From 928865ca1d3d2c9a0129e5518e06fc47e637f0ae Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 14:26:14 +0000 Subject: [PATCH 01/13] generate random pass for grafana --- .../modules/kubernetes/services/monitoring/main.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf index 7ba919ec5..01fe42b23 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf @@ -1,3 +1,9 @@ +resource "random_password" "grafana_admin_password" { + length = 32 + special = false +} + + resource "helm_release" "prometheus-grafana" { name = "nebari" namespace = var.namespace @@ -176,6 +182,9 @@ resource "helm_release" "prometheus-grafana" { "${var.node-group.key}" = var.node-group.value } + # Avoid using the default + adminPassword: random_password.grafana_admin_password.result + sidecar = { dashboards = { annotations = { From 6477b6316bb0a1ef1dd0f51aa685fbbe14451bfa Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 14:28:01 +0000 Subject: [PATCH 02/13] Trigger ci run --- .github/workflows/test_local_integration.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test_local_integration.yaml b/.github/workflows/test_local_integration.yaml index ac5ff87b4..bcabe99eb 100644 --- a/.github/workflows/test_local_integration.yaml +++ b/.github/workflows/test_local_integration.yaml @@ -17,6 +17,7 @@ on: - ".cirun.yml" push: branches: + - grafana-security - main - develop - release/\d{4}.\d{1,2}.\d{1,2} From 89df6953376f46ca4da3201593878870138f2e52 Mon Sep 17 00:00:00 2001 
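Review bot: The new `random_password.grafana_admin_password` resource carries no comment about where the generated value ends up or how an operator is expected to read it, and nothing in this hunk exposes it. Terraform records `random_password` results in the state file, so the Grafana admin credential is only as well protected as the state backend. A comment above the resource would help, for example `# Grafana admin password; the value lives in Terraform state, so the state backend must be access-controlled`. `special = false` presumably keeps the value free of characters that need escaping in the Helm values (inferred, please confirm and say so in the comment).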
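Review bot: Setting `adminPassword` in the chart values may not change the credential on clusters where Grafana has already initialised its database with the chart default, because Grafana applies the configured admin password only when the admin user is first created. Whether Grafana's database is persisted in this deployment is not visible in the hunk, so the upgrade path for existing installs should be confirmed and documented next to the value, e.g. `# Only applied on first start; existing installs with persistent storage need a manual reset`. Passing the secret through Helm values also stores it in the Helm release data in the namespace; the Grafana chart's `admin.existingSecret` is the usual way to avoid that. The enclosing `helm_release` block starts and ends outside the hunk.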
From: Amit Kumar Date: Tue, 5 Mar 2024 14:56:06 +0000 Subject: [PATCH 03/13] add test for grafana API 401 --- tests/tests_deployment/test_grafana_api.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 tests/tests_deployment/test_grafana_api.py diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py new file mode 100644 index 000000000..164ae43e6 --- /dev/null +++ b/tests/tests_deployment/test_grafana_api.py @@ -0,0 +1,17 @@ +import base64 + +import requests + +from tests.tests_deployment import constants + + +def test_grafana_api_not_accessible_with_default_credentials(): + """Making sure that Grafana's API is not accessible on default user/pass""" + user_pass_b64_encoded = base64.b64encode(b'admin:prom-operator').decode() + response = requests.get( + f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", + headers={ + 'Authorization': f"Basic {user_pass_b64_encoded}" + } + ) + assert response.status_code == 401 From aee7fb7995ba3082e33741db43662fabc2dbd6be Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 14:57:56 +0000 Subject: [PATCH 04/13] undo branch add --- .github/workflows/test_local_integration.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test_local_integration.yaml b/.github/workflows/test_local_integration.yaml index bcabe99eb..ac5ff87b4 100644 --- a/.github/workflows/test_local_integration.yaml +++ b/.github/workflows/test_local_integration.yaml @@ -17,7 +17,6 @@ on: - ".cirun.yml" push: branches: - - grafana-security - main - develop - release/\d{4}.\d{1,2}.\d{1,2} From d1a59ea037a14df81d412c418218737dd9548afa Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 14:58:55 +0000 Subject: [PATCH 05/13] add note about pass generation --- .../template/modules/kubernetes/services/monitoring/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
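Review bot: `requests.get(...)` in the new test is called without a `timeout`, so an unreachable or stalled ingress would hang the deployment test run instead of failing it; adding e.g. `timeout=10` bounds it, and the same call is carried unchanged through the later patches of this series. A 401 also does not by itself show that the admin password was changed, since any layer in front of Grafana that rejects the request would return the same status; asserting something Grafana-specific in the response would make the check meaningful. As a smaller point, `auth=("admin", "prom-operator")` would replace the hand-built base64 header.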
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf index 01fe42b23..26e93e551 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf @@ -182,7 +182,7 @@ resource "helm_release" "prometheus-grafana" { "${var.node-group.key}" = var.node-group.value } - # Avoid using the default + # Avoid using the default password, as that's a security risk adminPassword: random_password.grafana_admin_password.result sidecar = { From 029098addc6e566768ce8071648dfb4d2e36f429 Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 15:01:24 +0000 Subject: [PATCH 06/13] remove extra line --- .../template/modules/kubernetes/services/monitoring/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf index 26e93e551..fd1380136 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf @@ -3,7 +3,6 @@ resource "random_password" "grafana_admin_password" { special = false } - resource "helm_release" "prometheus-grafana" { name = "nebari" namespace = var.namespace From bb298e5a2240f74e150aae29859a51f05a49028a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 5 Mar 2024 15:02:27 +0000 Subject: [PATCH 07/13] [pre-commit.ci] Apply automatic pre-commit fixes --- tests/tests_deployment/test_grafana_api.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py index 164ae43e6..80a9dea49 100644 --- a/tests/tests_deployment/test_grafana_api.py +++ b/tests/tests_deployment/test_grafana_api.py @@ -7,11 +7,9 @@ def test_grafana_api_not_accessible_with_default_credentials(): """Making sure that Grafana's API is not accessible on default user/pass""" - user_pass_b64_encoded = base64.b64encode(b'admin:prom-operator').decode() + user_pass_b64_encoded = base64.b64encode(b"admin:prom-operator").decode() response = requests.get( f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", - headers={ - 'Authorization': f"Basic {user_pass_b64_encoded}" - } + headers={"Authorization": f"Basic {user_pass_b64_encoded}"}, ) assert response.status_code == 401 From fb76fd6fb6a46ac78218ad313621e2860831409f Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 15:11:13 +0000 Subject: [PATCH 08/13] make precommit happy --- .../template/modules/kubernetes/services/monitoring/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf index fd1380136..413a9e08d 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf @@ -182,7 +182,7 @@ resource "helm_release" "prometheus-grafana" { } # Avoid using the default password, as that's a security risk - adminPassword: random_password.grafana_admin_password.result + adminPassword : random_password.grafana_admin_password.result sidecar = { dashboards = { From 273d51f26dbbf066bcdb3bbfe6312a66f025e19e Mon Sep 17 00:00:00 2001 
From: Amit Kumar
Date: Tue, 5 Mar 2024 15:43:06 +0000
Subject: [PATCH 09/13] disable ssl verification
---
 tests/tests_deployment/test_grafana_api.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py
index 80a9dea49..97e4fb0d3 100644
--- a/tests/tests_deployment/test_grafana_api.py
+++ b/tests/tests_deployment/test_grafana_api.py
@@ -11,5 +11,6 @@ def test_grafana_api_not_accessible_with_default_credentials():
 response = requests.get(
 f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources",
 headers={"Authorization": f"Basic {user_pass_b64_encoded}"},
+ verify=False
 )
 assert response.status_code == 401
From 7c99d4f2f6a3ba26e0b6507aeeb3760afa741256 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 5 Mar 2024 15:43:20 +0000
Subject: [PATCH 10/13] [pre-commit.ci] Apply automatic pre-commit fixes
---
 tests/tests_deployment/test_grafana_api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py
index 97e4fb0d3..99665503a 100644
--- a/tests/tests_deployment/test_grafana_api.py
+++ b/tests/tests_deployment/test_grafana_api.py
@@ -11,6 +11,6 @@ def test_grafana_api_not_accessible_with_default_credentials():
 response = requests.get(
 f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources",
 headers={"Authorization": f"Basic {user_pass_b64_encoded}"},
- verify=False
+ verify=False,
 )
 assert response.status_code == 401
From e821a108003239a2f5bb7749bedbe893d35730f8 Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Tue, 5 Mar 2024 18:02:29 +0000
Subject: [PATCH 11/13] use http
---
 tests/tests_deployment/test_grafana_api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py
index 99665503a..850fd6634 100644
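Review bot: `verify=False` (patch 09) turns off certificate validation for a request that carries a Basic `Authorization` header, and nothing in the test says why. The credential sent is the public chart default, so the exposure is small, but the pattern is easy to copy into tests that carry real secrets. If the test deployment uses a self-signed or staging certificate (an assumption, not visible here), pass the CA bundle path via `verify=`, or at least add `# test cluster serves an untrusted cert; only the public default credential is sent`. Patch 12 later silences the resulting `InsecureRequestWarning` with `@pytest.mark.filterwarnings`, which hides the condition rather than resolving it. The test function starts outside this hunk.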
--- a/tests/tests_deployment/test_grafana_api.py +++ b/tests/tests_deployment/test_grafana_api.py @@ -9,7 +9,7 @@ def test_grafana_api_not_accessible_with_default_credentials(): """Making sure that Grafana's API is not accessible on default user/pass""" user_pass_b64_encoded = base64.b64encode(b"admin:prom-operator").decode() response = requests.get( - f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", + f"http://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", headers={"Authorization": f"Basic {user_pass_b64_encoded}"}, verify=False, ) From 1dcc5698b0878d99e10297133629405ce5bbf32e Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Tue, 5 Mar 2024 18:28:17 +0000 Subject: [PATCH 12/13] ignore insecure request warning --- tests/tests_deployment/test_grafana_api.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/tests_deployment/test_grafana_api.py b/tests/tests_deployment/test_grafana_api.py index 850fd6634..cdb489f34 100644 --- a/tests/tests_deployment/test_grafana_api.py +++ b/tests/tests_deployment/test_grafana_api.py @@ -1,15 +1,17 @@ import base64 +import pytest import requests from tests.tests_deployment import constants +@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning") def test_grafana_api_not_accessible_with_default_credentials(): """Making sure that Grafana's API is not accessible on default user/pass""" user_pass_b64_encoded = base64.b64encode(b"admin:prom-operator").decode() response = requests.get( - f"http://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", + f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources", headers={"Authorization": f"Basic {user_pass_b64_encoded}"}, verify=False, ) From a0347568c80786af839fdf8defc8e388215ea4bb Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 20:08:07 +0000
Subject: [PATCH 13/13] [pre-commit.ci] Apply automatic pre-commit fixes
---
 src/_nebari/stages/kubernetes_services/__init__.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/_nebari/stages/kubernetes_services/__init__.py b/src/_nebari/stages/kubernetes_services/__init__.py
index a9124f41a..9c47fee6e 100644
--- a/src/_nebari/stages/kubernetes_services/__init__.py
+++ b/src/_nebari/stages/kubernetes_services/__init__.py
@@ -51,9 +51,15 @@ class Storage(schema.Base):
 class JupyterHubTheme(schema.Base):
 hub_title: str = "Nebari"
 hub_subtitle: str = "Your open source data science platform"
- welcome: str = """Welcome! Learn about Nebari's features and configurations in the documentation. If you have any questions or feedback, reach the team on Nebari's support forums."""
- logo: str = "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/logo-mark/horizontal/Nebari-Logo-Horizontal-Lockup-White-text.svg"
- favicon: str = "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/symbol/favicon.ico"
+ welcome: str = (
+ """Welcome! Learn about Nebari's features and configurations in the documentation. If you have any questions or feedback, reach the team on Nebari's support forums."""
+ )
+ logo: str = (
+ "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/logo-mark/horizontal/Nebari-Logo-Horizontal-Lockup-White-text.svg"
+ )
+ favicon: str = (
+ "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/symbol/favicon.ico"
+ )
 primary_color: str = "#4f4173"
 primary_color_dark: str = "#4f4173"
 secondary_color: str = "#957da6"