Grafana

  • By Canonical Observability
Channel Revision Published Runs on
latest/stable 82 11 Sep 2023
Ubuntu 20.04
latest/candidate 92 11 Sep 2023
Ubuntu 20.04
latest/beta 92 11 Sep 2023
Ubuntu 20.04
latest/edge 92 08 Sep 2023
Ubuntu 20.04
1.0/stable 82 11 Sep 2023
Ubuntu 20.04
1.0/candidate 92 11 Sep 2023
Ubuntu 20.04
1.0/beta 92 11 Sep 2023
Ubuntu 20.04
1.0/edge 92 11 Sep 2023
Ubuntu 20.04
juju deploy grafana-k8s
Show information

Platform:

Enable TLS

There are two alternative approaches to enabling TLS: TLS termination and end-to-end TLS.

For testing purposes, you could use the self-signed-certificates operator as a stand-in for a local/external ca.

TLS termination

You can deploy grafana together with traefik, and enable TLS in traefik rather than in grafana. This way, when grafana is reached via the ingress URL, communication is TLS-encrypted to traefik, and the communication between traefik and grafana is plain HTTP. Moreover, in-cluster communication with related charms would also be unencrypted.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
end

Deploy the following bundle:

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - ca:certificates
  - traefik:certificates
- - grafana:ingress
  - traefik:traefik-route
- - traefik:grafana-dashboard
  - grafana:grafana-dashboard

End-to-end TLS

By relating grafana to a certificates provider, this operator ensures all communications are behind TLS: both in-cluster and via ingress.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
  grafana ---|tls-certificates| local-ca
  traefik ---|send-ca-cert| local-ca
end

Deploy the following bundle:

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  external-ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - traefik:traefik-route
  - grafana:ingress
- - ca:send-ca-cert
  - traefik:receive-ca-cert
- - ca:certificates
  - grafana:certificates
- - traefik:certificates
  - external-ca:certificates

Help us improve this documentation

Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.

Last updated 18 days ago. Help improve this document in the forum.