From d03ce3a618c5c60e2cfb2f6b85d3b1abba3e5eff Mon Sep 17 00:00:00 2001
From: sbbroot <86356638+sbbroot@users.noreply.github.com>
Date: Wed, 12 Jan 2022 15:11:36 +0100
Subject: [PATCH] Change Grafana admin password in the apply mode (#2420) (#2819)
* Change Grafana admin password in the apply mode (#2420)
---
ansible/playbooks/filter_plugins/ini.py | 32 +++++++++++++++++++
.../playbooks/roles/grafana/tasks/main.yml | 3 ++
.../roles/grafana/tasks/password_change.yml | 26 +++++++++++++++
cli/engine/ansible/AnsibleVarsGenerator.py | 4 +--
docs/changelogs/CHANGELOG-1.3.md | 1 +
5 files changed, 64 insertions(+), 2 deletions(-)
create mode 100644 ansible/playbooks/filter_plugins/ini.py
create mode 100644 ansible/playbooks/roles/grafana/tasks/password_change.yml
diff --git a/ansible/playbooks/filter_plugins/ini.py b/ansible/playbooks/filter_plugins/ini.py
new file mode 100644
index 0000000000..4c275d7dd5
--- /dev/null
+++ b/ansible/playbooks/filter_plugins/ini.py
@@ -0,0 +1,32 @@
+from typing import Dict
+import configparser
+
+
+class FilterModule(object):
+ """ Defines filters """
+
+ def filters(self):
+ return {
+ 'from_ini': self.from_ini,
+ }
+
+ def from_ini(self, content: str, default_section_name: str = '__none__') -> Dict:
+ """
+ Parse `content` in ini format which was obtained from a decoded file.
+
+ :param content: to be parsed
+ :param default_section_name: fields without section will be available under this key
+ :return: properly parsed ini content
+ """
+ fixed_content = content.replace('\\n', '\n').replace('\\', '')
+
+ config = configparser.ConfigParser()
+
+ try:
+ config.read_string(fixed_content)
+ except configparser.MissingSectionHeaderError:
+ # content might be missing default header, add it and try to parse it once more
+ config = configparser.ConfigParser()
+ config.read_string(f'[{default_section_name}]\n{fixed_content}')
+
+ return {section: dict(config.items(section)) for section in config.sections()}
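Review bot: In `from_ini` (new file `filter_plugins/ini.py`), both `configparser.ConfigParser()` calls keep the default `BasicInterpolation`, so `config.items(section)` raises `InterpolationSyntaxError` for any value containing a bare `%`, which is plausible for the `admin_password` this filter is used to read. Constructing the parser as `configparser.ConfigParser(interpolation=None)` in both places returns the values verbatim. Separately, `.replace('\\', '')` removes every backslash from the content, so a stored value that contains a backslash is altered before the caller compares it. A comment saying why the un-escaping is needed would help (the code suggests the input can arrive with literal `\n` sequences), or the replacement could be narrowed to that newline case.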
diff --git a/ansible/playbooks/roles/grafana/tasks/main.yml b/ansible/playbooks/roles/grafana/tasks/main.yml
index db991c0018..aaa51d3d34 100644
--- a/ansible/playbooks/roles/grafana/tasks/main.yml
+++ b/ansible/playbooks/roles/grafana/tasks/main.yml
@@ -24,6 +24,9 @@ include_tasks: api_keys.yml when: grafana_api_keys | length > 0 +- name: Include password change tasks + include_tasks: password_change.yml + - name: Include datasources tasks include_tasks: datasources.yml when: grafana_datasources != []
diff --git a/ansible/playbooks/roles/grafana/tasks/password_change.yml b/ansible/playbooks/roles/grafana/tasks/password_change.yml
new file mode 100644
index 0000000000..2695a8ab56
--- /dev/null
+++ b/ansible/playbooks/roles/grafana/tasks/password_change.yml
@@ -0,0 +1,26 @@
+---
+- name: Fail when grafana admin password isn't set
+ fail:
+ msg: "Please specify grafana admin password (grafana_security.admin_password)"
+ when:
+ - grafana_security.admin_password is undefined or grafana_security.admin_password | length == 0
+
+- name: Compare current grafana password set on the remote with the schema file
+ block:
+ - name: Fetch the grafana.ini file from the remote
+ slurp:
+ src: /etc/grafana/grafana.ini
+ register: grafana_config_file
+
+ - name: Parse grafana.ini content
+ set_fact:
+ grafana_config_file_content: "{{ grafana_config_file['content'] | b64decode | from_ini }}"
+
+ - name: Fetch the password
+ set_fact:
+ current_admin_password: "{{ grafana_config_file_content['security']['admin_password'] }}"
+
+ # Grafana admin password change is only available through the grafana-cli
+ - name: Change admin password using grafana-cli
+ command: grafana-cli admin reset-admin-password "{{ grafana_security.admin_password }}"
+ when: grafana_security.admin_password != current_admin_password
diff --git a/cli/engine/ansible/AnsibleVarsGenerator.py b/cli/engine/ansible/AnsibleVarsGenerator.py
index 3b96ecadc3..1749e0e2c0 100644
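Review bot: In `password_change.yml`, the task `Change admin password using grafana-cli` puts the new password on the command line and no task in the file sets `no_log: true`, so the secret can appear in Ansible output and logs and, while the command runs, in the host's process list. The slurp and the two `set_fact` tasks have the same logging exposure, since `grafana_config_file_content` holds the whole parsed grafana.ini and `current_admin_password` the stored password. Add `no_log: true` to the slurp, both `set_fact` tasks and the command task; if the deployed grafana-cli supports `--password-from-stdin`, pass the value through the `command` module's `stdin` argument instead of argv. The lookup `grafana_config_file_content['security']['admin_password']` also fails when that key is absent or commented out in grafana.ini, so a `default('')` on it would let the comparison proceed.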
--- a/cli/engine/ansible/AnsibleVarsGenerator.py
+++ b/cli/engine/ansible/AnsibleVarsGenerator.py
@@ -68,8 +68,8 @@ def generate(self): # is changed between versions (e.g. wal_keep_segments -> wal_keep_size) and sometimes previous parameters # are not compatible with the new ones, defaults are used for template processing roles_with_defaults = [ - 'repository', 'image_registry', 'node_exporter', 'haproxy', - 'postgresql', 'kafka_exporter', 'jmx_exporter', 'postgres_exporter' + 'haproxy', 'image_registry', 'jmx_exporter', 'kafka_exporter', + 'node_exporter', 'postgresql', 'repository' ] # now lets add any external configs we want to load roles_with_defaults = [*roles_with_defaults, *self.inventory_upgrade.get_new_config_roles()]
diff --git a/docs/changelogs/CHANGELOG-1.3.md b/docs/changelogs/CHANGELOG-1.3.md
index c726e53248..8bb844b774 100644
--- a/docs/changelogs/CHANGELOG-1.3.md
+++ b/docs/changelogs/CHANGELOG-1.3.md
@@ -40,6 +40,7 @@ - [#2774](https://github.com/epiphany-platform/epiphany/issues/2774) - Issue creating service principle on Azure - [#2737](https://github.com/epiphany-platform/epiphany/issues/2737) - Fix asserting number of postgres nodes - [#1175](https://github.com/epiphany-platform/epiphany/issues/1175) - Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists +- [#2420](https://github.com/epiphany-platform/epiphany/issues/2420) - Changing Grafana admin password in the apply mode ### Updated
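Review bot: The reordered `roles_with_defaults` list in `AnsibleVarsGenerator.generate` no longer contains `'postgres_exporter'`, a behavioural change that the alphabetical re-sort makes easy to miss and that the commit message does not mention. If the removal is intended, a short comment next to the list or a changelog line should say why that role is no longer included. If it is not, restore the entry in sorted position, e.g. `'node_exporter', 'postgres_exporter', 'postgresql', 'repository'`. The body of `generate` starts and ends outside this hunk, so how the list is consumed is only partly visible here.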