Secret cleanup: Grafana custom.ini and grafana.ini #128

Closed
opened 2024-06-25 12:20:32 -07:00 by Jafner · 3 comments
Owner

The files [custom.ini](https://gitea.jafner.tools/Jafner/homelab/src/branch/main/fighter/config/monitoring/custom.ini) and [grafana.ini](https://gitea.jafner.tools/Jafner/homelab/src/branch/main/fighter/config/monitoring/grafana.ini) contain plaintext secrets for Keycloak OAuth, SMTP, and some other signing keys whose purpose I don't fully understand.

Actions taken:

  1. Stop and remove Grafana container.
  2. Revoke and rotate Keycloak OAuth client secret.
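A pre-commit style check for the kind of leak this issue describes, added here as an example and not code from the homelab repository: it parses a Grafana ini file and reports sensitive keys that hold a literal value rather than a `$__env{}`, `$__file{}` or `$__vault{}` reference. The section/key list is taken from Grafana's documented configuration; the sample ini and its values are constructed.

```python
import configparser
import re
from typing import List, Tuple

# Grafana ini keys that are expected to carry secrets (sections and key
# names as documented by Grafana; extend as needed for your deployment).
SENSITIVE_KEYS = {
    ("security", "secret_key"),
    ("security", "admin_password"),
    ("smtp", "password"),
    ("database", "password"),
    ("auth.generic_oauth", "client_secret"),
}

# Grafana expands these at startup, so the ini itself holds no secret.
_INDIRECT_REF = re.compile(r"^\$__(env|file|vault)\{")


def find_plaintext_secrets(ini_text: str) -> List[Tuple[str, str]]:
    """Return (section, key) pairs whose value is a literal secret."""
    cp = configparser.ConfigParser(
        interpolation=None, allow_no_value=True, strict=False
    )
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(ini_text)
    findings = []
    for section, key in sorted(SENSITIVE_KEYS):
        value = cp.get(section, key, fallback=None)
        if value is None:
            continue
        value = value.strip()
        if value == "" or _INDIRECT_REF.match(value):
            continue  # unset, or resolved from env/file/vault at runtime
        findings.append((section, key))
    return findings


# Constructed sample: two literal secrets, two indirect references.
SAMPLE_INI = """\
[security]
secret_key = EXAMPLE-NOT-A-REAL-KEY-0123
admin_password = $__env{GF_SECURITY_ADMIN_PASSWORD}

[smtp]
enabled = true
password = example-smtp-password

[auth.generic_oauth]
name = Keycloak
client_id = grafana
client_secret = $__file{/run/secrets/keycloak_client_secret}
"""

if __name__ == "__main__":
    for section, key in find_plaintext_secrets(SAMPLE_INI):
        print(f"plaintext secret: [{section}] {key}")
```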
Author
Owner

Per 993c23a995 we have moved configuration of Grafana's `custom.ini` out of version control and documented the new process.

The Keycloak client secret has been rotated and tested.

Good to go.
Author
Owner

Per [docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#secret_key):

> **secret_key**
>
> Used for signing some data source settings like secrets and passwords, the encryption format used is AES-256 in CFB mode. Cannot be changed without requiring an update to data source settings to re-encode them.

Alright, that key was still in use. Gotta rotate that too.
Jafner reopened this issue 2024-06-25 12:25:57 -07:00
Author
Owner
  1. Generated a new key. Placed it in `custom.ini`, rebooted the container.
  2. Per the docs, I made trivial changes to each of our data sources and hit Save & Test, which returned good for both. I think we're good now??
Reference: Jafner/homelab#128