From 3b575060a5ee83de72ae0e68b0a236819ed0ad12 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Thu, 17 Aug 2023 15:34:04 -0500 Subject: [PATCH] Complete Grafana Task with authpolicy instructions (#1628) Closes linkerd/linkerd2#10891 As of 2.13 the access to linkerd-viz' Prometheus instance is locked via an AuthorizationPolicy. This change adds instructions on how to also grant access to Grafana. --- linkerd.io/content/2-edge/tasks/grafana.md | 9 +++++++++ linkerd.io/content/2.13/tasks/grafana.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/linkerd.io/content/2-edge/tasks/grafana.md b/linkerd.io/content/2-edge/tasks/grafana.md index f5fb6a0954..b2f734e0eb 100644 --- a/linkerd.io/content/2-edge/tasks/grafana.md +++ b/linkerd.io/content/2-edge/tasks/grafana.md @@ -36,6 +36,15 @@ datasource Linkerd Viz' Prometheus instance, sets up a reverse proxy (more on that later), and pre-loads all the Linkerd Grafana dashboards that are published on . +{{< note >}} +The access to Linkerd Viz' Prometheus instance is restricted through the +`prometheus-admin` AuthorizationPolicy, granting access only to the +`metrics-api` ServiceAccount. In order to also grant access to Grafana, you need +to add an AuthorizationPolicy pointing to its ServiceAccount. You can apply +[authzpolicy-grafana.yaml](https://github.com/linkerd/linkerd2/blob/release/stable-2.13/grafana/authzpolicy-grafana.yaml) +which grants permission for the `grafana` ServiceAccount. +{{< /note >}} + A more complex and production-oriented source is the [Grafana Operator](https://github.com/grafana-operator/grafana-operator). And there are also hosted solutions such as [Grafana diff --git a/linkerd.io/content/2.13/tasks/grafana.md b/linkerd.io/content/2.13/tasks/grafana.md index f5fb6a0954..b2f734e0eb 100644 --- a/linkerd.io/content/2.13/tasks/grafana.md +++ b/linkerd.io/content/2.13/tasks/grafana.md 
@@ -36,6 +36,15 @@ datasource Linkerd Viz' Prometheus instance, sets up a reverse proxy (more on that later), and pre-loads all the Linkerd Grafana dashboards that are published on . +{{< note >}} +The access to Linkerd Viz' Prometheus instance is restricted through the +`prometheus-admin` AuthorizationPolicy, granting access only to the +`metrics-api` ServiceAccount. In order to also grant access to Grafana, you need +to add an AuthorizationPolicy pointing to its ServiceAccount. You can apply +[authzpolicy-grafana.yaml](https://github.com/linkerd/linkerd2/blob/release/stable-2.13/grafana/authzpolicy-grafana.yaml) +which grants permission for the `grafana` ServiceAccount. +{{< /note >}} + A more complex and production-oriented source is the [Grafana Operator](https://github.com/grafana-operator/grafana-operator). And there are also hosted solutions such as [Grafana
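Review bot: In the `2-edge/tasks/grafana.md` hunk, the added link is pinned to `release/stable-2.13`, so the edge docs will keep pointing at the 2.13 copy of `authzpolicy-grafana.yaml` even after the policy resources change on edge. Suggest linking to the ref that tracks edge for this file, if the manifest exists there, and keeping the `release/stable-2.13` link only in the `2.13` copy of the page.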
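Review bot: In the `2.13/tasks/grafana.md` hunk, "You can apply [authzpolicy-grafana.yaml](...)" links to the GitHub `blob/` page, which serves HTML, so a reader who passes that URL to `kubectl apply -f` will get an error instead of the policy. Suggest giving the raw file URL or the exact command to run. The note should also say which namespace the `grafana` ServiceAccount is expected to live in, because ServiceAccounts are namespaced and a Grafana installed under a different name or namespace will not be matched by the policy and will still be denied access to Prometheus.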