* DataSourceSettings: Add servername field to DataSource TLS config
A DNS lookup URL can be provided in the DataSource URL field in order
to dynamically load balance between multiple instances of a DataSource.
When using mutual TLS, Golang's TLS config implementation checks that
the certificate's common name (< 1.15) or subject alternative name
(>= 1.15) has the same value as the domain being accessed. If the DNS
entry is dynamically generated for a specific environment, the
certificate cannot be generated with a name matching the dynamic
DNS URL. As such, Golang offers a servername field that can be set to
overwrite what value is used when checking against the certificate's
common name (or subject alternative name). Without this change, Skip
TLS Verify must be set to true in order for the DataSource to work,
removing some of the benefits gained by using mutual TLS.
This commit adds the ability to set Grafana's internal Golang TLS config
servername field from the UI or a provisioned DataSource.
The servername field is optional and the existing behavior is retained if
the field is not set.
Co-authored-by: Dana Pruitt <dpruitt@vmware.com>
Co-authored-by: Jeremy Alvis <jalvis@pivotal.io>
* Update docs with PR review changes
Co-authored-by: Jeremy Alvis <jalvis@pivotal.io>
Co-authored-by: Dana Pruitt <dpruitt@vmware.com>
* Update with additional PR requested changes
* Minor updates based on PR change requests
Co-authored-by: Dana Pruitt <dpruitt@vmware.com>
Prefixes SigV4 json data and secure json data keys with sigV4 to make
sure they don't collide with any other settings. Also minor fixes to UI.
Ref #27552
For backend data sources executing in the backend (not through data proxy) make
sure that the timeout applies to cached HTTP client.
Fixes#25863
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>
I renamed `tlsAuth` to `tlsClientAuth` to better describe the fact that
this variable is used to enable TLS client authentication (as opposed to
server authentication) in c04d95f35.
However, changing the name breaks backwards compatibility for existing
installations using this feature and Grafana does not have a
standardised way of migrating changes in the schema:
https://github.com/grafana/grafana/pull/9377#issuecomment-333063543
For reasons of expediency given the severity of the bug (not verifying
TLS), keep the old name.
In c04d95f35 I changed the default for datasource HTTP requests so that
TLS is always verified.
This commit adds a checkbox to allow an admin to explicitly skip TLS
verification, for testing purposes.
