
Add new grafana playbook.

This patch introduces a new playbook and roles to deploy Grafana automatically
using openshift-ansible capabilities.

This patch abstracts the Grafana deployment process, specifically for OpenShift.
Eldad Marciano 7 years ago
parent
commit
8fcf4b127a

+ 12 - 0
inventory/hosts.grafana.example

@@ -0,0 +1,12 @@
+[OSEv3:children]
+masters
+nodes
+
+[OSEv3:vars]
+# Grafana Configuration
+#gf_datasource_name="example"
+#gf_prometheus_namespace="openshift-metrics"
+#gf_oauth=true
+
+[masters]
+master

+ 4 - 0
playbooks/openshift-grafana/config.yml

@@ -0,0 +1,4 @@
+---
+- import_playbook: ../init/main.yml
+
+- import_playbook: private/config.yml

+ 6 - 0
playbooks/openshift-grafana/private/config.yml

@@ -0,0 +1,6 @@
+---
+- name: Deploy grafana server
+  hosts: masters
+  tasks:
+  - include_role:
+      name: openshift_grafana
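Review bot: `hosts: masters` runs the whole role on every master, so each one creates the namespace, processes the template and POSTs the datasource and dashboard again, and with `gf_oauth` set each one also rewrites the htpasswd file and restarts its own API; the role's tasks are cluster-wide API calls that only need one host. I'd target the first master, `hosts: oo_first_master`, which the init playbooks imported by the public `config.yml` define. A one-line comment above the play, `# cluster-level API calls only; run on a single master`, would keep the next person from widening it again.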

+ 1 - 0
playbooks/openshift-grafana/private/filter_plugins

@@ -0,0 +1 @@
+../../../filter_plugins

+ 1 - 0
playbooks/openshift-grafana/private/lookup_plugins

@@ -0,0 +1 @@
+../../../lookup_plugins

+ 1 - 0
playbooks/openshift-grafana/private/roles

@@ -0,0 +1 @@
+../../../roles/

+ 12 - 0
roles/openshift_grafana/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+gf_body_tmp:
+  name: grafana_name
+  type: prometheus
+  typeLogoUrl: ''
+  access: proxy
+  url: prometheus_url
+  basicAuth: false
+  withCredentials: false
+  jsonData:
+    tlsSkipVerify: true
+    token: satoken
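Review bot: `tlsSkipVerify: true` in `gf_body_tmp` turns off certificate verification for the Prometheus datasource, so the service-account bearer token substituted for `satoken` is sent to whatever answers at the datasource URL, which tasks/main.yml builds as `https://`; nothing on the page explains why verification must be off, so I'd make it overridable, `tlsSkipVerify: "{{ gf_datasource_tls_skip_verify | default(false) }}"` (a new variable), and document the trade-off in a comment above the key. `gf_prometheus_namespace`, `gf_datasource_name` and `gf_oauth` are read by tasks/main.yml but have no default here, while the example inventory ships them commented out, so a run with the sample inventory stops on an undefined variable; at least `gf_oauth: false` belongs in this file. The placeholder values `grafana_name`, `prometheus_url` and `satoken` are rewritten by `regex_replace` in tasks/main.yml, which is worth a comment here, `# placeholder values, replaced by regex_replace in tasks/main.yml`, since they look like real settings.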

+ 661 - 0
roles/openshift_grafana/files/grafana-ocp-oauth.yml

@@ -0,0 +1,661 @@
+---
+kind: Template
+apiVersion: v1
+metadata:
+  name: grafana-ocp
+  annotations:
+    "openshift.io/display-name": Grafana ocp
+    description: |
+      Grafana server with patched Prometheus datasource.
+    iconClass: icon-cogs
+    tags: "metrics,monitoring,grafana,prometheus"
+parameters:
+- description: The location of the proxy image
+  name: IMAGE_GF
+  value: mrsiano/grafana-ocp:latest
+- description: The location of the proxy image
+  name: IMAGE_PROXY
+  value: openshift/oauth-proxy:v1.0.0
+- description: External URL for the grafana route
+  name: ROUTE_URL
+  value: ""
+- description: The namespace to instantiate heapster under. Defaults to 'grafana'.
+  name: NAMESPACE
+  value: grafana
+- description: The session secret for the proxy
+  name: SESSION_SECRET
+  generate: expression
+  from: "[a-zA-Z0-9]{43}"
+objects:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+    annotations:
+      serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana-ocp"}}'
+- apiVersion: authorization.openshift.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: gf-cluster-reader
+  roleRef:
+    name: cluster-reader
+  subjects:
+  - kind: ServiceAccount
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+- apiVersion: route.openshift.io/v1
+  kind: Route
+  metadata:
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+  spec:
+    host: "${ROUTE_URL}"
+    to:
+      name: grafana-ocp
+    tls:
+      termination: Reencrypt
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: grafana-ocp
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/scheme: https
+      service.alpha.openshift.io/serving-cert-secret-name: gf-tls
+    namespace: "${NAMESPACE}"
+    labels:
+      metrics-infra: grafana-ocp
+      name: grafana-ocp
+  spec:
+    ports:
+    - name: grafana-ocp
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+    selector:
+      app: grafana-ocp
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: gf-proxy
+    namespace: "${NAMESPACE}"
+  stringData:
+    session_secret: "${SESSION_SECRET}="
+# Deploy Prometheus behind an oauth proxy
+- apiVersion: extensions/v1beta1
+  kind: Deployment
+  metadata:
+    labels:
+      app: grafana-ocp
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: grafana-ocp
+    template:
+      metadata:
+        labels:
+          app: grafana-ocp
+        name: grafana-ocp-app
+      spec:
+        serviceAccountName: grafana-ocp
+        containers:
+        - name: oauth-proxy
+          image: ${IMAGE_PROXY}
+          imagePullPolicy: IfNotPresent
+          ports:
+          - containerPort: 8443
+            name: web
+          args:
+          - -https-address=:8443
+          - -http-address=
+          - -email-domain=*
+          - -client-id=system:serviceaccount:${NAMESPACE}:grafana-ocp
+          - -upstream=http://localhost:3000
+          - -provider=openshift
+#          - '-openshift-delegate-urls={"/api/datasources": {"resource": "namespace", "verb": "get", "resourceName": "grafana-ocp", "namespace": "${NAMESPACE}"}}'
+          - '-openshift-sar={"namespace": "${NAMESPACE}", "verb": "list", "resource": "services"}'
+          - -tls-cert=/etc/tls/private/tls.crt
+          - -tls-key=/etc/tls/private/tls.key
+          - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+          - -cookie-secret-file=/etc/proxy/secrets/session_secret
+          - -skip-auth-regex=^/metrics,/api/datasources,/api/dashboards
+          volumeMounts:
+          - mountPath: /etc/tls/private
+            name: gf-tls
+          - mountPath: /etc/proxy/secrets
+            name: secrets
+
+        - name: grafana-ocp
+          image: ${IMAGE_GF}
+          ports:
+          - name: grafana-http
+            containerPort: 3000
+          volumeMounts:
+          - mountPath: "/root/go/src/github.com/grafana/grafana/data"
+            name: gf-data
+          - mountPath: "/root/go/src/github.com/grafana/grafana/conf"
+            name: gfconfig
+          - mountPath: /etc/tls/private
+            name: gf-tls
+          - mountPath: /etc/proxy/secrets
+            name: secrets
+          command:
+           - "./bin/grafana-server"
+
+        volumes:
+        - name: gfconfig
+          configMap:
+            name: gf-config
+        - name: secrets
+          secret:
+            secretName: gf-proxy
+        - name: gf-tls
+          secret:
+            secretName: gf-tls
+        - emptyDir: {}
+          name: gf-data
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: gf-config
+    namespace: "${NAMESPACE}"
+  data:
+    defaults.ini: |-
+      ##################### Grafana Configuration Defaults #####################
+      #
+      # Do not modify this file in grafana installs
+      #
+
+      # possible values : production, development
+      app_mode = production
+
+      # instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+      instance_name = ${HOSTNAME}
+
+      #################################### Paths ###############################
+      [paths]
+      # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+      #
+      data = data
+      #
+      # Directory where grafana can store logs
+      #
+      logs = data/log
+      #
+      # Directory where grafana will automatically scan and look for plugins
+      #
+      plugins = data/plugins
+
+      #################################### Server ##############################
+      [server]
+      # Protocol (http, https, socket)
+      protocol = http
+
+      # The ip address to bind to, empty will bind to all interfaces
+      http_addr =
+
+      # The http port  to use
+      http_port = 3000
+
+      # The public facing domain name used to access grafana from a browser
+      domain = localhost
+
+      # Redirect to correct domain if host header does not match domain
+      # Prevents DNS rebinding attacks
+      enforce_domain = false
+
+      # The full public facing url
+      root_url = %(protocol)s://%(domain)s:%(http_port)s/
+
+      # Log web requests
+      router_logging = false
+
+      # the path relative working path
+      static_root_path = public
+
+      # enable gzip
+      enable_gzip = false
+
+      # https certs & key file
+      cert_file = /etc/tls/private/tls.crt
+      cert_key = /etc/tls/private/tls.key
+
+      # Unix socket path
+      socket = /tmp/grafana.sock
+
+      #################################### Database ############################
+      [database]
+      # You can configure the database connection by specifying type, host, name, user and password
+      # as separate properties or as on string using the url property.
+
+      # Either "mysql", "postgres" or "sqlite3", it's your choice
+      type = sqlite3
+      host = 127.0.0.1:3306
+      name = grafana
+      user = root
+      # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+      password =
+      # Use either URL or the previous fields to configure the database
+      # Example: mysql://user:secret@host:port/database
+      url =
+
+      # Max idle conn setting default is 2
+      max_idle_conn = 2
+
+      # Max conn setting default is 0 (mean not set)
+      max_open_conn =
+
+      # For "postgres", use either "disable", "require" or "verify-full"
+      # For "mysql", use either "true", "false", or "skip-verify".
+      ssl_mode = disable
+
+      ca_cert_path =
+      client_key_path =
+      client_cert_path =
+      server_cert_name =
+
+      # For "sqlite3" only, path relative to data_path setting
+      path = grafana.db
+
+      #################################### Session #############################
+      [session]
+      # Either "memory", "file", "redis", "mysql", "postgres", "memcache", default is "file"
+      provider = file
+
+      # Provider config options
+      # memory: not have any config yet
+      # file: session dir path, is relative to grafana data_path
+      # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
+      # postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
+      # mysql: go-sql-driver/mysql dsn config string, examples:
+      #         `user:password@tcp(127.0.0.1:3306)/database_name`
+      #         `user:password@unix(/var/run/mysqld/mysqld.sock)/database_name`
+      # memcache: 127.0.0.1:11211
+
+
+      provider_config = sessions
+
+      # Session cookie name
+      cookie_name = grafana_sess
+
+      # If you use session in https only, default is false
+      cookie_secure = false
+
+      # Session life time, default is 86400
+      session_life_time = 86400
+      gc_interval_time = 86400
+
+      #################################### Data proxy ###########################
+      [dataproxy]
+
+      # This enables data proxy logging, default is false
+      logging = false
+
+      #################################### Analytics ###########################
+      [analytics]
+      # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+      # No ip addresses are being tracked, only simple counters to track
+      # running instances, dashboard and error counts. It is very helpful to us.
+      # Change this option to false to disable reporting.
+      reporting_enabled = true
+
+      # Set to false to disable all checks to https://grafana.com
+      # for new versions (grafana itself and plugins), check is used
+      # in some UI views to notify that grafana or plugin update exists
+      # This option does not cause any auto updates, nor send any information
+      # only a GET request to https://grafana.com to get latest versions
+      check_for_updates = true
+
+      # Google Analytics universal tracking code, only enabled if you specify an id here
+      google_analytics_ua_id =
+
+      # Google Tag Manager ID, only enabled if you specify an id here
+      google_tag_manager_id =
+
+      #################################### Security ############################
+      [security]
+      # default admin user, created on startup
+      admin_user = admin
+
+      # default admin password, can be changed before first start of grafana,  or in profile settings
+      admin_password = admin
+
+      # used for signing
+      secret_key = SW2YcwTIb9zpOOhoPsMm
+
+      # Auto-login remember days
+      login_remember_days = 7
+      cookie_username = grafana_user
+      cookie_remember_name = grafana_remember
+
+      # disable gravatar profile images
+      disable_gravatar = false
+
+      # data source proxy whitelist (ip_or_domain:port separated by spaces)
+      data_source_proxy_whitelist =
+
+      [snapshots]
+      # snapshot sharing options
+      external_enabled = true
+      external_snapshot_url = https://snapshots-origin.raintank.io
+      external_snapshot_name = Publish to snapshot.raintank.io
+
+      # remove expired snapshot
+      snapshot_remove_expired = true
+
+      # remove snapshots after 90 days
+      snapshot_TTL_days = 90
+
+      #################################### Users ####################################
+      [users]
+      # disable user signup / registration
+      allow_sign_up = true
+
+      # Allow non admin users to create organizations
+      allow_org_create = true
+
+      # Set to true to automatically assign new users to the default organization (id 1)
+      auto_assign_org = true
+
+      # Default role new users will be automatically assigned (if auto_assign_org above is set to true)
+      auto_assign_org_role = Admin
+
+      # Require email validation before sign up completes
+      verify_email_enabled = false
+
+      # Background text for the user field on the login page
+      login_hint = email or username
+
+      # Default UI theme ("dark" or "light")
+      default_theme = dark
+
+      # External user management
+      external_manage_link_url =
+      external_manage_link_name =
+      external_manage_info =
+
+      [auth]
+      # Set to true to disable (hide) the login form, useful if you use OAuth
+      disable_login_form = true
+
+      # Set to true to disable the signout link in the side menu. useful if you use auth.proxy
+      disable_signout_menu = true
+
+      #################################### Anonymous Auth ######################
+      [auth.anonymous]
+      # enable anonymous access
+      enabled = true
+
+      # specify organization name that should be used for unauthenticated users
+      org_name = Main Org.
+
+      # specify role for unauthenticated users
+      org_role = Admin
+
+      #################################### Github Auth #########################
+      [auth.github]
+      enabled = false
+      allow_sign_up = true
+      client_id = some_id
+      client_secret = some_secret
+      scopes = user:email
+      auth_url = https://github.com/login/oauth/authorize
+      token_url = https://github.com/login/oauth/access_token
+      api_url = https://api.github.com/user
+      team_ids =
+      allowed_organizations =
+
+      #################################### Google Auth #########################
+      [auth.google]
+      enabled = false
+      allow_sign_up = true
+      client_id = some_client_id
+      client_secret = some_client_secret
+      scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+      auth_url = https://accounts.google.com/o/oauth2/auth
+      token_url = https://accounts.google.com/o/oauth2/token
+      api_url = https://www.googleapis.com/oauth2/v1/userinfo
+      allowed_domains =
+      hosted_domain =
+
+      #################################### Grafana.com Auth ####################
+      # legacy key names (so they work in env variables)
+      [auth.grafananet]
+      enabled = false
+      allow_sign_up = true
+      client_id = some_id
+      client_secret = some_secret
+      scopes = user:email
+      allowed_organizations =
+
+      [auth.grafana_com]
+      enabled = false
+      allow_sign_up = true
+      client_id = some_id
+      client_secret = some_secret
+      scopes = user:email
+      allowed_organizations =
+
+      #################################### Generic OAuth #######################
+      [auth.generic_oauth]
+      name = OAuth
+      enabled = false
+      allow_sign_up = true
+      client_id = some_id
+      client_secret = some_secret
+      scopes = user:email
+      auth_url =
+      token_url =
+      api_url =
+      team_ids =
+      allowed_organizations =
+
+      #################################### Basic Auth ##########################
+      [auth.basic]
+      enabled = false
+
+      #################################### Auth Proxy ##########################
+      [auth.proxy]
+      enabled = true
+      header_name = X-WEBAUTH-USER
+      header_property = username
+      auto_sign_up = true
+      ldap_sync_ttl = 60
+      whitelist =
+
+      #################################### Auth LDAP ###########################
+      [auth.ldap]
+      enabled = false
+      config_file = /etc/grafana/ldap.toml
+      allow_sign_up = true
+
+      #################################### SMTP / Emailing #####################
+      [smtp]
+      enabled = false
+      host = localhost:25
+      user =
+      # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+      password =
+      cert_file =
+      key_file =
+      skip_verify = false
+      from_address = admin@grafana.localhost
+      from_name = Grafana
+      ehlo_identity =
+
+      [emails]
+      welcome_email_on_sign_up = false
+      templates_pattern = emails/*.html
+
+      #################################### Logging ##########################
+      [log]
+      # Either "console", "file", "syslog". Default is console and  file
+      # Use space to separate multiple modes, e.g. "console file"
+      mode = console file
+
+      # Either "debug", "info", "warn", "error", "critical", default is "info"
+      level = error
+
+      # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+      filters =
+
+      # For "console" mode only
+      [log.console]
+      level =
+
+      # log line format, valid options are text, console and json
+      format = console
+
+      # For "file" mode only
+      [log.file]
+      level =
+
+      # log line format, valid options are text, console and json
+      format = text
+
+      # This enables automated log rotate(switch of following options), default is true
+      log_rotate = true
+
+      # Max line number of single file, default is 1000000
+      max_lines = 1000000
+
+      # Max size shift of single file, default is 28 means 1 << 28, 256MB
+      max_size_shift = 28
+
+      # Segment log daily, default is true
+      daily_rotate = true
+
+      # Expired days of log file(delete after max days), default is 7
+      max_days = 7
+
+      [log.syslog]
+      level =
+
+      # log line format, valid options are text, console and json
+      format = text
+
+      # Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+      network =
+      address =
+
+      # Syslog facility. user, daemon and local0 through local7 are valid.
+      facility =
+
+      # Syslog tag. By default, the process' argv[0] is used.
+      tag =
+
+
+      #################################### AMQP Event Publisher ################
+      [event_publisher]
+      enabled = false
+      rabbitmq_url = amqp://localhost/
+      exchange = grafana_events
+
+      #################################### Dashboard JSON files ################
+      [dashboards.json]
+      enabled = false
+      path = /var/lib/grafana/dashboards
+
+      #################################### Usage Quotas ########################
+      [quota]
+      enabled = false
+
+      #### set quotas to -1 to make unlimited. ####
+      # limit number of users per Org.
+      org_user = 10
+
+      # limit number of dashboards per Org.
+      org_dashboard = 100
+
+      # limit number of data_sources per Org.
+      org_data_source = 10
+
+      # limit number of api_keys per Org.
+      org_api_key = 10
+
+      # limit number of orgs a user can create.
+      user_org = 10
+
+      # Global limit of users.
+      global_user = -1
+
+      # global limit of orgs.
+      global_org = -1
+
+      # global limit of dashboards
+      global_dashboard = -1
+
+      # global limit of api_keys
+      global_api_key = -1
+
+      # global limit on number of logged in users.
+      global_session = -1
+
+      #################################### Alerting ############################
+      [alerting]
+      # Disable alerting engine & UI features
+      enabled = true
+      # Makes it possible to turn off alert rule execution but alerting UI is visible
+      execute_alerts = true
+
+      #################################### Internal Grafana Metrics ############
+      # Metrics available at HTTP API Url /api/metrics
+      [metrics]
+      enabled           = true
+      interval_seconds  = 10
+
+      # Send internal Grafana metrics to graphite
+      [metrics.graphite]
+      # Enable by setting the address setting (ex localhost:2003)
+      address =
+      prefix = prod.grafana.%(instance_name)s.
+
+      [grafana_net]
+      url = https://grafana.com
+
+      [grafana_com]
+      url = https://grafana.com
+
+      #################################### Distributed tracing ############
+      [tracing.jaeger]
+      # jaeger destination (ex localhost:6831)
+      address =
+      # tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+      always_included_tag =
+      # Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+      sampler_type = const
+      # jaeger samplerconfig param
+      # for "const" sampler, 0 or 1 for always false/true respectively
+      # for "probabilistic" sampler, a probability between 0 and 1
+      # for "rateLimiting" sampler, the number of spans per second
+      # for "remote" sampler, param is the same as for "probabilistic"
+      # and indicates the initial sampling rate before the actual one
+      # is received from the mothership
+      sampler_param = 1
+
+      #################################### External Image Storage ##############
+      [external_image_storage]
+      # You can choose between (s3, webdav, gcs)
+      provider =
+
+      [external_image_storage.s3]
+      bucket_url =
+      bucket =
+      region =
+      path =
+      access_key =
+      secret_key =
+
+      [external_image_storage.webdav]
+      url =
+      username =
+      password =
+      public_url =
+
+      [external_image_storage.gcs]
+      key_file =
+      bucket =
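Review bot: `-skip-auth-regex=^/metrics,/api/datasources,/api/dashboards` in the oauth-proxy args exempts the datasource and dashboard APIs from OpenShift authentication, while the embedded `defaults.ini` sets `[auth.anonymous] enabled = true` with `org_role = Admin`, so as far as I can read it anyone who can reach the route can create or change datasources and dashboards without logging in (the playbook's own admin/admin POSTs appear to be why these paths are exempted). I'd narrow the exemption to `-skip-auth-regex=^/metrics` and lower anonymous users to `org_role = Viewer`, giving the playbook a proper credential for its API calls instead. Separately, `secret_key = SW2YcwTIb9zpOOhoPsMm` and `admin_password = admin` are fixed values in a ConfigMap shared by every installation; the session secret is already produced with `generate: expression`, and the signing key deserves the same treatment, kept in the `gf-proxy` Secret rather than the ConfigMap. The `IMAGE_GF` parameter also reuses the description "The location of the proxy image" from `IMAGE_PROXY`.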

+ 76 - 0
roles/openshift_grafana/files/grafana-ocp.yml

@@ -0,0 +1,76 @@
+---
+kind: Template
+apiVersion: v1
+metadata:
+  name: grafana-ocp
+  annotations:
+    "openshift.io/display-name": Grafana ocp
+    description: |
+      Grafana server with patched Prometheus datasource.
+    iconClass: icon-cogs
+    tags: "metrics,monitoring,grafana,prometheus"
+parameters:
+- description: External URL for the grafana route
+  name: ROUTE_URL
+  value: ""
+- description: The namespace to instantiate heapster under. Defaults to 'grafana'.
+  name: NAMESPACE
+  value: grafana
+objects:
+- apiVersion: route.openshift.io/v1
+  kind: Route
+  metadata:
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+  spec:
+    host: "${ROUTE_URL}"
+    to:
+      name: grafana-ocp
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+    labels:
+      metrics-infra: grafana-ocp
+      name: grafana-ocp
+  spec:
+    selector:
+      name: grafana-ocp
+    ports:
+    - port: 8082
+      protocol: TCP
+      targetPort: grafana-http
+- apiVersion: v1
+  kind: ReplicationController
+  metadata:
+    name: grafana-ocp
+    namespace: "${NAMESPACE}"
+    labels:
+      metrics-infra: grafana-ocp
+      name: grafana-ocp
+  spec:
+    selector:
+      name: grafana-ocp
+    replicas: 1
+    template:
+      version: v1
+      metadata:
+        labels:
+          metrics-infra: grafana-ocp
+          name: grafana-ocp
+      spec:
+        volumes:
+        - name: data
+          emptyDir: {}
+        containers:
+        - image: "mrsiano/grafana-ocp:latest"
+          name: grafana-ocp
+          ports:
+          - name: grafana-http
+            containerPort: 3000
+          volumeMounts:
+          - name: data
+            mountPath: "/root/go/src/github.com/grafana/grafana/data"
+          command:
+          - "./bin/grafana-server"
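Review bot: the Route in this non-oauth template has no `tls:` stanza, and tasks/main.yml picks `http` for exactly this case, so the datasource POST carrying the Prometheus service-account token and the admin credentials travels to the router in clear text; `tls: termination: edge` under `spec:` (with the playbook's protocol switch adjusted to match) would keep the token off the wire. The `NAMESPACE` parameter's description still reads "The namespace to instantiate heapster under", copied from another template. The image is also hard-coded as `mrsiano/grafana-ocp:latest` here while the oauth variant exposes it as `IMAGE_GF`; the same parameter would let both templates be pinned to one version instead of a floating tag.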

File diff suppressed because it is too large
+ 5138 - 0
roles/openshift_grafana/files/openshift-cluster-monitoring.json


+ 13 - 0
roles/openshift_grafana/meta/main.yml

@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: Eldad Marciano
+  description: Setup grafana pod
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.3
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - metrics

+ 12 - 0
roles/openshift_grafana/tasks/gf-permissions.yml

@@ -0,0 +1,12 @@
+---
+- name: Create gf user on htpasswd
+  command: htpasswd -c /etc/origin/master/htpasswd gfadmin
+
+- name: Make sure master config use HTPasswdPasswordIdentityProvider
+  command: "sed -ie 's|AllowAllPasswordIdentityProvider|HTPasswdPasswordIdentityProvider\n      file: /etc/origin/master/htpasswd|' /etc/origin/master/master-config.yaml"
+
+- name: Grant permission for gfuser
+  command: oc adm policy add-cluster-role-to-user cluster-reader gfadmin
+
+- name: Restart mater api
+  command: systemctl restart atomic-openshift-master-api.service
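Review bot: `htpasswd -c /etc/origin/master/htpasswd gfadmin` recreates the file, which wipes every identity already in it, and without `-b` it prompts for a password on stdin, so under Ansible the task hangs or fails; something like `command: htpasswd -b /etc/origin/master/htpasswd gfadmin "{{ gf_admin_password }}"` with `no_log: true` (a new variable, never a literal in the file) is the minimum. The `sed -ie` invocation is `-i` with the backup suffix `e`, so it leaves `master-config.yamle` behind, and because it only matches the literal `AllowAllPasswordIdentityProvider` it silently does nothing on a cluster that already uses another provider, so no error surfaces when the identity provider is not what the role expects. The restart on the last line runs unconditionally on every play and hard-codes the enterprise unit name `atomic-openshift-master-api.service`, so this file is neither idempotent nor portable; at least `changed_when` on the sed task and a handler for the restart would limit it to runs that actually modified the config.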

+ 122 - 0
roles/openshift_grafana/tasks/main.yml

@@ -0,0 +1,122 @@
+---
+- name: Create grafana namespace
+  oc_project:
+    state: present
+    name: grafana
+
+- name: Configure Grafana Permissions
+  include_tasks: tasks/gf-permissions.yml
+  when: gf_oauth | default(false) | bool == true
+
+# TODO: we should grab this yaml file from openshift/origin
+- name: Templatize grafana yaml
+  template: src=grafana-ocp.yaml dest=/tmp/grafana-ocp.yaml
+  register:
+    cl_file: /tmp/grafana-ocp.yaml
+  when: gf_oauth | default(false) | bool == false
+
+# TODO: we should grab this yaml file from openshift/origin
+- name: Templatize grafana yaml
+  template: src=grafana-ocp-oauth.yaml dest=/tmp/grafana-ocp-oauth.yaml
+  register:
+    cl_file: /tmp/grafana-ocp-oauth.yaml
+  when: gf_oauth | default(false) | bool == true
+
+- name: Process the grafana file
+  oc_process:
+    namespace: grafana
+    template_name: "{{ cl_file }}"
+    create: True
+    when: gf_oauth | default(false) | bool == true
+
+- name: Wait to grafana be running
+  command: oc rollout status deployment/grafana-ocp
+
+- name: oc adm policy add-role-to-user view -z grafana-ocp -n {{ gf_prometheus_namespace }}
+  oc_adm_policy_user:
+    user: grafana-ocp
+    resource_kind: cluster-role
+    resource_name: view
+    state: present
+    role_namespace: "{{ gf_prometheus_namespace }}"
+
+- name: Get grafana route
+  oc_obj:
+    kind: route
+    name: grafana
+    namespace: grafana
+  register: route
+
+- name: Get prometheus route
+  oc_obj:
+    kind: route
+    name: prometheus
+    namespace: "{{ gf_prometheus_namespace }}"
+  register: route
+
+- name: Get the prometheus SA
+  oc_serviceaccount_secret:
+    state: list
+    service_account: prometheus
+    namespace: "{{ gf_prometheus_namespace }}"
+  register: sa
+
+- name: Get the management SA bearer token
+  set_fact:
+    management_token: "{{ sa.results | oo_filter_sa_secrets }}"
+
+- name: Ensure the SA bearer token value is read
+  oc_secret:
+    state: list
+    name: "{{ management_token }}"
+    namespace: "{{ gf_prometheus_namespace }}"
+  no_log: True
+  register: sa_secret
+
+- name: Get the SA bearer token for prometheus
+  set_fact:
+    token: "{{ sa_secret.results.encoded.token }}"
+
+- name: Convert to json
+  var:
+    ds_json: "{{ gf_body_tmp }} | to_json }}"
+
+- name: Set protocol type
+  var:
+    protocol: "{{ 'https' if {{ gf_oauth }} == true else 'http' }}"
+
+- name: Add gf datasrouce
+  uri:
+    url: "{{ protocol }}://{{ route }}/api/datasources"
+    user: admin
+    password: admin
+    method: POST
+    body: "{{ ds_json | regex_replace('grafana_name', {{ gf_datasource_name }}) | regex_replace('prometheus_url', 'https://'{{ prometheus }} ) | regex_replace('satoken', {{ token }}) }}"
+    headers:
+      Content-Type: "Content-Type: application/json"
+  register: add_ds
+
+- name: Regex setup ds name
+  replace:
+    path: "{{ lookup('file', 'openshift-cluster-monitoring.json') }}"
+    regexp: '${DS_PR}'
+    replace: '{{ gf_datasource_name }}'
+    backup: yes
+
+- name: Add new dashboard
+  uri:
+    url: "{{ protocol }}://{{ route }}/api/dashboards/db"
+    user: admin
+    password: admin
+    method: POST
+    body: "{{ lookup('file', 'openshift-cluster-monitoring.json') }}"
+    headers:
+      Content-Type: "Content-Type: application/json"
+  register: add_ds
+
+- name: Regex json tear down
+  replace:
+    path: "{{ lookup('file', 'openshift-cluster-monitoring.json') }}"
+    regexp: '${DS_PR}'
+    replace: '{{ gf_datasource_name }}'
+    backup: yes
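Review bot: `register:` on the two Templatize tasks is given a mapping rather than a variable name, so `cl_file` is never defined and the `oc_process` task fails on `{{ cl_file }}`; in the same vein `var:` is not a module (both "Convert to json" and "Set protocol type" need `set_fact`), the nested `{{ }}` in the protocol and `body:` expressions are not valid Jinja, and the `when:` under `oc_process` is indented as a module argument, so it is passed to the module instead of being evaluated. Both `oc_obj` lookups use `register: route`, so the Grafana result is overwritten by the Prometheus one and `{{ route }}` (a result dict, not a hostname) is interpolated into the URL, while the templates name the route `grafana-ocp`, not `grafana`. The `uri` tasks hard-code `user: admin` / `password: admin`, the defaults the template ships, and `Content-Type: "Content-Type: application/json"` repeats the header name in its value; `body_format: json` plus a credential variable under `no_log: true` would be the fix. The two `replace` tasks pass file contents from `lookup('file', …)` as `path:`, and `regexp: '${DS_PR}'` anchors on `$` so it cannot match the literal placeholder; applying `regex_replace('\$\{DS_PR\}', gf_datasource_name)` to the lookup result inside the dashboard POST body avoids editing the role's own file at all. The rewritten fact-setting tasks below show the intended shape (the oauth Templatize task mirrors the first one).
```yaml
- name: Templatize grafana yaml
  template: src=grafana-ocp.yaml dest=/tmp/grafana-ocp.yaml
  when: gf_oauth | default(false) | bool == false

- name: Record the rendered template path
  set_fact:
    cl_file: "{{ '/tmp/grafana-ocp-oauth.yaml' if gf_oauth | default(false) | bool else '/tmp/grafana-ocp.yaml' }}"

# … unchanged: oc_process, rollout wait, policy, route and SA lookups …

- name: Convert to json
  set_fact:
    ds_json: "{{ gf_body_tmp | to_json }}"

- name: Set protocol type
  set_fact:
    protocol: "{{ 'https' if gf_oauth | default(false) | bool else 'http' }}"
```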