Optionally pass cortex config as configmap.

Fixes cortexproject#235.

Signed-off-by: Josh Carp <[email protected]>

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Changelog
 
 ## master / unreleased
+* [FEATURE] Optionally manage cortex config as configmap. #280
 
 ## 1.1.0 / 2021-12-01
 

README.md

@@ -754,5 +754,6 @@ Kubernetes: `^1.19.0-0`
 | table_manager.​terminationGracePeriodSeconds | int | `180` |  |
 | table_manager.​tolerations | list | `[]` |  |
 | tags.​blocks-storage-memcached | bool | `false` | Set to true to enable block storage memcached caching |
+| useConfigMap | bool | `false` |  |
 | useExternalConfig | bool | `false` |  |
 

ci/test-configmap-values.yaml

@@ -0,0 +1,206 @@
+ingress:
+  enabled: true
+
+useConfigMap: true
+
+config:
+  ingester:
+    lifecycler:
+      join_after: 30s
+      final_sleep: 30s
+      tokens_file_path: "/data/tokens"
+      ring:
+        replication_factor: 1
+        kvstore:
+          store: "memberlist"
+
+  # See https://github.com/cortexproject/cortex/blob/master/docs/configuration/config-file-reference.md#storage_config
+  storage:
+    engine: blocks
+  blocks_storage:
+    backend: "filesystem"
+    tsdb:
+      dir: "/data/tsdb"
+    bucket_store:
+      sync_dir: "/data/tsdb-sync"
+    filesystem:
+      dir: "/data/store"
+
+  distributor:
+    ring:
+      kvstore:
+        store: memberlist
+
+  ruler:
+    ring:
+      kvstore:
+        store: memberlist
+
+  ruler_storage:
+    backend: "filesystem"
+    filesystem:
+      dir: "/data/store"
+
+  alertmanager_storage:
+    backend: "filesystem"
+    filesystem:
+      dir: "/data/store"
+
+  memberlist:
+    join_members:
+      - '{{ include "cortex.fullname" $ }}-memberlist'
+
+ingester:
+  replicas: 1
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+  statefulSet:
+    enabled: false
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+compactor:
+  replicas: 1
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+distributor:
+  replicas: 1
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+querier:
+  replicas: 1
+  autoscaling:
+    enabled: true
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+query_frontend:
+  replicas: 1
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+nginx:
+  replicas: 1
+  autoscaling:
+    enabled: true
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+  config:
+    httpSnippet: |-
+      # http snippet
+    mainSnippet: |-
+      # main snippet
+    serverSnippet: |-
+      # server snippet
+runtimeconfigmap:
+  annotations:
+    foo: bar
+alertmanager:
+  replicas: 1
+  statefulSet:
+    enabled: false
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+ruler:
+  replicas: 1
+  enabled: true
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+store_gateway:
+  replicas: 1
+  extraVolumes:
+    - name: tmp-test
+      emptyDir: {}
+  extraVolumeMounts:
+    - name: tmp-test
+      mountPath: /tmp-test
+
+tags:
+  blocks-storage-memcached: true
+memcached:
+  enabled: true
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    # https://github.com/helm/helm/issues/9136
+    requests:
+      cpu: 0
+      memory: 0
+memcached-index-read:
+  enabled: true
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0
+memcached-index-write:
+  enabled: true
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0
+memcached-frontend:
+  enabled: true
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0
+memcached-blocks:
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0
+memcached-blocks-index:
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0
+memcached-blocks-metadata:
+  architecture: standalone
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 0
+      memory: 0

docs/guides/configure_configmap.markdown

@@ -0,0 +1,18 @@
+---
+layout: page
+title: Configure with configmap
+parent: Guides
+has_children: true
+has_toc: false
+---
+# Configuring using configmap
+
+By default, cortex configuration is managed using a `Secret`. To use a `ConfigMap` instead, set `useConfigMap`:
+
+{% raw %}
+```yaml
+useConfigMap: true
+```
+{% endraw %}
+
+Note: if `useConfigMap` is enabled, sensitive values should be stored in separate secrets, then referenced in the config [using environment variables](https://cortexmetrics.io/docs/configuration/configuration-file/#use-environment-variables-in-the-configuration). Use `extraVolumes`, `extraVolumeMounts`, `extraEnvs`, and `extraArgs` to add environment variables from secrets.

templates/_helpers.tpl

@@ -123,3 +123,33 @@ policy/v1
 policy/v1beta1
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get checksum of config secret or configMap
+*/}}
+{{- define "cortex.configChecksum" -}}
+{{- if .Values.useExternalConfig -}}
+{{- .Values.externalConfigVersion -}}
+{{- else if .Values.useConfigMap -}}
+{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}
+{{- else -}}
+{{- include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get volume of config secret of configMap
+*/}}
+{{- define "cortex.configVolume" -}}
+- name: config
+  {{- if .Values.useExternalConfig }}
+  secret:
+    secretName: {{ .Values.externalConfigSecretName }}
+  {{- else if .Values.useConfigMap }}
+  configMap:
+    name: {{ template "cortex.fullname" . }}
+  {{- else }}
+  secret:
+    secretName: {{ template "cortex.fullname" . }}
+  {{- end }}
+{{- end -}}

templates/alertmanager/alertmanager-dep.yaml

@@ -26,11 +26,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        {{- if .Values.useExternalConfig }}
-        checksum/config: {{ .Values.externalConfigVersion }}
-        {{- else }}
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-        {{- end }}
+        checksum/config: {{ include "cortex.configChecksum" . }}
         {{- with .Values.alertmanager.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -157,13 +153,7 @@ spec:
         {{- toYaml .Values.alertmanager.tolerations | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.alertmanager.terminationGracePeriodSeconds }}
       volumes:
-        - name: config
-          secret:
-          {{- if .Values.useExternalConfig }}
-            secretName: {{ .Values.externalConfigSecretName }}
-          {{- else }}
-            secretName: {{ template "cortex.fullname" . }}
-          {{- end }}
+        {{- include "cortex.configVolume" . | nindent 8 }}
         - name: runtime-config
           configMap:
             name: {{ template "cortex.fullname" . }}-runtime-config

templates/alertmanager/alertmanager-statefulset.yaml

@@ -49,11 +49,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        {{- if .Values.useExternalConfig }}
-        checksum/config: {{ .Values.externalConfigVersion }}
-        {{- else }}
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-        {{- end }}
+        checksum/config: {{ include "cortex.configChecksum" . }}
         {{- with .Values.alertmanager.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -81,13 +77,7 @@ spec:
         {{- toYaml .Values.alertmanager.tolerations | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.alertmanager.terminationGracePeriodSeconds }}
       volumes:
-        - name: config
-          secret:
-            {{- if .Values.useExternalConfig }}
-            secretName: {{ .Values.externalConfigSecretName }}
-            {{- else }}
-            secretName: {{ template "cortex.fullname" . }}
-            {{- end }}
+        {{- include "cortex.configVolume" . | nindent 8 }}
         - name: runtime-config
           configMap:
             name: {{ template "cortex.fullname" . }}-runtime-config

templates/compactor/compactor-statefulset.yaml

@@ -49,11 +49,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        {{- if .Values.useExternalConfig }}
-        checksum/config: {{ .Values.externalConfigVersion }}
-        {{- else }}
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-        {{- end }}
+        checksum/config: {{ include "cortex.configChecksum" . }}
         {{- with .Values.compactor.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -81,13 +77,7 @@ spec:
         {{- toYaml .Values.compactor.tolerations | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.compactor.terminationGracePeriodSeconds }}
       volumes:
-        - name: config
-          secret:
-            {{- if .Values.useExternalConfig }}
-            secretName: {{ .Values.externalConfigSecretName }}
-            {{- else }}
-            secretName: {{ template "cortex.fullname" . }}
-            {{- end }}
+        {{- include "cortex.configVolume" . | nindent 8 }}
         - name: runtime-config
           configMap:
             name: {{ template "cortex.fullname" . }}-runtime-config

templates/configmap.yaml

@@ -0,0 +1,12 @@
+{{- if (and (not .Values.useExternalConfig) (.Values.useConfigMap)) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "cortex.fullname" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cortex.labels" . | nindent 4 }}
+data:
+  cortex.yaml: |
+    {{- tpl (toYaml .Values.config) . | nindent 4 }}
+{{- end }}

templates/configs/configs-dep.yaml

@@ -23,11 +23,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-{{- if .Values.useExternalConfig }}
-        checksum/config: {{ .Values.externalConfigVersion }}
-{{- else }}
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-{{- end }}
+        checksum/config: {{ include "cortex.configChecksum" . }}
         {{- with .Values.configs.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -110,13 +106,7 @@ spec:
         {{- toYaml .Values.configs.tolerations | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.configs.terminationGracePeriodSeconds }}
       volumes:
-        - name: config
-          secret:
-          {{- if .Values.useExternalConfig }}
-            secretName: {{ .Values.externalConfigSecretName }}
-          {{- else }}
-            secretName: {{ template "cortex.fullname" . }}
-          {{- end }}
+        {{- include "cortex.configVolume" . | nindent 8 }}
         {{- if .Values.configsdb_postgresql.enabled }}
         - name: postgres-password
           secret: