Grafana

  • By Canonical Observability
Channel Revision Published Runs on
latest/stable 106 10 Apr 2024
Ubuntu 20.04
latest/candidate 107 10 Apr 2024
Ubuntu 20.04
latest/beta 110 10 Apr 2024
Ubuntu 20.04
latest/edge 111 12 Apr 2024
Ubuntu 20.04
1.0/stable 93 12 Dec 2023
Ubuntu 20.04
1.0/candidate 93 22 Nov 2023
Ubuntu 20.04
1.0/beta 93 22 Nov 2023
Ubuntu 20.04
1.0/edge 93 22 Nov 2023
Ubuntu 20.04
juju deploy grafana-k8s
Show information

Platform:

Enable TLS

There are two alternative approaches to enabling TLS: TLS termination and end-to-end TLS.

For testing purposes, you could use the self-signed-certificates operator as a stand-in for a local/external ca.

TLS termination

You can deploy grafana together with traefik, and enable TLS in traefik rather than in grafana. This way, when grafana is reached via the ingress URL, communication is TLS-encrypted to traefik, and the communication between traefik and grafana is plain HTTP. Moreover, in-cluster communication with related charms would also be unencrypted.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
end

Deploy the following bundle:

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - ca:certificates
  - traefik:certificates
- - grafana:ingress
  - traefik:traefik-route
- - traefik:grafana-dashboard
  - grafana:grafana-dashboard

End-to-end TLS

By relating grafana to a certificates provider, this operator ensures all communications are behind TLS: both in-cluster and via ingress.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
  grafana ---|tls-certificates| local-ca
  traefik ---|send-ca-cert| local-ca
end

Deploy the following bundle:

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  external-ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - traefik:traefik-route
  - grafana:ingress
- - ca:send-ca-cert
  - traefik:receive-ca-cert
- - ca:certificates
  - grafana:certificates
- - traefik:certificates
  - external-ca:certificates

Help improve this document in the forum (guidelines). Last updated 7 months ago.