From 4644bc283c5918bd0d92a471d9e82e660b07f3f7 Mon Sep 17 00:00:00 2001 From: Sergej Herbert <18115758+fr-ser@users.noreply.github.com> Date: Sun, 21 Jul 2019 11:49:16 +0200 Subject: [PATCH] [stable/grafana] Allow secrets for sidecar (#13492) (#15331) * [stable/grafana] Allow secrets for sidecar (#13492) Updated the sidecar image to version 0.0.18 This allows also using secrets for volume mounts This way the dashboard and datasource import can be extended to those datatypes Signed-off-by: Sergej Herbert * [stable/grafana] Allow secret - review (#13492) - keep the appVersion the same - bump minor version - add missing apostrophe Signed-off-by: Sergej Herbert * [stable/grafana] Allow secret - review #2 (#13492) - enable sidecar resource secrets and configmaps by default - update readme to indicate secret preference for datasources Signed-off-by: Sergej Herbert --- stable/grafana/.helmignore | 1 + stable/grafana/Chart.yaml | 2 +- stable/grafana/README.md | 29 ++++++++++++++++++----- stable/grafana/templates/clusterrole.yaml | 2 +- stable/grafana/templates/deployment.yaml | 4 ++++ stable/grafana/values.yaml | 2 +- 6 files changed, 31 insertions(+), 9 deletions(-) diff --git a/stable/grafana/.helmignore b/stable/grafana/.helmignore index 7c04072e1355..8cade1318fbf 100644 --- a/stable/grafana/.helmignore +++ b/stable/grafana/.helmignore @@ -16,6 +16,7 @@ *.tmp *~ # Various IDEs +.vscode .project .idea/ *.tmproj diff --git a/stable/grafana/Chart.yaml b/stable/grafana/Chart.yaml index 187b151ef986..619ee96b41dd 100755 --- a/stable/grafana/Chart.yaml +++ b/stable/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: grafana -version: 3.5.13 +version: 3.6.0 appVersion: 6.2.5 kubeVersion: "^1.8.0-0" description: The leading tool for querying and visualizing time series and metrics. diff --git a/stable/grafana/README.md b/stable/grafana/README.md index 7d3433a1a39d..5dff8de32788 100644 --- a/stable/grafana/README.md +++ b/stable/grafana/README.md 
@@ -93,7 +93,7 @@ The command removes all the Kubernetes components associated with the chart and | `sidecar.image` | Sidecar image | `kiwigrid/k8s-sidecar:0.0.16` | | `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` | | `sidecar.resources` | Sidecar resources | `{}` | -| `sidecar.dashboards.enabled` | Enabled the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | +| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | | `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` | | `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` | | `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` | 
@@ -104,7 +104,7 @@ The command removes all the Kubernetes components associated with the chart and | `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` | | `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` | | `sidecar.dashboards.searchNamespace` | If specified, the sidecar will search for dashboard config-maps inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` | -| `sidecar.datasources.enabled` | Enabled the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | +| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | | `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` | | `sidecar.datasources.searchNamespace` | If specified, the sidecar will search for datasources config-maps inside this namespace. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces | `nil` | | `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` | 
@@ -181,7 +181,15 @@ the url value is https://yourgerritserver/a/user%2Frepo/branches/master/files/di ## Sidecar for dashboards -If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana pod. This container watches all config maps in the cluster and filters out the ones with a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported dashboards are deleted/updated. A recommendation is to use one configmap per dashboard, as an reduction of multiple dashboards inside one configmap is currently not properly mirrored in grafana. +If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana +pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with +a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written +to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported +dashboards are deleted/updated. + +A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside +one configmap is currently not properly mirrored in grafana. + Example dashboard config: ``` apiVersion: v1 
@@ -197,17 +205,26 @@ data: ## Sidecar for datasources -If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana pod. This container lists all config maps in the cluster and filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in those configmaps are written to a folder and accessed by grafana on startup. Using these yaml files, the data sources in grafana can be imported. The configmaps must be created before `helm install` so that the datasources init container can list the configmaps. +If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in +those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, +the data sources in grafana can be imported. The secrets must be created before `helm install` so +that the datasources init container can list the secrets. + +Secrets are recommended over configmaps for this usecase because datasources usually contain private +data like usernames and passwords. Secrets are the more appropriate cluster ressource to manage those. Example datasource config adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): ``` apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: name: sample-grafana-datasource labels: grafana_datasource: 1 -data: +type: Opaque +stringData: datasource.yaml: |- # config file version apiVersion: 1 diff --git a/stable/grafana/templates/clusterrole.yaml b/stable/grafana/templates/clusterrole.yaml index ccfc72374834..56097b71a017 100644 --- a/stable/grafana/templates/clusterrole.yaml +++ b/stable/grafana/templates/clusterrole.yaml 
@@ -15,7 +15,7 @@ metadata: {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} rules: - apiGroups: [""] # "" indicates the core API group - resources: ["configmaps"] + resources: ["configmaps", "secrets"] verbs: ["get", "watch", "list"] {{- else }} rules: [] diff --git a/stable/grafana/templates/deployment.yaml b/stable/grafana/templates/deployment.yaml index 7005ce5d6b74..0e01d32e0f86 100644 --- a/stable/grafana/templates/deployment.yaml +++ b/stable/grafana/templates/deployment.yaml @@ -103,6 +103,8 @@ spec: value: "{{ .Values.sidecar.datasources.label }}" - name: FOLDER value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: "both" {{- if .Values.sidecar.datasources.searchNamespace }} - name: NAMESPACE value: "{{ .Values.sidecar.datasources.searchNamespace }}" @@ -136,6 +138,8 @@ spec: value: "{{ .Values.sidecar.dashboards.label }}" - name: FOLDER value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" + - name: RESOURCE + value: "both" {{- if .Values.sidecar.dashboards.searchNamespace }} - name: NAMESPACE value: "{{ .Values.sidecar.dashboards.searchNamespace }}" diff --git a/stable/grafana/values.yaml b/stable/grafana/values.yaml index 11cc5cf46221..e2763e92a2fb 100644 --- a/stable/grafana/values.yaml +++ b/stable/grafana/values.yaml @@ -381,7 +381,7 @@ smtp: ## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders ## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards sidecar: - image: kiwigrid/k8s-sidecar:0.0.16 + image: kiwigrid/k8s-sidecar:0.0.18 imagePullPolicy: IfNotPresent resources: {} # limits:
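Review bot: Adding `"secrets"` to the `resources` list in `clusterrole.yaml` grants the Grafana service account `get`/`watch`/`list` on Secrets as soon as either sidecar is enabled, with no opt-out, and the two `deployment.yaml` hunks likewise hard-code `RESOURCE` to `"both"`. Kubernetes RBAC cannot filter by label, so the `sidecar.*.label` setting only limits what the sidecar writes into the pod, not what the pod's token can read. If this role is bound cluster-wide (the binding is not visible in the hunk), anyone who compromises the Grafana pod can read every Secret in the cluster. I would drive both places from one new chart value per sidecar, for example `value: "{{ .Values.sidecar.datasources.resource }}"` (proposed name), and emit `"secrets"` in the rule only when that value asks for it, so configmap-only installs grant no Secret access. The template's `metadata` block and the `{{- if or … }}` guard begin outside the hunk, so the conditions under which the role is created could not be checked here.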