[kube-prometheus-stack] Fix insecure default password in grafana #5679
Conversation
Signed-off-by: alberto ventafridda <[email protected]>
Signed-off-by: alberto ventafridda <[email protected]>
Thanks! Could you please bump the major version instead and add a note in the UPGRADE.md?
Signed-off-by: alberto ventafridda <[email protected]>
Signed-off-by: alberto ventafridda <[email protected]>
Signed-off-by: alberto ventafridda <[email protected]>
Right, thanks! I documented the changes and included a link to the Grafana documentation on how to retrieve the password.
Signed-off-by: alberto ventafridda <[email protected]>
Signed-off-by: alberto ventafridda <[email protected]>
I think a note should be added in the install instructions warning users of gitops tooling that if they don't set a default password manually their gitops tooling is likely to overwrite the secret on next sync, at which point the secret in the cluster will no longer work and they will have to follow a recovery procedure.

Latest versions of ArgoCD should support the helm lookup function.
@jkroepke I can only find this enhancement proposal which hasn't been approved: argoproj/argo-cd#21745 Can you link me the relevant page that explains helm lookup working in argocd? That would make my day.
Okay, FluxCD supports that and I thought ArgoCD does it as well. My issue. I agree with a warning in UPGRADE.md. Would it be possible to mimic this as well?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
Signed-off-by: Jan-Otto Kröpke <[email protected]>
Added instructions to retrieve Grafana admin password. Signed-off-by: Jan-Otto Kröpke <[email protected]>
Signed-off-by: Jan-Otto Kröpke <[email protected]>
Signed-off-by: Jan-Otto Kröpke <[email protected]>
Signed-off-by: Jan-Otto Kröpke <[email protected]>
Signed-off-by: Jan-Otto Kröpke <[email protected]>
Signed-off-by: Jan-Otto Kröpke <[email protected]>
@QuentinBisson @GMartinez-Sisti Could you please review it? Tested locally.
Apart from the small typo it looks good to me
@jkroepke Can you fix the typo and we can get this merged?
Signed-off-by: alberto ventafridda <[email protected]>
Hi everyone, nice to see that this is moving ahead.
LGTM
@robalb As I know, the
Not sure about this, both ArgoCD and Flux are able to handle this.
Signed-off-by: Quentin Bisson <[email protected]>
@jkroepke Are we fine merging this? We can always update the README if we see a failing case but as you said it should be fine :)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kube-prometheus-stack](https://github.com/prometheus-operator/kube-prometheus) ([source](https://github.com/prometheus-community/helm-charts)) | major | `78.5.0` -> `79.0.0` |

### Release Notes

prometheus-community/helm-charts (kube-prometheus-stack)

### [`v79.0.0`](https://github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-79.0.0)

[Compare Source](prometheus-community/helm-charts@kube-prometheus-stack-78.5.0...kube-prometheus-stack-79.0.0)

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

#### What's Changed

- [kube-prometheus-stack] Fix insecure default password in grafana by [@robalb](https://github.com/robalb) in [#5679](prometheus-community/helm-charts#5679)

#### New Contributors

- [@robalb](https://github.com/robalb) made their first contribution in [#5679](prometheus-community/helm-charts#5679)

**Full Changelog**: <prometheus-community/helm-charts@prometheus-conntrack-stats-exporter-0.5.28...kube-prometheus-stack-79.0.0>

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
…metheus-community#5679) Co-authored-by: Jan-Otto Kröpke <[email protected]> Co-authored-by: Quentin Bisson <[email protected]> Signed-off-by: DIERCKXK <[email protected]>
What this PR does / why we need it
As of now, the kube-prometheus-stack chart defines a default admin password for Grafana: "prom-operator".
By doing so, it's overriding the more secure default behavior of the upstream Grafana chart, which simply generates a random password when none is set.
It's common practice for both bad actors and security scanners to attempt known default passwords on accidentally exposed instances. For example, see this nuclei template, which demonstrates that this default password is well known in security circles.
This PR removes the default password, aligning the default behaviour with upstream Grafana.
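The GitOps concern raised in the thread (a re-sync regenerating the random password and locking the operator out) and the upstream behaviour the description refers to (generate a password instead of shipping a known default) can both be shown in one Secret template that uses Helm's `lookup`. This is an added example written for this page, not the Grafana chart's or kube-prometheus-stack's own template; the secret name `<release>-grafana`, the `adminUser`/`adminPassword` values keys and the `admin-user`/`admin-password` data keys are assumptions.

```yaml
# Added example: a Secret template that never ships a known default password.
# Assumed names: release-scoped Secret "<release>-grafana", values keys
# adminUser / adminPassword, data keys admin-user / admin-password.
{{- $secretName := printf "%s-grafana" .Release.Name }}
{{- /* lookup queries the live cluster; it returns an empty map when the Secret
       does not exist yet or when rendering offline (helm template, dry-run). */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  admin-user: {{ .Values.adminUser | default "admin" | b64enc | quote }}
  {{- if .Values.adminPassword }}
  # 1. Operator supplied a value (ideally injected from a secret store, not a
  #    literal committed to git). Before this PR the chart put "prom-operator" here.
  admin-password: {{ .Values.adminPassword | b64enc | quote }}
  {{- else if and $existing $existing.data (index $existing.data "admin-password") }}
  # 2. A password already exists in the cluster: re-use it (it is already base64)
  #    so an upgrade or GitOps re-sync does not silently rotate it.
  admin-password: {{ index $existing.data "admin-password" | quote }}
  {{- else }}
  # 3. Fresh install with no value and nothing in the cluster: generate one
  #    instead of falling back to a default that scanners already know.
  admin-password: {{ randAlphaNum 40 | b64enc | quote }}
  {{- end }}
```

`lookup` only returns data when Helm talks to a live API server (install/upgrade); a tool that renders with `helm template` gets an empty map every time and takes branch 3 on each sync, which is exactly the overwrite case the thread describes. Setting an explicit value (branch 1), sourced from a secret manager rather than a committed literal, is the option that works under every tool.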