Description
Currently, the cos-lite (or COS 2/stable) Terraform module establishes relations between Traefik and all backend components, including Mimir, Loki, and Prometheus. This results in all these components being ingressed and potentially exposed to the internet/external network.
While these components provide their own UIs, the maturity of the Grafana UI has made the individual component UIs largely redundant for standard administrative tasks. To improve security and simplify the deployment architecture, we should consider removing the Traefik relations for these backend components and only keep Grafana ingressed by default.
Rationale
- Reduced Attack Surface: Only exposing the visualization layer (Grafana) limits the entry points available to an attacker; the backend APIs (query and push endpoints of Prometheus, Loki and Mimir) stop being reachable from outside the model.
- Improved OIDC Workflow: Managing OIDC and authentication at the ingress level is significantly simpler when only one endpoint (Grafana) needs to be exposed and secured; furthermore, the necessary relations already exist in the charm, and the Grafana UI can handle OIDC via manual configuration too.
- UI Consolidation: As noted in internal discussions, Grafana now provides a comprehensive interface that supersedes the need for direct access to the Prometheus or Loki UIs for most users.
- Cleaner Architecture: Reduces the number of public-facing endpoints and simplifies the Traefik configuration.
Proposed Changes
- Modify the Terraform module to remove the Traefik relation for:
  - Prometheus
  - Loki
  - Mimir
  - Any other backend components currently being ingressed here
- Ensure Grafana remains related to Traefik as the primary entry point.
- Optional: Consider adding a boolean flag (e.g., enable_backend_ingress) for users who specifically require direct access to component UIs for debugging purposes; the default should be false so that an operator has to opt in to exposing the backends.
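The following is an added sketch (not the cos-lite module's own code) of how the flag-gated approach in the last bullet could look. It uses the juju_integration resource from the Juju Terraform provider; the variable names (var.model, var.traefik_app_name, var.grafana_app_name and the backend application names) and the relation endpoint names are assumptions that must be checked against the module and the charms' metadata before use.

```terraform
# Opt-in switch for ingressing the backend components. Off by default so that
# Grafana is the only application reachable through Traefik.
variable "enable_backend_ingress" {
  description = "Relate Prometheus, Loki and Mimir to Traefik (debugging only)."
  type        = bool
  default     = false
}

# Assumed inputs; the real module will name these differently.
variable "model" { type = string }
variable "traefik_app_name" { type = string }
variable "grafana_app_name" { type = string }
variable "prometheus_app_name" { type = string }
variable "loki_app_name" { type = string }
variable "mimir_app_name" { type = string }

# Grafana is always ingressed: it is the single public entry point.
resource "juju_integration" "grafana_ingress" {
  model = var.model

  application {
    name     = var.grafana_app_name
    endpoint = "ingress" # assumed endpoint name, verify in grafana-k8s metadata
  }

  application {
    name     = var.traefik_app_name
    endpoint = "traefik-route" # assumed endpoint name, verify in traefik-k8s metadata
  }
}

# Backend applications and the endpoints they would use on each side.
# Endpoint names are assumptions; check the charms' metadata.
locals {
  backend_ingress = {
    prometheus = { name = var.prometheus_app_name, endpoint = "ingress", traefik_endpoint = "ingress-per-unit" }
    loki       = { name = var.loki_app_name, endpoint = "ingress", traefik_endpoint = "ingress-per-unit" }
    mimir      = { name = var.mimir_app_name, endpoint = "ingress", traefik_endpoint = "ingress" }
  }
}

# Only create the backend relations when the operator explicitly opts in.
# Filtering the map with `if` keeps for_each keys known at plan time and
# avoids a type-mismatch between a populated object and an empty one.
resource "juju_integration" "backend_ingress" {
  for_each = { for k, v in local.backend_ingress : k => v if var.enable_backend_ingress }

  model = var.model

  application {
    name     = each.value.name
    endpoint = each.value.endpoint
  }

  application {
    name     = var.traefik_app_name
    endpoint = each.value.traefik_endpoint
  }
}
```

With the default of false, terraform plan shows no juju_integration.backend_ingress resources at all; flipping the flag to true adds the three relations and, just as importantly, a later flip back to false destroys them, so a debugging session does not leave the backends permanently exposed.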