[stable/grafana] Allow secrets for sidecar (helm#13492) (helm#15331)
* [stable/grafana] Allow secrets for sidecar (helm#13492)

Updated the sidecar image to version 0.0.18
This allows also using secrets for volume mounts
This way the dashboard and datasource import can be extended to those
datatypes

Signed-off-by: Sergej Herbert <[email protected]>

* [stable/grafana] Allow secret - review (helm#13492)

- keep the appVersion the same
- bump minor version
- add missing apostrophe

Signed-off-by: Sergej Herbert <[email protected]>

* [stable/grafana] Allow secret - review #2 (helm#13492)

- enable sidecar resource secrets and configmaps by default
- update readme to indicate secret preference for datasources

Signed-off-by: Sergej Herbert <[email protected]>
fr-ser authored and k8s-ci-robot committed Jul 21, 2019
1 parent 9fcf3ca commit 4644bc2
Showing 6 changed files with 31 additions and 9 deletions.
1 change: 1 addition & 0 deletions stable/grafana/.helmignore
Expand Up @@ -16,6 +16,7 @@
*.tmp
*~
# Various IDEs
.vscode
.project
.idea/
*.tmproj
2 changes: 1 addition & 1 deletion stable/grafana/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: grafana
version: 3.5.13
version: 3.6.0
appVersion: 6.2.5
kubeVersion: "^1.8.0-0"
description: The leading tool for querying and visualizing time series and metrics.
29 changes: 23 additions & 6 deletions stable/grafana/README.md
Expand Up @@ -93,7 +93,7 @@ The command removes all the Kubernetes components associated with the chart and
| `sidecar.image` | Sidecar image | `kiwigrid/k8s-sidecar:0.0.16` |
| `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` |
| `sidecar.resources` | Sidecar resources | `{}` |
| `sidecar.dashboards.enabled` | Enabled the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` |
| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` |
| `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` |
| `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` |
| `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` |
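Review bot: the `sidecar.image` row kept as context at the top of this hunk still documents the default as `kiwigrid/k8s-sidecar:0.0.16`, while this commit changes the default in values.yaml to `kiwigrid/k8s-sidecar:0.0.18`. Please update the table row in the same change so the documented default matches the shipped one.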
Expand All @@ -104,7 +104,7 @@ The command removes all the Kubernetes components associated with the chart and
| `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` |
| `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` |
| `sidecar.dashboards.searchNamespace` | If specified, the sidecar will search for dashboard config-maps inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` |
| `sidecar.datasources.enabled` | Enabled the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` |
| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` |
| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` |
| `sidecar.datasources.searchNamespace` | If specified, the sidecar will search for datasources config-maps inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` |
| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` |
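Review bot: the descriptions of `sidecar.dashboards.searchNamespace`, `sidecar.datasources.label` and `sidecar.datasources.searchNamespace` in this hunk still mention only config maps, although the sidecar now also picks up labelled secrets. Suggest wording them as "config maps or secrets" and stating next to the `ALL` option that it now covers secrets in every namespace as well.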
Expand Down Expand Up @@ -181,7 +181,15 @@ the url value is https://yourgerritserver/a/user%2Frepo/branches/master/files/di
## Sidecar for dashboards
If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana pod. This container watches all config maps in the cluster and filters out the ones with a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported dashboards are deleted/updated. A recommendation is to use one configmap per dashboard, as an reduction of multiple dashboards inside one configmap is currently not properly mirrored in grafana.
If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana
pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with
a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written
to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported
dashboards are deleted/updated.

A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside
one configmap is currently not properly mirrored in grafana.

Example dashboard config:
```
apiVersion: v1
Expand All @@ -197,17 +205,26 @@ data:

## Sidecar for datasources

If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana pod. This container lists all config maps in the cluster and filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in those configmaps are written to a folder and accessed by grafana on startup. Using these yaml files, the data sources in grafana can be imported. The configmaps must be created before `helm install` so that the datasources init container can list the configmaps.
If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana
pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
the data sources in grafana can be imported. The secrets must be created before `helm install` so
that the datasources init container can list the secrets.

Secrets are recommended over configmaps for this usecase because datasources usually contain private
data like usernames and passwords. Secrets are the more appropriate cluster ressource to manage those.

Example datasource config adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file):
```
apiVersion: v1
kind: ConfigMap
kind: Secret
metadata:
name: sample-grafana-datasource
labels:
grafana_datasource: 1
data:
type: Opaque
stringData:
datasource.yaml: |-
# config file version
apiVersion: 1
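Review bot: in the example Secret, `grafana_datasource: 1` is an unquoted YAML integer, but Kubernetes label values must be strings, so the manifest as written is rejected when applied; quote it as `grafana_datasource: "1"`. In the added paragraphs, "ressource" should be "resource", and the statement that the container lists all secrets "in the cluster" does not match the `sidecar.datasources.searchNamespace` row of the parameter table, which says the sidecar's own namespace is used unless a namespace or ALL is specified.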
2 changes: 1 addition & 1 deletion stable/grafana/templates/clusterrole.yaml
Expand Up @@ -15,7 +15,7 @@ metadata:
{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps"]
resources: ["configmaps", "secrets"]
verbs: ["get", "watch", "list"]
{{- else }}
rules: []
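Review bot: adding `"secrets"` to this rule gives the Grafana service account `get`, `watch` and `list` on every secret wherever this ClusterRole is bound, as soon as either sidecar is enabled; RBAC cannot restrict by label, so the `grafana_datasource` label filter in the sidecar does not limit what the account is able to read. Suggest gating `"secrets"` behind an explicit value so installations that only use config maps keep the narrower rule, and calling out the wider permission in the README.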
4 changes: 4 additions & 0 deletions stable/grafana/templates/deployment.yaml
Expand Up @@ -103,6 +103,8 @@ spec:
value: "{{ .Values.sidecar.datasources.label }}"
- name: FOLDER
value: "/etc/grafana/provisioning/datasources"
- name: RESOURCE
value: "both"
{{- if .Values.sidecar.datasources.searchNamespace }}
- name: NAMESPACE
value: "{{ .Values.sidecar.datasources.searchNamespace }}"
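Review bot: `RESOURCE` is hardcoded to `"both"` for the datasources container, so an operator can neither restrict it to secrets, as the README now recommends, nor keep the previous configmap-only behaviour. Suggest reading the value from values.yaml (for example through a new, hypothetical `sidecar.datasources.resource` key) and documenting the chosen default.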
Expand Down Expand Up @@ -136,6 +138,8 @@ spec:
value: "{{ .Values.sidecar.dashboards.label }}"
- name: FOLDER
value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}"
- name: RESOURCE
value: "both"
{{- if .Values.sidecar.dashboards.searchNamespace }}
- name: NAMESPACE
value: "{{ .Values.sidecar.dashboards.searchNamespace }}"
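Review bot: for the dashboards sidecar, which per the README keeps monitoring for changes, `RESOURCE` set to `"both"` adds a standing watch on secrets even though the README recommends one configmap per dashboard. Consider leaving this container on config maps by default and making secrets opt-in, so the `secrets` entry in the ClusterRole is only needed when a sidecar actually reads them.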
2 changes: 1 addition & 1 deletion stable/grafana/values.yaml
Expand Up @@ -381,7 +381,7 @@ smtp:
## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
sidecar:
image: kiwigrid/k8s-sidecar:0.0.16
image: kiwigrid/k8s-sidecar:0.0.18
imagePullPolicy: IfNotPresent
resources: {}
# limits:
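Review bot: the comment above `sidecar:` still says the sidecars collect "the configmaps with specified label", and the block gains no key for choosing whether secrets are read, so the new behaviour is neither described nor adjustable from values.yaml. Please update the comment and expose the setting here. The image is also referenced only by the tag `0.0.18`; pinning it by digest would make the bump verifiable.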
