I'm trying to connect to a datasource that requires client certs. This can be done in the GUI in Authentication -> TLS Client Authentication -> Client Certificate and Client Key. I haven't found a way to specify these, e.g. as secret refs, via the GrafanaDatasource CR. I checked the GrafanaDatasource spec but no luck there. Is this not possible or is there a non-obvious way to do it?
Replies: 2 comments
These settings are usually part of the data source spec itself. You can find the required settings here: https://grafana.com/docs/grafana/next/administration/provisioning/#json-data
Thanks a lot, that was exactly the non-obvious way I was looking for. For future reference or anyone else interested, here's an example of a GrafanaDatasource accessing a Loki endpoint in another namespace on OpenShift, with the endpoint requiring TLS cert authentication:

```yaml
kind: GrafanaDatasource
apiVersion: grafana.integreatly.org/v1beta1
metadata:
  name: grafanadatasource-loki-application
  namespace: grafana
spec:
  valuesFrom:
    - targetPath: "secureJsonData.tlsClientCert"
      valueFrom:
        secretKeyRef:
          name: "logging-loki-gateway-client-http-manual-copy"
          key: "tls.crt"
    - targetPath: "secureJsonData.tlsClientKey"
      valueFrom:
        secretKeyRef:
          name: "logging-loki-gateway-client-http-manual-copy"
          key: "tls.key"
  datasource:
    access: proxy
    isDefault: false
    jsonData:
      httpHeaderName1: X-Scope-OrgId
      timeInterval: 5s
      tlsSkipVerify: true
      tlsAuth: true
      serverName: logging-loki-query-frontend-http
    secureJsonData:
      tlsClientCert: '${tls.crt}'
      tlsClientKey: '${tls.key}'
      httpHeaderValue1: application
    name: Loki (application)
    type: loki
    url: https://logging-loki-query-frontend-http.openshift-logging:3100
  instanceSelector:
    matchLabels:
      dashboards: grafana
```

The cert secret needs to be copied from the original namespace where Loki lives, but this can be automated via e.g. Reflector. Note that this particular configuration will sidestep any per-user scoping done on OpenShift's end, effectively working around multi-tenancy. So anyone with access to this datasource can see logs from all namespaces. In our case this is what we want. If you instead need to limit access to only a particular user's logs, you'd have to somehow pass through the user token to Loki (?) and I believe the only way to do that is via OAuth Proxy. We didn't need/want the additional overhead of that sidecar and we also never managed to get it to work properly with a Grafana Operator-managed Grafana (it chokes on the required extra env vars). OpenShift doesn't really like (or even support) sharing its Grafana so setting up a separate one via Grafana Operator gives you one way to achieve your own Grafana while still using OpenShift's datasources.
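The manifest in the reply above presents a client certificate but also sets `tlsSkipVerify: true`, so Grafana never validates the Loki gateway's own certificate and the pinned `serverName` has no effect; in that state the connection can be intercepted by anything that terminates TLS on the path between the Grafana pod and the gateway. The following is an added example, not code from the original post or from the Grafana Operator project, showing the same datasource with server verification switched back on. It assumes a hypothetical secret `logging-loki-gateway-ca-manual-copy` (placeholder name) that holds the gateway's CA bundle under the key `ca.crt`, copied into the `grafana` namespace the same way as the client-cert secret, and it uses the `tlsAuthWithCACert` and `secureJsonData.tlsCACert` provisioning fields from the Grafana docs linked in the first reply.

```yaml
kind: GrafanaDatasource
apiVersion: grafana.integreatly.org/v1beta1
metadata:
  name: grafanadatasource-loki-application
  namespace: grafana
spec:
  valuesFrom:
    - targetPath: "secureJsonData.tlsClientCert"
      valueFrom:
        secretKeyRef:
          name: "logging-loki-gateway-client-http-manual-copy"
          key: "tls.crt"
    - targetPath: "secureJsonData.tlsClientKey"
      valueFrom:
        secretKeyRef:
          name: "logging-loki-gateway-client-http-manual-copy"
          key: "tls.key"
    # Added: the CA that signed the Loki gateway's server certificate.
    # Secret name and key are placeholders for this example; copy the
    # real CA bundle from the Loki namespace the same way as the client cert.
    - targetPath: "secureJsonData.tlsCACert"
      valueFrom:
        secretKeyRef:
          name: "logging-loki-gateway-ca-manual-copy"
          key: "ca.crt"
  datasource:
    access: proxy
    isDefault: false
    jsonData:
      httpHeaderName1: X-Scope-OrgId
      timeInterval: 5s
      # Weak setting from the original reply, kept here for comparison:
      #   tlsSkipVerify: true   # server cert never checked, serverName ignored
      tlsSkipVerify: false
      tlsAuth: true
      # Tell Grafana to validate the server chain against secureJsonData.tlsCACert
      tlsAuthWithCACert: true
      # Must match a SAN on the gateway certificate; with verification enabled
      # this now actually prevents connecting to a server presenting another name.
      serverName: logging-loki-query-frontend-http
    secureJsonData:
      tlsClientCert: '${tls.crt}'
      tlsClientKey: '${tls.key}'
      tlsCACert: '${ca.crt}'
      httpHeaderValue1: application
    name: Loki (application)
    type: loki
    url: https://logging-loki-query-frontend-http.openshift-logging:3100
  instanceSelector:
    matchLabels:
      dashboards: grafana
```

After applying it, the Grafana datasource "Save & test" button (or the operator's status conditions on the CR) is the quickest check: a failure mentioning an unknown authority means the wrong CA was copied, not that client auth is broken. The multi-tenancy caveat in the reply is unchanged by this; the CA only authenticates the server, and the shared client certificate still grants everyone with access to the datasource the same view of Loki.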