Grafana Chef Cookbook Wrapper to Override Nginx SSL Template
28 Jun 2015
I recently contributed to the overhaul and 2.0 release of the Grafana Chef cookbook. It was a nearly complete rewrite of the 1.x version, and many decisions were made along the way about what should (and should not) be included in the effort. The cookbook is designed to be as flexible as possible via attributes and to provide the user with a functional setup using the defaults. The previous version used Nginx as a web server, and it made sense to proxy the new Grafana with Nginx in the default setup.
One of the initially identified tasks was to provide SSL by default within the cookbook, but that proved to be foolish for two reasons: 1) it was well outside the scope of the Grafana cookbook and 2) SSL configs are highly dependent on several diverse factors ranging from web server version to client browser requirements. Creating a default Nginx SSL setup that was flexibly configurable with attributes was duly marked as out of scope, but not without some discussion.
For reference, here’s the default Nginx template from the Grafana cookbook:
Overriding The Nginx Conf Template
When defining an Nginx template with SSL enabled, it’s helpful to have additional variables passed to the template so info like cert locations can be more flexibly defined. Using cookbook
and source
attributes provided by the recipe would allow for the wrapper cookbook to define a new template, but not allow for additional variables to be passed to the template. By taking advantage of Chef’s compile phase, we can alter the template['/etc/nginx/sites-available/grafana']
resource to not only use the template of our choosing, but also pass additional attributes to the resource.
The resource definition below is from a Grafana cookbook wrapper recipe:
The recipe is grafana
and the containing cookbook is wrapper-cookbook
. When compared to the template within the Grafana cookbook’s _nginx.rb
, you can see that five additional SSL-related attributes are passed to the template (lines 12-16).
A Sample Nginx SSL Template
The nginx.conf.erb
will be dependent on your SSL requirements, but here’s an example:
Your mileage will most certainly vary. If you’re looking for suggestions on what SSL configs to use Mozilla has put together a great TLS configuration generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/.
Conclusion
You could argue that this is unnecessary for the Grafana cookbook’s _nginx.rb
given that the recipe is so simple, but it illustrates the power of Chef’s compile phase to override the defaults of the cookbooks used.
In addition to a default Nginx setup, the cookbook provides LWRPs for creating datasources, dashboards, organizations, and users. It’ll be exciting to see how people use and extend it.