Replace hardcoded credentials in collector helm chart

Makefile

@@ -85,8 +85,8 @@ dev-operators-deploy: dev ## Deploy motel-operators helm chart to the K8s cluste
 .PHONY: dev-collectors-deploy
 dev-collectors-deploy: dev ## Deploy motel-collector helm chart to the K8s cluster specified in ~/.kube/config
 	cp -f $(TEMPLATES_DIR)/motel-collectors/values.yaml dev/collectors-values.yaml
-	@$(YQ) eval -i '.motel.logs_endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml
-	@$(YQ) eval -i '.motel.metrics_endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml
+	@$(YQ) eval -i '.motel.logs.endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml
+	@$(YQ) eval -i '.motel.metrics.endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml
 	@$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "http://vmselect-cluster.$(MOTEL_STORAGE_NS):8481/select/0/prometheus"' dev/collectors-values.yaml
 	$(HELM) upgrade -i motel-collectors ./charts/motel-collectors --create-namespace -n motel -f dev/collectors-values.yaml
 
@@ -135,8 +135,8 @@ dev-managed-deploy-aws: dev ## Deploy Regional Managed cluster using HMC
 	@$(YQ) eval -i '.metadata.name = "$(USER)-aws-managed"' dev/aws-managed.yaml
 	@$(YQ) '.spec.services[] | select(.name == "motel-collectors") | .values' dev/aws-managed.yaml > dev/motel-managed-values.yaml
 	@$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "https://vmauth.$(STORAGE_DOMAIN)/vm/select/0/prometheus"' dev/motel-managed-values.yaml
-	@$(YQ) eval -i '.motel.logs_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml
-	@$(YQ) eval -i '.motel.metrics_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml
+	@$(YQ) eval -i '.motel.logs.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml
+	@$(YQ) eval -i '.motel.metrics.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml
 	@$(YQ) eval -i '(.spec.services[] | select(.name == "motel-collectors")).values |= load_str("dev/motel-managed-values.yaml")' dev/aws-managed.yaml
 	kubectl apply -f dev/aws-managed.yaml
 

README.md

@@ -82,7 +82,7 @@ kubectl apply -f demo/cluster/aws-managed.yaml
 kubectl get clustersummaries.config.projectsveltos.io -n hmc-system
 ```
 
-Once your managed clusters are up, it should start pushing metrics and logs to your storage one, through ingress domain you've configured.
+Once your managed clusters are up, create secrets for storage cluster authentication, it should start pushing metrics and logs to your storage one, through ingress domain you've configured.
 Check your storage cluster's Grafana for results first, then you should be able to see the same cluster in Grafana on the "mothership".
 
 ### Scaling up

charts/motel-collectors/templates/_helpers.tpl

@@ -0,0 +1,13 @@
+{{- /* Basic auth extensions */ -}}
+{{- define "basic_auth_extensions" -}}
+{{- range tuple "metrics" "logs" }}
+{{- $secret := (lookup "v1" "Secret" $.Release.Namespace (index $.Values "motel" . "credentials_secret_name")) }}
+{{- if $secret }}
+basicauth/{{ . }}:
+  client_auth:
+    username: {{ index $secret.data (index $.Values "motel" . "username_key") | b64dec | quote }}
+    password: {{ index $secret.data (index $.Values "motel" . "password_key") | b64dec | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+

charts/motel-collectors/templates/opentelemetry/collector.yaml

@@ -41,25 +41,23 @@ spec:
     exporters:
       debug: {}
       prometheusremotewrite:
-        endpoint: {{ .Values.motel.metrics_endpoint }}
+        endpoint: {{ .Values.motel.metrics.endpoint }}
         tls:
           insecure: true
         auth:
-          authenticator: basicauth/client
+          authenticator: basicauth/metrics
       otlphttp:
         auth:
-          authenticator: basicauth/client
-        logs_endpoint: {{ .Values.motel.logs_endpoint }}
+          authenticator: basicauth/logs
+        logs_endpoint: {{ .Values.motel.logs.endpoint }}
 
     extensions:
-      basicauth/client:
-        client_auth:
-          username: motel
-          password: motel
+      {{- include "basic_auth_extensions" . | nindent 6 }}
 
     service:
       extensions:
-        - basicauth/client
+        - basicauth/metrics
+        - basicauth/logs
       pipelines:
         logs:
           exporters:

charts/motel-collectors/templates/opentelemetry/node-collector.yaml

@@ -128,28 +128,26 @@ spec:
       batch: {}
 
     extensions:
-      basicauth/client:
-        client_auth:
-          username: motel
-          password: motel
+      {{- include "basic_auth_extensions" . | nindent 6 }}
 
     exporters:
       prometheusremotewrite:
-        endpoint: {{ .Values.motel.metrics_endpoint }}
+        endpoint: {{ .Values.motel.metrics.endpoint }}
         tls:
           insecure: true
         auth:
-          authenticator: basicauth/client
+          authenticator: basicauth/metrics
       otlphttp:
         auth:
-          authenticator: basicauth/client
-        logs_endpoint: {{ .Values.motel.logs_endpoint }}
+          authenticator: basicauth/logs
+        logs_endpoint: {{ .Values.motel.logs.endpoint }}
       debug:
         verbosity: detailed
 
     service:
       extensions:
-        - basicauth/client
+        - basicauth/metrics
+        - basicauth/logs
       pipelines:
         logs:
           exporters:

charts/motel-collectors/values.yaml

@@ -2,8 +2,16 @@ global:
   clusterLabel: clusterName
   clusterName: mothership
 motel:
-  logs_endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs
-  metrics_endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write
+  logs:
+    endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs
+    credentials_secret_name: grafana-admin-credentials
+    username_key: GF_SECURITY_ADMIN_USER
+    password_key: GF_SECURITY_ADMIN_PASSWORD
+  metrics:
+    endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write
+    credentials_secret_name: grafana-admin-credentials
+    username_key: GF_SECURITY_ADMIN_USER
+    password_key: GF_SECURITY_ADMIN_PASSWORD
 prometheus-node-exporter:
   enabled: true
   hostNetwork: false
@@ -31,8 +39,9 @@ opencost:
   enabled: true
   opencost:
     prometheus:
-      username: "motel"
-      password: "motel"
+      existingSecretName: grafana-admin-credentials
+      username_key: GF_SECURITY_ADMIN_USER
+      password_key: GF_SECURITY_ADMIN_PASSWORD
       external:
         enabled: true
         url: "https://vmauth.storage0.example.net/vm/select/0/prometheus"

demo/cluster/aws-managed.yaml

@@ -41,10 +41,21 @@ spec:
           enabled: true
           opencost:
             prometheus:
+              existingSecretName: grafana-admin-credentials
+              username_key: GF_SECURITY_ADMIN_USER
+              password_key: GF_SECURITY_ADMIN_PASSWORD
               external:
                 url: "https://vmauth.storage0.example.net/vm/select/0/prometheus"
             exporter:
               defaultClusterId: "aws-managed0"
         motel:
-          logs_endpoint: https://vmauth.storage0.example.net/vls/insert/opentelemetry/v1/logs
-          metrics_endpoint: https://vmauth.storage0.example.net/vm/insert/0/prometheus/api/v1/write
+          logs:
+            credentials_secret_name: grafana-admin-credentials
+            username_key: GF_SECURITY_ADMIN_USER
+            password_key: GF_SECURITY_ADMIN_PASSWORD
+            endpoint: https://vmauth.storage0.example.net/vls/insert/opentelemetry/v1/logs
+          metrics:
+            credentials_secret_name: grafana-admin-credentials
+            username_key: GF_SECURITY_ADMIN_USER
+            password_key: GF_SECURITY_ADMIN_PASSWORD
+            endpoint: https://vmauth.storage0.example.net/vm/insert/0/prometheus/api/v1/write