Closed gemagomez closed 5 years ago
Exposing Grafana via an ingress is straightforward. However, to add authentication, the credentials shouldn't be hard-coded to a particular value as everyone using the profile would have Grafana exposed using the same credentials.
We could generate the password during profile generation and output it. The Grafana Helm chart supports specifying a Kubernetes secret as credentials but it's not good practice to add secrets to Git. To avoid adding the secret to Git, the profile generation would have to generate the secret and profile application would need to apply the secret to Kubernetes but not commit it to Git. This logic is too specific to include in profile generation and application.
Implementation details aside, I'm not in favour of exposing Grafana or any other sensitive service without TLS and authentication.
There is not clear path forward without taking responsibility for the security of the user's cluster. We shall document how to proceed instead of code it for users.
Let's make this task a documentation one.
Add authentication to grafana and expose it via ALB ingress.
This is a simple step and it needs to be documented that it is for demonstration purposes only, the production setup will require TLS and a properly secured endpoint.