dep: upgrade grafana to 10.1.4

README.md

@@ -27,7 +27,13 @@ The following providers are used by this module:
 
 ## Modules
 
-No modules.
+The following Modules are called:
+
+### <a name="module_grafana_persistance"></a> [grafana\_persistance](#module\_grafana\_persistance)
+
+Source: git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume
+
+Version:
 
 ## Resources
 
@@ -36,8 +42,6 @@ The following resources are used by this module:
 - [aws_cognito_user_pool_client.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) (resource)
 - [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) (resource)
 - [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) (resource)
-- [kubernetes_persistent_volume.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume) (resource)
-- [kubernetes_persistent_volume_claim.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume_claim) (resource)
 - [aws_cognito_user_pools.thomasklein_infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pools) (data source)
 - [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) (data source)
 

helm.tf

@@ -4,22 +4,29 @@ resource "helm_release" "this" {
 
   repository = "https://grafana.github.io/helm-charts"
   chart      = "grafana"
-  version    = "6.44.8"
+  version    = "10.1.4"
 
   values = [
+    jsonencode({
+      initChownData = {
+        enabled = false
+      }
+    }),
     jsonencode({
       ingress = {
         enabled          = true
         hosts            = [local.ingress_domain]
+        ingressClassName = "traefik"
         annotations = {
-          "kubernetes.io/ingress.class"                             = "traefik"
+          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
-          "traefik.ingress.kubernetes.io/router.tls"                = "true"
-          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
-          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
-          "traefik.ingress.kubernetes.io/router.middlewares"        = "redirect-metrics@file" # hide /metrics from the internet
         }
         labels = {}
+        tls = [
+          {
+            hosts      = [local.ingress_domain]
+            secretName = "grafana-thomasklein-me-tls"
+          }
+        ]
       }
     }),
 
@@ -27,7 +34,7 @@ resource "helm_release" "this" {
       persistence = {
         enabled       = "true"
         type          = "pvc"
-        existingClaim = kubernetes_persistent_volume_claim.this.metadata.0.name
+        existingClaim = module.grafana_persistance.pvc_name
       }
     }),
 
@@ -41,6 +48,12 @@ resource "helm_release" "this" {
           org_role     = "Viewer"
           hide_version = true
         }
+        "smtp" = {
+          enabled   = true
+          host      = "smtp.lawndale.:25"
+          from      = "noreply@grafana.thomasklein.me"
+          from_name = "Grafana"
+        }
       }
     }),
 
@@ -53,6 +66,10 @@ resource "helm_release" "this" {
         // below, the `?` is necessary to fix a bad assumtion on grafana's side
         GF_AUTH_GENERIC_OAUTH_API_URL = "${local.cognito_userinfo_url}?"
         GF_AUTH_GENERIC_OAUTH_SCOPES  = "email openid profile"
+        // https://github.com/grafana/grafana/issues/70203#issuecomment-1603895013
+        // https://github.com/advisories/GHSA-mpv3-g8m3-3fjc
+        // https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#enable-email-lookup
+        GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP = "true"
       }
     })
   ]

volume.tf

@@ -1,36 +1,8 @@
-locals {
+module "grafana_persistance" {
+  source = "git@git.thomasklein.me:thomasklein/terraform-modules//9p-persistent-volume"
+
+  namespace               = kubernetes_namespace.this.metadata.0.name
+  name                    = "grafana"
   volume_storage_capacity = "1Gi"
 }
 
-resource "kubernetes_persistent_volume" "this" {
-  metadata {
-    name = "pv-p9hostpath-grafana"
-  }
-  spec {
-    capacity = {
-      storage = local.volume_storage_capacity
-    }
-    access_modes = ["ReadWriteMany"]
-    persistent_volume_source {
-      host_path {
-        path = "/mnt/datastore/grafana"
-      }
-    }
-  }
-}
-
-resource "kubernetes_persistent_volume_claim" "this" {
-  metadata {
-    name      = "grafana"
-    namespace = kubernetes_namespace.this.metadata.0.name
-  }
-  spec {
-    access_modes = ["ReadWriteMany"]
-    resources {
-      requests = {
-        storage = local.volume_storage_capacity
-      }
-    }
-    volume_name = kubernetes_persistent_volume.this.metadata.0.name
-  }
-}