feat(nimbus): Grafana proxy view (#15433)

Because

-Grafana is behind Google IAP, which sets session cookies on`
yardstick.mozilla.org.` Browsers block these as third-party cookies when
the dashboard is embedded in an iframe on a different origin, causing it
to fail to load.

This commit

- Adds a server-side GrafanaProxyView that fetches Grafana content via
internal k8s DNS (grafana.grafana-prod.svc.cluster.local:8080),
bypassing IAP entirely
- Rewrites <base href> and appUrl in HTML responses so Grafana's assets
and API calls also route through the proxy
- Adds `GRAFANA_INTERNAL_URL` and `GRAFANA_SERVICE_ACCOUNT_TOKEN`
settings for the internal endpoint and service account auth
- Adds feature_monitoring_proxy_path on NimbusFeatureConfig to extract
the path/query from the monitoring URL
Updates the feature monitoring iframe to use `/nimbus/grafana-proxy/
`instead of the direct Grafana URL

Fixes #15342 
mozilla/webservices-infra#10728

---------

Co-authored-by: Yashika Khurana <yashikakhurana@Yashikas-MBP.home.local>
Co-authored-by: Yashika Khurana <yashikakhurana@Yashikas-MacBook-Pro.local>

Author: 3 people

experimenter/experimenter/nimbus_ui/templates/nimbus_experiments/feature_monitoring.html

@@ -526,6 +526,34 @@ <h5 class="fw-semibold mt-3 d-flex align-items-center">
           </div>
         </div>
       </div>
+      {% if selected_feature_config %}
+        <!-- Feature Monitoring Card -->
+        <div id="feature-monitoring-card"
+             class="card shadow-sm border-0 px-3 pt-3 h-100 rounded-3 bg-primary-subtle mb-4">
+          <div class="d-flex align-items-center justify-content-between mt-3 mb-2">
+            <h5 class="fw-semibold mb-0 d-flex align-items-center">
+              <i class="fa-solid fa-chart-line me-2"></i>
+              Feature Monitoring
+            </h5>
+            <a href="{{ selected_feature_config.feature_monitoring_url }}"
+               target="_blank"
+               rel="noopener noreferrer"
+               class="btn btn-outline-primary btn-sm">
+              <i class="fa-solid fa-arrow-up-right-from-square me-1"></i>
+              Open in Grafana
+            </a>
+          </div>
+          <div class="card shadow-sm border-0 rounded-3 mb-3">
+            <div class="card-body p-0">
+              <iframe src="/nimbus/grafana-proxy/?slug={{ selected_feature_config.slug }}"
+                      width="100%"
+                      height="800"
+                      frameborder="0"
+                      title="Feature Monitoring Dashboard"></iframe>
+            </div>
+          </div>
+        </div>
+      {% endif %}
     </div>
   </div>
 {% endblock %}

experimenter/experimenter/nimbus_ui/templates/nimbus_experiments/features.html

@@ -3,6 +3,7 @@
 import json
 from unittest.mock import patch
 
+import requests
 from django.conf import settings
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import TestCase, override_settings
@@ -5754,6 +5755,73 @@ def test_post_clears_all_tags_when_none_selected(self):
         self.assertEqual(experiment.tags.count(), 0)
 
 
+class TestGrafanaProxyView(AuthTestCase):
+    def _dashboard_url(self, slug):
+        return reverse("nimbus-ui-grafana-proxy") + f"?slug={slug}"
+
+    @patch("experimenter.nimbus_ui.views.requests.get")
+    def test_proxy_returns_grafana_response(self, mock_get):
+        feature = NimbusFeatureConfigFactory.create(
+            slug="my-feature",
+            application=NimbusExperiment.Application.DESKTOP,
+        )
+        mock_get.return_value.status_code = 200
+        mock_get.return_value.headers = {"Content-Type": "text/html; charset=utf-8"}
+        mock_get.return_value.content = b"<html></html>"
+
+        response = self.client.get(self._dashboard_url(feature.slug))
+
+        self.assertEqual(response.status_code, 200)
+        mock_get.assert_called_once()
+        call_url = mock_get.call_args[0][0]
+        self.assertIn("nimbus-feature-monitoring", call_url)
+        call_params = mock_get.call_args[1]["params"]
+        self.assertEqual(call_params["var-feature"], "my-feature")
+        self.assertEqual(call_params["var-application"], "firefox_desktop")
+
+    @patch(
+        "experimenter.nimbus_ui.views.requests.get",
+        side_effect=requests.exceptions.ConnectionError("connection refused"),
+    )
+    def test_proxy_returns_503_when_grafana_unavailable(self, mock_get):
+        feature = NimbusFeatureConfigFactory.create(
+            slug="my-feature",
+            application=NimbusExperiment.Application.DESKTOP,
+        )
+        response = self.client.get(self._dashboard_url(feature.slug))
+
+        self.assertEqual(response.status_code, 503)
+
+    def test_proxy_requires_login(self):
+        self.client.defaults.pop(settings.OPENIDC_EMAIL_HEADER)
+        response = self.client.get(reverse("nimbus-ui-grafana-proxy"))
+        self.assertNotEqual(response.status_code, 200)
+
+    @override_settings(GRAFANA_SERVICE_ACCOUNT_TOKEN="test-token")
+    @patch("experimenter.nimbus_ui.views.requests.get")
+    def test_proxy_sends_service_account_token(self, mock_get):
+        feature = NimbusFeatureConfigFactory.create(
+            slug="my-feature",
+            application=NimbusExperiment.Application.DESKTOP,
+        )
+        mock_get.return_value.status_code = 200
+        mock_get.return_value.headers = {"Content-Type": "text/html"}
+        mock_get.return_value.content = b""
+
+        self.client.get(self._dashboard_url(feature.slug))
+
+        call_headers = mock_get.call_args[1]["headers"]
+        self.assertEqual(call_headers["Authorization"], "Bearer test-token")
+
+    def test_proxy_returns_400_when_slug_missing(self):
+        response = self.client.get(reverse("nimbus-ui-grafana-proxy"))
+        self.assertEqual(response.status_code, 400)
+
+    def test_proxy_returns_404_when_slug_invalid(self):
+        response = self.client.get(self._dashboard_url("nonexistent-feature"))
+        self.assertEqual(response.status_code, 404)
+
+
 class TestNewOverviewUpdateView(AuthTestCase):
     url_name = "nimbus-ui-new-update-overview"
 

experimenter/experimenter/nimbus_ui/tests/test_views.py

@@ -23,6 +23,7 @@
     DraftToReviewView,
     EditOutcomeSummaryView,
     FeatureSubscribersUpdateView,
+    GrafanaProxyView,
     LiveToCompleteView,
     LiveToEndEnrollmentView,
     LiveToUpdateRolloutView,
@@ -43,7 +44,6 @@
     NimbusExperimentsListTableView,
     NimbusExperimentsPromoteToRolloutView,
     NimbusExperimentsSidebarCloneView,
-    NimbusFeatureMonitoringView,
     NimbusFeaturesView,
     NimbusRolloutDetailView,
     OverviewUpdateView,
@@ -82,9 +82,9 @@
         name="nimbus-ui-features",
     ),
     re_path(
-        r"^feature-monitoring/(?P<pk>\d+)/$",
-        NimbusFeatureMonitoringView.as_view(),
-        name="nimbus-ui-feature-monitoring",
+        r"^grafana-proxy/$",
+        GrafanaProxyView.as_view(),
+        name="nimbus-ui-grafana-proxy",
     ),
     re_path(
         r"^tags/manage/$",

experimenter/experimenter/nimbus_ui/urls.py

@@ -1,12 +1,15 @@
 import json
 
+import requests
 from deepdiff import DeepDiff
 from django.conf import settings
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.paginator import Paginator
 from django.db.models import Q
 from django.http import HttpResponse, HttpResponseRedirect
-from django.shortcuts import render
+from django.shortcuts import get_object_or_404, render
 from django.urls import reverse
+from django.views import View
 from django.views.generic import CreateView, DetailView, TemplateView
 from django.views.generic.edit import UpdateView
 from django_filters.views import FilterView
@@ -1137,10 +1140,63 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class NimbusFeatureMonitoringView(DetailView):
-    template_name = "nimbus_experiments/feature_monitoring.html"
-    model = NimbusFeatureConfig
-    context_object_name = "feature_config"
+# Grafana is behind Google IAP, which blocks third-party cookies in iframes.
+# Both Experimenter and Grafana run in the same k8s cluster, so the backend
+# can reach Grafana via internal DNS (bypassing IAP) and proxy it to the browser.
+class GrafanaProxyView(LoginRequiredMixin, View):
+    _SAFE_RESPONSE_HEADERS = ("Cache-Control", "ETag", "Last-Modified", "Content-Type")
+
+    def get(self, request):
+        slug = request.GET.get("slug")
+        if not slug:
+            return HttpResponse("Missing slug parameter", status=400)
+
+        feature_config = get_object_or_404(NimbusFeatureConfig, slug=slug)
+
+        # Construct the Grafana URL entirely from known-safe components.
+        # User input (slug) is validated against the DB before use;
+        # the host and dashboard path come from settings only.
+        application = (feature_config.application or "").replace("-", "_")
+        target = "{base}/{path}".format(
+            base=settings.GRAFANA_INTERNAL_URL.rstrip("/"),
+            path=settings.GRAFANA_FEATURE_MONITORING_DASHBOARD_PATH,
+        )
+        params = {
+            "orgId": "1",
+            "from": "now-30d",
+            "to": "now",
+            "timezone": "utc",
+            "var-application": application,
+            "var-feature": feature_config.slug,
+            "kiosk": "",
+        }
+
+        headers = {}
+        if settings.GRAFANA_SERVICE_ACCOUNT_TOKEN:
+            headers["Authorization"] = f"Bearer {settings.GRAFANA_SERVICE_ACCOUNT_TOKEN}"
+
+        try:
+            upstream = requests.get(
+                target,
+                params=params,
+                headers=headers,
+                timeout=30,
+            )
+        except requests.exceptions.RequestException:
+            return HttpResponse("Grafana is unavailable", status=503)
+
+        response = HttpResponse(
+            upstream.content,
+            content_type=upstream.headers.get("Content-Type", "application/octet-stream"),
+            status=upstream.status_code,
+        )
+
+        for header in self._SAFE_RESPONSE_HEADERS:
+            if value := upstream.headers.get(header):
+                response[header] = value
+
+        response["X-Frame-Options"] = "SAMEORIGIN"
+        return response
 
 
 class NimbusExperimentsHomeView(FilterView):

experimenter/experimenter/nimbus_ui/views.py

@@ -440,6 +440,15 @@
     "https://yardstick.mozilla.org/d/dtfz7xv/nimbus-feature-monitoring"
     "?orgId=1&var-feature_slug={slug}&var-application={application}"
 )
+GRAFANA_INTERNAL_URL = config(
+    "GRAFANA_INTERNAL_URL",
+    default="http://grafana.grafana-prod.svc.cluster.local:8080",
+)
+GRAFANA_FEATURE_MONITORING_DASHBOARD_PATH = config(
+    "GRAFANA_FEATURE_MONITORING_DASHBOARD_PATH",
+    default="d/dtfz7xv/nimbus-feature-monitoring",
+)
+GRAFANA_SERVICE_ACCOUNT_TOKEN = config("GRAFANA_SERVICE_ACCOUNT_TOKEN", default="")
 
 # Statsd via Markus
 STATSD_BACKEND = config(