From 0a822874f0011f43f50772d519cded35e9691149 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Tue, 12 Sep 2023 14:13:36 +0200
Subject: [PATCH] grafana: Update config 10.1.1 release.
---
 roles/grafana/templates/grafana.ini.j2 | 105 +++++++++++++++++++------
 1 file changed, 81 insertions(+), 24 deletions(-)
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index 6d4d806..2022825 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -34,6 +34,9 @@ provisioning = /etc/grafana/provisioning
 # Protocol (http, https, h2, socket)
 ;protocol = http
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.2, TLS1.3. If nothing is set TLS1.2 would be taken
+;min_tls_version = ""
+
 # The ip address to bind to, empty will bind to all interfaces
 http_addr = 127.0.0.1
@@ -381,6 +384,9 @@ strict_transport_security = true
 # The CSRF check will be executed even if the request has no login cookie.
 ;csrf_always_check = false
+# Comma-separated list of plugins ids that won't be loaded inside the frontend sandbox
+;disable_frontend_sandbox_for_plugins =
+
 [security.encryption]
 # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
 # Please note that small values may cause performance issues due to a high frequency decryption operations.
@@ -433,7 +439,7 @@ allow_sign_up = false
 # Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
 ;auto_assign_org_id = 1
-# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
+# Default role new users will be automatically assigned
 ;auto_assign_org_role = Viewer
 # Require email validation before sign up completes
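Review bot: The comment added above `;min_tls_version` in the `@@ -34` hunk does not say that the key only matters when Grafana terminates TLS itself. In this template `protocol` is left at its commented-out `http` default and `http_addr` is `127.0.0.1`, so TLS is presumably terminated by a reverse proxy (not visible here) and the minimum version has to be enforced there. I would add a line such as `# No effect while protocol = http; enforce the TLS floor on the fronting proxy` so nobody later relies on this key for a guarantee it does not give.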
@@ -589,7 +595,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;auto_login = false
 ;client_id = some_id
 ;client_secret = some_secret
-;scopes = api
+;scopes = openid email profile
 ;auth_url = https://gitlab.com/oauth/authorize
 ;token_url = https://gitlab.com/oauth/token
 ;api_url = https://gitlab.com/api/v4
@@ -599,6 +605,11 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+;use_pkce = true
 #################################### Google Auth ##########################
 [auth.google]
@@ -609,13 +620,14 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;auto_login = false
 ;client_id = some_client_id
 ;client_secret = some_client_secret
-;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-;auth_url = https://accounts.google.com/o/oauth2/auth
-;token_url = https://accounts.google.com/o/oauth2/token
-;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;scopes = openid email profile
+;auth_url = https://accounts.google.com/o/oauth2/v2/auth
+;token_url = https://oauth2.googleapis.com/token
+;api_url = https://openidconnect.googleapis.com/v1/userinfo
 ;allowed_domains =
 ;hosted_domain =
 ;skip_org_role_sync = false
+;use_pkce = true
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
@@ -647,6 +659,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;allowed_organizations =
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
+;use_pkce = true
 # prevent synchronizing users organization roles
 ;skip_org_role_sync = false
@@ -668,6 +681,7 @@ signout_redirect_url = https://keycloak.xenrox.net/realms/xenrox/protocol/openid
 ;role_attribute_strict = false
 ;allow_assign_grafana_admin = false
 ;skip_org_role_sync = false
+;use_pkce = true
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
@@ -761,6 +775,12 @@ role_attribute_strict = true
 # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
 ; assume_role_enabled = true
+# Specify max no of pages to be returned by the ListMetricPages API
+; list_metrics_page_limit = 500
+
+# Experimental, for use in Grafana Cloud only. Please do not set.
+; external_id =
+
 #################################### Azure ###############################
 [azure]
 # Azure cloud environment where Grafana is hosted
@@ -777,6 +797,23 @@ role_attribute_strict = true
 # Should be set for user-assigned identity and should be empty for system-assigned identity
 ;managed_identity_client_id =
+# Specifies whether user identity authentication (on behalf of currently signed-in user) should be enabled in datasources
+# that support it (requires AAD authentication)
+# Disabled by default, needs to be explicitly enabled
+;user_identity_enabled = false
+
+# Override token URL for Azure Active Directory
+# By default is the same as token URL configured for AAD authentication settings
+;user_identity_token_url =
+
+# Override ADD application ID which would be used to exchange users token to an access token for the datasource
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_id =
+
+# Override the AAD application client secret
+# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
+;user_identity_client_secret =
+
 #################################### Role-based Access Control ###########
 [rbac]
 ;permission_cache = true
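Review bot: `;use_pkce = true` is documented for Okta in the `@@ -668` hunk (and for GitLab, Google and Azure AD in the `@@ -599`, `@@ -609` and `@@ -647` hunks), but nothing in this patch touches `[auth.generic_oauth]`, whose header is the last context line of this hunk. The hunk headers show a Keycloak `signout_redirect_url`, so generic OAuth is presumably the provider this deployment actually uses; its body lies outside the hunk, so whether it already enables PKCE cannot be seen here. If it does not, I would add an uncommented `use_pkce = true` to that section so the live login flow gets the authorization-code interception protection that the new provider defaults describe.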
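Review bot: The comment above `;user_identity_client_id` in the `@@ -777` hunk says "Override ADD application ID", which should read "AAD"; I would change it to `# Override AAD application ID which would be used to exchange users token to an access token for the datasource`. Separately, `;user_identity_client_secret` is a credential placeholder in a Jinja template. If it is ever enabled, the value should be rendered from a vaulted variable rather than written as a literal, and a one-line comment above the key saying so would make that expectation explicit.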
@@ -819,6 +856,9 @@ role_attribute_strict = true
 # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
 ;filters =
+# Set the default error message shown to users. This message is displayed instead of sensitive backend errors which should be obfuscated. Default is the same as the sample value.
+;user_facing_default_error = "please inspect Grafana server log for details"
+
 # For "console" mode only
 [log.console]
 ;level =
@@ -865,20 +905,11 @@ role_attribute_strict = true
 ;tag =
 [log.frontend]
-# Should Sentry javascript agent be initialized
+# Should Faro javascript agent be initialized
 ;enabled = false
-# Defines which provider to use, default is Sentry
-;provider = sentry
-
-# Sentry DSN if you want to send events to Sentry.
-;sentry_dsn =
-
-# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
-;custom_endpoint = /log
-
-# Rate of events to be reported between 0 (none) and 1 (all), float
-;sample_rate = 1.0
+# Custom HTTP endpoint to send events to. Default will log the events to stdout.
+;custom_endpoint = /log-grafana-javascript-agent
 # Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
 ;log_endpoint_requests_per_second_limit = 3
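Review bot: The unchanged comment above `;log_endpoint_requests_per_second_limit` at the end of the `@@ -865` hunk still names the ingestion endpoint as `(/log)`, while the default added two lines earlier is `/log-grafana-javascript-agent`. A reader can no longer tell from the template which path the rate limit applies to, so I would update that comment to name the current endpoint. If a reverse proxy in front of Grafana filters or rate-limits by path (its config is not visible here), any rule written for `/log` should be checked as well.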
@@ -993,6 +1024,11 @@ role_attribute_strict = true
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 ;ha_peer_timeout = "15s"
+# The label is an optional string to include on each packet and stream.
+# It uniquely identifies the cluster and prevents cross-communication
+# issues when sending gossip messages in an enviromenet with multiple clusters.
+;ha_label =
+
 # The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated
 # across cluster more quickly at the expense of increased bandwidth usage.
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
@@ -1154,6 +1190,16 @@ role_attribute_strict = true
 # Enable the Profile section
 ;enabled = true
+#################################### News #############################
+[news]
+# Enable the news feed section
+; news_feed_enabled = true
+
+#################################### Query #############################
+[query]
+# Set the number of data source queries that can be executed concurrently in mixed queries. Default is the number of CPUs.
+;concurrent_query_limit =
+
 #################################### Query History #############################
 [query_history]
 # Enable the Query history
@@ -1168,6 +1214,8 @@ role_attribute_strict = true
 ;interval_seconds = 10
 # Disable total stats (stat_totals_*) metrics to be generated
 ;disable_total_stats = false
+# The interval at which the total stats collector will update the stats. Default is 1800 seconds.
+;total_stats_collector_interval_seconds = 1800
 #If both are set, basic auth will be required for the metrics endpoints.
 ; basic_auth_username =
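Review bot: The third comment line added above `;ha_label` in the `@@ -993` hunk misspells "environment" as "enviromenet"; I would write `# issues when sending gossip messages in an environment with multiple clusters.`. The comment describes the label as an identifier that avoids cross-talk between clusters, so it may also be worth one extra line saying it should not be treated as a credential for the gossip port.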
@@ -1302,8 +1350,11 @@ role_attribute_strict = true
 ;plugin_catalog_hidden_plugins =
 # Log all backend requests for core and external plugins.
 ;log_backend_requests = false
-# Force download of public key for verifying plugin signature on startup.
-;enforce_public_key_download = false
+# Disable download of the public key for verifying plugin signature.
+; public_key_retrieval_disabled = false
+# Force download of the public key for verifying plugin signature on startup. If disabled, the public key will be retrieved every 10 days.
+# Requires public_key_retrieval_disabled to be false to have any effect.
+; public_key_retrieval_on_startup = false
 #################################### Grafana Live ##########################################
 [live]
@@ -1450,13 +1501,13 @@ role_attribute_strict = true
 # Move an app plugin referenced by its id (including all its pages) to a specific navigation section
 [navigation.app_sections]
-# The following will move an app plugin with the id of `my-app-id` under the `starred` section
-# my-app-id = admin
+# The following will move an app plugin with the id of `my-app-id` under the `cfg` section
+# my-app-id = cfg
 # Move a specific app plugin page (referenced by its `path` field) to a specific navigation section
 [navigation.app_standalone_pages]
-# The following will move the page with the path "/a/my-app-id/starred-content" from `my-app-id` to the `starred` section
-# /a/my-app-id/starred-content = starred
+# The following will move the page with the path "/a/my-app-id/my-page" from `my-app-id` to the `cfg` section
+# /a/my-app-id/my-page = cfg
 #################################### Secure Socks5 Datasource Proxy #####################################
 [secure_socks_datasource_proxy]
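Review bot: `enforce_public_key_download` is removed in the `@@ -1302` hunk and replaced by two differently named keys, so an override of the old name kept anywhere else in the role (host vars or an environment variable, none of which is visible here) would presumably stop taking effect without any error. It is worth searching the role for the old name before merging, since these keys govern how the plugin-signature verification key is obtained. The two new lines are also written `; key` with a space after the semicolon while the neighbouring keys use `;key`; I would write `;public_key_retrieval_disabled = false` and `;public_key_retrieval_on_startup = false` to match.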
@@ -1467,5 +1518,11 @@ role_attribute_strict = true
 ; server_name =
 # The address of the socks5 proxy datasources should connect to
 ; proxy_address =
+; show_ui = true
+
+################################## Feature Management ##############################################
+[feature_management]
+hidden_toggles =
+read_only_toggles =
 # vi: ft=dosini
-- 
2.44.0
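Review bot: `hidden_toggles =` and `read_only_toggles =` in the `@@ -1467` hunk are the only keys this patch adds as live, uncommented assignments, and neither has a comment. An explicit empty value would presumably keep both lists empty even if a later release ships a non-empty default, so I would either comment them out like the other defaults (`;hidden_toggles =`, `;read_only_toggles =`) or add a line stating that the empty lists are intentional. `; show_ui = true` above them is also added without a description; a one-line comment saying what it toggles would match the other keys in `[secure_socks_datasource_proxy]`.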