/grafana/private/grafana.key"
90+
prometheus_url: "https://prometheus.example.com:9090"
91+
5292
```
5393

5494
## License
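Review bot: The TLS example sets `prometheus_url: "https://prometheus.example.com:9090"` (new line 90) but not `prometheus_hostname`, which the parameter table describes as the name used for TLS server name verification and which defaults to `localhost`; if the data source template uses it that way, the example verifies against the wrong name. Add `prometheus_hostname: "prometheus.example.com"` to the vars. Line 85 also puts the admin password in the play as the literal `secretpassword`; show it coming from an Ansible Vault encrypted variable instead, so that readers do not copy a plaintext secret into their playbooks.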

roles/grafana/defaults/main.yml

Lines changed: 10 additions & 1 deletion
@@ -13,9 +13,18 @@
1313
# limitations under the License.
1414

1515
---
16+
grafana_tls_enabled: false
17+
grafana_http_port: 3000
18+
grafana_security_admin_password: admin
19+
grafana_tls_cert_path: /etc/pki/tls/certs/grafana.crt
20+
grafana_tls_key_path: /etc/pki/tls/private/grafana.key
21+
grafana_domain: "localhost"
22+
grafana_root_url: "http://localhost:3000"
23+
grafana_config_file: /etc/grafana/grafana.ini
1624

1725
grafana_datasource_directory: /etc/grafana/provisioning/datasources/automatic.yml
1826
grafana_providers_configuration: /etc/grafana/provisioning/dashboards/providers.yml
1927
grafana_dashboard_directory: /var/lib/grafana/dashboards
2028

21-
prometheus_url: localhost:9090
29+
prometheus_url: http://localhost:9090
30+
prometheus_hostname: localhost
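Review bot: `grafana_security_admin_password: admin` on new line 18 makes the well-known `admin` credential the role default, so any play that does not override it, including one with `grafana_tls_enabled: true`, deploys a guessable admin login. Leave the variable undefined by default and fail early when it is unset or equal to `admin`, or at the very least document that it must be overridden. Separately, `grafana_root_url` on line 22 is a fixed `http://localhost:3000` rather than being built from the protocol, `grafana_domain` and `grafana_http_port`, so it goes stale as soon as any of those is changed.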
