Alexandros Kosiaris has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/404320 )
Change subject: grafana: Allow to modify the config in hiera
......................................................................
grafana: Allow to modify the config in hiera
Allow overriding the base configuration from hiera
Bug: T170150
Change-Id: Ieea0796420412e5e95e0b1ad96ee5115dbffc5f4
---
M modules/profile/manifests/grafana.pp
1 file changed, 76 insertions(+), 72 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/20/404320/1
diff --git a/modules/profile/manifests/grafana.pp
b/modules/profile/manifests/grafana.pp
index 6374a00..cf7a462 100644
--- a/modules/profile/manifests/grafana.pp
+++ b/modules/profile/manifests/grafana.pp
@@ -9,6 +9,7 @@
$admin_password=hiera('profile::grafana::admin_password'),
$ldap_editor_description=hiera('profile::grafana::ldap_editor_description'),
$ldap_editor_groups=hiera('profile::grafana::ldap_edit_groups'),
+ $config=hiera('profile::grafana::config', {}),
) {
include ::apache::mod::authnz_ldap
include ::apache::mod::headers
@@ -22,80 +23,83 @@
include ::base::firewall
- class { '::grafana':
- config => {
- # Configuration settings for /etc/grafana/grafana.ini.
- # See <http://docs.grafana.org/installation/configuration/>.
+ $base_config = {
+ # Configuration settings for /etc/grafana/grafana.ini.
+ # See <http://docs.grafana.org/installation/configuration/>.
- # Only listen on loopback, because we'll have a local Apache
- # instance acting as a reverse-proxy.
- 'server' => {
- http_addr => '127.0.0.1',
- domain => $readonly_domain,
- protocol => 'http',
- enable_gzip => true,
- },
-
- # Grafana needs a database to store users and dashboards.
- # sqlite3 is the default, and it's perfectly adequate.
- 'database' => {
- 'type' => 'sqlite3',
- 'path' => 'grafana.db',
- },
-
- 'security' => {
- secret_key => $secret_key,
- admin_password => $admin_password,
- disable_gravatar => true,
- },
-
- # Disabled auth.basic, because it conflicts with auth.proxy.
- # See <https://github.com/grafana/grafana/issues/2357>
- 'auth.basic' => {
- enabled => false,
- },
-
- # Automatically create an account for users and authenticate
- # them based on the X-WEBAUTH-USER. We use mod_rewrite to
- # rewrite the REMOTE_USER env var set by mod_authnz_ldap into
- # X-WEBAUTH-USER.
- 'auth.proxy' => {
- enabled => true,
- header_name => 'X-WEBAUTH-USER',
- auto_sign_up => true,
- },
-
- # Since we require users to be members of a trusted LDAP group
- # membership to log in to Grafana, we can assume all users are
- # trusted, and can assign to them the 'Editor' role (rather
- # than 'Viewer', the default).
- 'users' => {
- auto_assign_org_role => 'Editor',
- allow_org_create => false,
- allow_sign_up => false,
- },
-
- # Because we enable `auth.proxy` (see above), if session data
- # is lost, Grafana will simply create a new session on the next
- # request, so it's OK for session storage to be volatile.
- 'session' => {
- provider => 'memory',
- cookie_secure => true,
- },
-
- # We don't like it when software phones home.
- # Don't send anonymous usage stats to stats.grafana.org,
- # and don't check for updates automatically.
- 'analytics' => {
- reporting_enabled => false,
- check_for_updates => false,
- },
-
- # Also, don't allow publishing to raintank.io.
- 'snapshots' => {
- external_enabled => false,
- },
+ # Only listen on loopback, because we'll have a local Apache
+ # instance acting as a reverse-proxy.
+ 'server' => {
+ http_addr => '127.0.0.1',
+ domain => $readonly_domain,
+ protocol => 'http',
+ enable_gzip => true,
},
+
+ # Grafana needs a database to store users and dashboards.
+ # sqlite3 is the default, and it's perfectly adequate.
+ 'database' => {
+ 'type' => 'sqlite3',
+ 'path' => 'grafana.db',
+ },
+
+ 'security' => {
+ secret_key => $secret_key,
+ admin_password => $admin_password,
+ disable_gravatar => true,
+ },
+
+ # Disabled auth.basic, because it conflicts with auth.proxy.
+ # See <https://github.com/grafana/grafana/issues/2357>
+ 'auth.basic' => {
+ enabled => false,
+ },
+
+ # Automatically create an account for users and authenticate
+ # them based on the X-WEBAUTH-USER. We use mod_rewrite to
+ # rewrite the REMOTE_USER env var set by mod_authnz_ldap into
+ # X-WEBAUTH-USER.
+ 'auth.proxy' => {
+ enabled => true,
+ header_name => 'X-WEBAUTH-USER',
+ auto_sign_up => true,
+ },
+
+ # Since we require users to be members of a trusted LDAP group
+ # membership to log in to Grafana, we can assume all users are
+ # trusted, and can assign to them the 'Editor' role (rather
+ # than 'Viewer', the default).
+ 'users' => {
+ auto_assign_org_role => 'Editor',
+ allow_org_create => false,
+ allow_sign_up => false,
+ },
+
+ # Because we enable `auth.proxy` (see above), if session data
+ # is lost, Grafana will simply create a new session on the next
+ # request, so it's OK for session storage to be volatile.
+ 'session' => {
+ provider => 'memory',
+ cookie_secure => true,
+ },
+
+ # We don't like it when software phones home.
+ # Don't send anonymous usage stats to stats.grafana.org,
+ # and don't check for updates automatically.
+ 'analytics' => {
+ reporting_enabled => false,
+ check_for_updates => false,
+ },
+
+ # Also, don't allow publishing to raintank.io.
+ 'snapshots' => {
+ external_enabled => false,
+ },
+ }
+ $end_config = deep_merge($base_config, $config)
+
+ class { '::grafana':
+ config => $end_config,
}
ferm::service { 'grafana_http':
--
To view, visit https://gerrit.wikimedia.org/r/404320
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ieea0796420412e5e95e0b1ad96ee5115dbffc5f4
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
