Grafana Agent

  • Canonical Observability
Channel Revision Published Runs on
latest/stable 260 10 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/stable 225 03 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/stable 223 03 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/stable 226 03 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/stable 224 03 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/candidate 319 10 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/candidate 224 01 Aug 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/candidate 226 01 Aug 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/candidate 225 01 Aug 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/candidate 223 01 Aug 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/beta 335 03 Dec 2024
Ubuntu 22.04 Ubuntu 20.04
latest/beta 332 03 Dec 2024
Ubuntu 22.04 Ubuntu 20.04
latest/beta 334 03 Dec 2024
Ubuntu 22.04 Ubuntu 20.04
latest/beta 333 03 Dec 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 364 17 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/edge 363 17 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/edge 362 17 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/edge 361 17 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
latest/edge 356 10 Dec 2024
Ubuntu 24.04 Ubuntu 22.04 Ubuntu 20.04
juju deploy grafana-agent --channel edge
Show information

Platform:

Ubuntu
24.04 22.04 20.04

This document provides cryptographic documentation for the COS-Lite bundle. Its purpose is to track the exposure of charm code to cryptographic attack vectors.

What is not included in this document and regarded as out of scope:

  • Workload code (refer to the workloads’ cryptographic documentation)
  • Data at rest encryption

The COS-Lite charms have a very similar exposure. Unless specified otherwise in the charm’s own documentation, this cryptographic documentation applies to all.

Usage of cryptographic technology

COS-Lite charm code uses cryptographic technology for mainly two purposes:

  • enabling TLS communication between their workloads
  • securing admin login to their workloads

Cryptographic use internal to cos-lite

COS-Lite charm code can use cryptographic technology to generate a private key to sign their TLS certificate requests. They do so via the tls-certificates-interface which in turn uses the cryptography python library and Juju secrets to exchange data with the CA.

Also, charms that deal with large configuration files use sha256 to efficiently detect diffs in them.

Cryptographic use in how cos-lite communicates externally

COS-Lite charm users use passwords generated by charm code that depends on python’s secrets module. No configuration is exposed to the user. These passwords secure admin login to the user-facing server provided by the workload. For example, in grafana-k8s.

Additionally, charms supporting BasicAuth such as traefik accept a <username>:<hashed-password> config option by which the user can configure basic authentication. The supported hashing algorithm are MD5, SHA1, or BCrypt, as per official documentation. Also following the official guidelines, we recommend cloud admins to use htpasswd for hashing the password and formatting the configuration string.

List of packages and cryptographic tech used

  • to generate private keys for setting up TLS communication: the rsa.generate_private_key function from the rsa package. They use the following parameters (hardcoded, not user-configurable):
    • key_size = 2048
    • public_exponent = 65537
  • to generate admin passwords for user admin login: the secrets module from the python standard library. See for example: usage in grafana.

Help improve this document in the forum (guidelines). Last updated 3 months ago.