How to format tls certs in .yaml for Grafana datasource provisioning?

Thanks to @wrosscopeeko for providing the solution to this (wrong documentation) issue on how to add the CA.

Maybe we should also add here, for future reference for other users, that the CA in your example has a single whitespace character added on all the CA lines.

It is not easy to understand from the text that the user also needs to add whitespace up to that point.

To add a complete description:

# config file version
apiVersion: 1

datasources:
  - name: Sample
    # <string, required> datasource type. Required
    type: prometheus
    # <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
    access: proxy
    # <int> org id. will default to orgId 1 if not specified
    orgId: 1
    basicAuth: true
    # <string> basic auth username, if used
    basicAuthUser: {{ user }}
    # <bool> enable/disable with credentials headers
    withCredentials: true
    # <bool> mark as default datasource. Max one per org
    isDefault: true
    # <map> fields that will be converted to json and stored in json_data
    jsonData:
      graphiteVersion: "1.1"
      tlsAuth: false
      tlsAuthWithCACert: true
      oauthPassThru: true
    # <string> json object of data that will be encrypted.
    secureJsonData:
      tlsCACert: |2
        -----BEGIN CERTIFICATE-----
        line 1
        line 2
        .
        .
        .
        -----END CERTIFICATE-----

The interesting part to notice here is |<int>: this indicates how many whitespace lines are expected after the pipe. By default (omitted) it is 1. Anything above that (if desired) needs to be defined.

In case someone wants to add the CA / CRT or KEY through Ansible, the user can use Jinja2 templates.

I managed to achieve it by loading the CA / CRT and KEY into vars and then adding them to the file.

Sample of code:

- name: Append 8 white space characters on ca
  register: grafanaCa
  ansible.builtin.shell:
    cmd: "sed 's/^/        /g' {{ role_path }}/files/{{ grafana.cert.files.ca }}"
  no_log: true

And then in the relevant file that the user wants to update:

datasources:
  # <string, required> name of the datasource. Required
  - name: Prometheus
    # <string, required> datasource type. Required
    type: prometheus
    # <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
    access: proxy
    # <int> org id. will default to orgId 1 if not specified
    orgId: 1
    # <string> url
    url: https://{{ hostname }}:{{ prometheus.conf.port }}
    # <string> database user, if used
    user:
    # <string> database name, if used
    database:
    # <bool> enable/disable basic auth
    basicAuth: true
    # <string> basic auth username, if used
    basicAuthUser: {{ user }}
    # <bool> enable/disable with credentials headers
    withCredentials: true
    # <bool> mark as default datasource. Max one per org
    isDefault: true
    # <map> fields that will be converted to json and stored in json_data
    jsonData:
      graphiteVersion: "1.1"
      tlsAuth: true
      tlsAuthWithCACert: true
      oauthPassThru: true
    # <string> json object of data that will be encrypted.
    secureJsonData:
      tlsCACert: |2
{{ grafanaCa.stdout }}
      tlsClientCert: |2
{{ grafanaCrt.stdout }}
      tlsClientKey: |2
{{ grafanaKey.stdout }}

Hope this helps someone else as I spent way too much time trying to figure it out…

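As an added check (not code from the post or from Grafana), this stdlib-only Python script mirrors the post's sed step and the `tlsCACert: |2` template line, reads the block scalar back using the YAML indentation rule (content indent = parent indent + indicator) and confirms the result is a clean PEM certificate; `SAMPLE_CA` is a constructed placeholder, not a real certificate, and the extractor handles only this one literal-scalar shape.

```python
import base64
import re

# Constructed sample, not a real certificate: PEM framing around arbitrary base64 text.
_B64 = base64.b64encode(b"constructed DER bytes, not a real cert " * 4).decode()
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\n"
             + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
             + "\n-----END CERTIFICATE-----\n")


def indent_pem(pem: str, width: int = 8) -> str:
    """What the sed 's/^/        /g' task does: prefix every PEM line with `width` spaces."""
    return "".join(" " * width + line + "\n" for line in pem.splitlines())


def render_tls_ca_cert(ca_pem: str, parent_indent: int = 6, indicator: int = 2) -> str:
    """Render `tlsCACert: |2` at the key's indent, then the cert at parent_indent + indicator (8)."""
    return " " * parent_indent + f"tlsCACert: |{indicator}\n" + indent_pem(ca_pem, parent_indent + indicator)


def extract_block_scalar(fragment: str, key: str) -> str:
    """Minimal stdlib reader for one `key: |N` literal block scalar (not a YAML parser):
    N is the indentation indicator, so content lines carry parent indent + N spaces."""
    lines = fragment.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"( *)" + re.escape(key) + r": \|(\d)\s*$", line)
        if m is None:
            continue
        parent_indent = len(m.group(1))
        content_indent = parent_indent + int(m.group(2))
        out = []
        for body in lines[i + 1:]:
            actual = len(body) - len(body.lstrip(" "))
            if body.strip() and actual <= parent_indent:
                break  # a sibling key at the parent's level ends the scalar
            if body.strip() and actual < content_indent:
                raise ValueError(f"under-indented block scalar line: {body.strip()!r}")
            out.append(body[content_indent:])  # anything beyond content_indent stays as content
        return "\n".join(out) + "\n"
    raise KeyError(key)


def looks_like_pem_cert(pem: str) -> bool:
    """PEM framing, no leftover indentation (indicator and sed width disagree), valid base64."""
    lines = pem.splitlines()
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----" or any(l != l.strip() for l in lines)):
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False
    return True
```

Run `looks_like_pem_cert(extract_block_scalar(render_tls_ca_cert(SAMPLE_CA), "tlsCACert"))` against your own rendered datasource file: an unindented or over-indented cert under `|2` fails the check before Grafana ever loads it.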