Generate random password for Grafana (#2289)

nebari-dev · Mar 13, 2024 · ff38679 · ff38679
2 parents a60d008 + a034756
commit ff38679
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/...nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/...nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf
@@ -1,3 +1,8 @@
+resource "random_password" "grafana_admin_password" {
+  length  = 32
+  special = false
+}
+
 resource "helm_release" "prometheus-grafana" {
   name       = "nebari"
   namespace  = var.namespace
@@ -176,6 +181,9 @@ resource "helm_release" "prometheus-grafana" {
           "${var.node-group.key}" = var.node-group.value
         }
 
+        # Avoid using the default password, as that's a security risk
+        adminPassword : random_password.grafana_admin_password.result
+
         sidecar = {
           dashboards = {
             annotations = {

diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py
@@ -0,0 +1,18 @@
+import base64
+
+import pytest
+import requests
+
+from tests.tests_deployment import constants
+
+
+@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
+def test_grafana_api_not_accessible_with_default_credentials():
+    """Making sure that Grafana's API is not accessible on default user/pass"""
+    user_pass_b64_encoded = base64.b64encode(b"admin:prom-operator").decode()
+    response = requests.get(
+        f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources",
+        headers={"Authorization": f"Basic {user_pass_b64_encoded}"},
+        verify=False,
+    )
+    assert response.status_code == 401