diff --git a/grafana_monitoring/roles/grafana/templates/cloud_datasource.yaml.j2 b/grafana_monitoring/roles/grafana/templates/cloud_datasource.yaml.j2
index 7fd0e4ab..a0dbb9c3 100644
--- a/grafana_monitoring/roles/grafana/templates/cloud_datasource.yaml.j2
+++ b/grafana_monitoring/roles/grafana/templates/cloud_datasource.yaml.j2
@@ -1,6 +1,35 @@
 apiVersion: 1
 prune: true
 datasources:
+# These are our datasources safe for public query
+ - name: RemoteWritePrometheus
+ type: prometheus
+ uid: "remote_write_prometheus"
+ access: proxy
+ url: http://130.246.83.213:9090
+ isDefault: false
+ basicAuth: true
+ basicAuthUser: {{ remote_write_prometheus_username }}
+ secureJsonData:
+ basicAuthPassword: {{ remote_write_prometheus_password }}
+
+ - name: DevCloudInfluxDB
+ type: influxdb
+ access: proxy
+ uid: "dev_openstack_grafana"
+ user: {{ dev_influx_username }}
+ url: "http://172.16.110.169:8086"
+ jsonData:
+ dbName : "cloud"
+ httpMode: POST
+ timeInterval: "60"
+ maxSeries: 200
+ secureJsonData:
+ password: {{ dev_influx_password }}
+
+# These datasources should not be queried by the public.
+# That's why they are only on the dev instance
+{% if inventory_hostname.startswith("dev") %}
 - name: CloudInfluxDB
 type: influxdb
 access: proxy
@@ -58,20 +87,6 @@ datasources:
 secureJsonData:
 basicAuthPassword: {{ meerkat_db_password }}
- - name: DevCloudInfluxDB
- type: influxdb
- access: proxy
- uid: "dev_openstack_grafana"
- user: {{ dev_influx_username }}
- url: "http://172.16.110.169:8086"
- jsonData:
- dbName : "cloud"
- httpMode: POST
- timeInterval: "60"
- maxSeries: 200
- secureJsonData:
- password: {{ dev_influx_password }}
-
 - name: DevChatOps
 type: prometheus
 uid: "dev-chatops"
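Review bot: In the first hunk of cloud_datasource.yaml.j2, the two datasources placed above the `{% if inventory_hostname.startswith("dev") %}` guard are provisioned on every host with `access: proxy`, so any signed-in user, Viewers included, can send their own queries to them through Grafana with the stored credentials, not only the queries saved in dashboards. "Safe for public query" therefore holds only if `remote_write_prometheus_username` and `dev_influx_username` are read-only accounts limited to the data meant to be shared; I would record that in the comment, e.g. `# Public datasources: backend accounts must be read-only, Viewers can run their own queries through the proxy`. Both `url` values are plain `http://`, so the basic-auth credentials cross the network unencrypted on each proxied request. The templated values are also unquoted; `basicAuthPassword: {{ remote_write_prometheus_password | to_json }}` (and likewise for the other three) keeps a secret containing ` #` or `: ` from being truncated or misparsed when the rendered YAML is loaded.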
@@ -102,13 +117,4 @@ datasources:
 isDefault: false
 basicAuth: false
- - name: RemoteWritePrometheus
- type: prometheus
- uid: "remote_write_prometheus"
- access: proxy
- url: http://130.246.83.213:9090
- isDefault: false
- basicAuth: true
- basicAuthUser: {{ remote_write_prometheus_username }}
- secureJsonData:
- basicAuthPassword: {{ remote_write_prometheus_password }}
+{% endif %}
diff --git a/grafana_monitoring/roles/grafana/templates/grafana.ini.j2 b/grafana_monitoring/roles/grafana/templates/grafana.ini.j2
index 800d9989..3593a1b7 100644
--- a/grafana_monitoring/roles/grafana/templates/grafana.ini.j2
+++ b/grafana_monitoring/roles/grafana/templates/grafana.ini.j2
@@ -17,15 +17,10 @@ auth_url = https://iris-iam.stfc.ac.uk/authorize
 token_url = https://iris-iam.stfc.ac.uk/token
 api_url = https://iris-iam.stfc.ac.uk/userinfo
 groups_attribute_path = groups[*]
-allowed_groups = "stfc-cloud/team,stfc-cloud/admins"
+allowed_groups = "stfc-cloud/team,stfc-cloud/admins,stfc-cloud/users"
-# Only apply role changes on dev so we can edit datasources and dashboards before pushing changes to prod.
-{% if inventory_hostname.startswith("dev") %}
 role_attribute_path=contains(groups[*], 'stfc-cloud/admins') && 'Admin' || contains(groups[*], 'stfc-cloud/team') && 'Editor' || 'Viewer'
-{% else %}
-# Keep role for all users as Viewer on production.
-role_attribute_path='Viewer'
-{% endif %}
+
 [log]
 # Raise the log level as the default is "info"
diff --git a/grafana_monitoring/roles/grafana/templates/provision_dashboards.sh.j2 b/grafana_monitoring/roles/grafana/templates/provision_dashboards.sh.j2
index cebd8197..f9abc1af 100644
--- a/grafana_monitoring/roles/grafana/templates/provision_dashboards.sh.j2
+++ b/grafana_monitoring/roles/grafana/templates/provision_dashboards.sh.j2
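Review bot: In grafana.ini.j2, removing the `{% else %}` branch means production now maps `stfc-cloud/admins` to Admin and `stfc-cloud/team` to Editor where it previously pinned every user to Viewer, and this lands in the same change that opens login to `stfc-cloud/users`. The deleted comment was the only record of why production was Viewer-only, and nothing replaces it; if the new behaviour is intended, a line such as `# Roles are derived from IAM groups on every host; other members of allowed_groups fall back to Viewer` above `role_attribute_path` would make that explicit. If production is meant to stay read-only while the wider group is admitted, keep the conditional and change only `allowed_groups`.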
@@ -15,3 +15,9 @@ BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)
 if [[ "$BRANCH_NAME" == "{{ grafana_dashboards_branch }}" ]]; then
 git fetch && git reset --h origin/{{ grafana_dashboards_branch }}
 fi
+
+{% if inventory_hostname.startswith("grafana") %}
+for DIR in $(ls -l | grep -v cloud_dashboard.yaml | grep -v Slots-Available | grep -v total | awk -F' ' '{ print $NF }'); do rm -r $DIR; done
+mv Slots-Available/openstack_slots_available.json .
+rm -r Slots-Available
+{% endif %}
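Review bot: The cleanup loop added to provision_dashboards.sh.j2 takes names from `ls -l` output and passes them unquoted to `rm -r`, so a name containing whitespace is split into several arguments, a symlink contributes its target (the last field) rather than its own name, and the `grep -v` filters match anywhere on the listing line, including any entry whose name merely contains `total`. Iterating over a glob with quoted expansion and exact-name exclusions removes all three problems; note that it then excludes only the two exact names, which I assume is the intent. The working directory is set outside the hunk, so it is worth confirming the script stops if that `cd` fails, otherwise this `rm -r` runs wherever the script was started.

```shell
{% if inventory_hostname.startswith("grafana") %}
for entry in *; do
  # Skip the literal "*" left behind when the directory is empty.
  [[ -e "$entry" ]] || continue
  case "$entry" in
    cloud_dashboard.yaml|Slots-Available) continue ;;
  esac
  rm -r -- "$entry"
done
# … unchanged: mv of openstack_slots_available.json and removal of Slots-Available …
```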