Merge pull request #13 from gmlexx/secrets

Replace hardcoded credentials with secrets references
K0rdent · Dec 30, 2024 · cac4037 · cac4037
2 parents 22bf931 + 7396703
commit cac4037
Show file tree

Hide file tree

Showing 19 changed files with 164 additions and 121 deletions.
diff --git a/Makefile b/Makefile
@@ -85,8 +85,8 @@ dev-operators-deploy: dev ## Deploy motel-operators helm chart to the K8s cluste
 .PHONY: dev-collectors-deploy
 dev-collectors-deploy: dev ## Deploy motel-collector helm chart to the K8s cluster specified in ~/.kube/config
 	cp -f $(TEMPLATES_DIR)/motel-collectors/values.yaml dev/collectors-values.yaml
-	@$(YQ) eval -i '.motel.logs_endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml
-	@$(YQ) eval -i '.motel.metrics_endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml
+	@$(YQ) eval -i '.motel.logs.endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml
+	@$(YQ) eval -i '.motel.metrics.endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml
 	@$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "http://vmselect-cluster.$(MOTEL_STORAGE_NS):8481/select/0/prometheus"' dev/collectors-values.yaml
 	$(HELM) upgrade -i motel-collectors ./charts/motel-collectors --create-namespace -n motel -f dev/collectors-values.yaml
 
@@ -103,8 +103,8 @@ dev-storage-deploy: dev ## Deploy motel-storage helm chart to the K8s cluster sp
 dev-ms-deploy-aws: dev ## Deploy Mothership helm chart to the K8s cluster specified in ~/.kube/config for a remote storage cluster
 	cp -f $(TEMPLATES_DIR)/motel-mothership/values.yaml dev/mothership-values.yaml
 	@$(YQ) eval -i '.hmc.installTemplates = true' dev/mothership-values.yaml
-	@$(YQ) eval -i '.grafana.logSources = [{"name": "$(USER)-storage", "url": "https://vmauth.$(STORAGE_DOMAIN)/vls", "type": "victoriametrics-logs-datasource", "auth": {"username": "motel", "password": "motel"} }]' dev/mothership-values.yaml
-	@$(YQ) eval -i '.promxy.config.serverGroups = [{"clusterName": "$(USER)-storage", "targets": ["vmauth.$(STORAGE_DOMAIN):443"], "auth": {"username": "motel", "password": "motel"}}]' dev/mothership-values.yaml
+	@$(YQ) eval -i '.grafana.logSources = [{"name": "$(USER)-storage", "url": "https://vmauth.$(STORAGE_DOMAIN)/vls", "type": "victoriametrics-logs-datasource", "auth": {"credentials_secret_name": "grafana-admin-credentials"}}]' dev/mothership-values.yaml
+	@$(YQ) eval -i '.promxy.config.serverGroups = [{"clusterName": "$(USER)-storage", "targets": ["vmauth.$(STORAGE_DOMAIN):443"], "auth": {"credentials_secret_name": "grafana-admin-credentials"}}]' dev/mothership-values.yaml
 
 	@$(YQ) eval -i '.hmc.motel.charts.collectors.version = "$(COLLECTORS_VERSION)"' dev/mothership-values.yaml
 	@$(YQ) eval -i '.hmc.motel.charts.storage.version = "$(STORAGE_VERSION)"' dev/mothership-values.yaml
@@ -135,8 +135,8 @@ dev-managed-deploy-aws: dev ## Deploy Regional Managed cluster using HMC
 	@$(YQ) eval -i '.metadata.name = "$(USER)-aws-managed"' dev/aws-managed.yaml
 	@$(YQ) '.spec.services[] | select(.name == "motel-collectors") | .values' dev/aws-managed.yaml > dev/motel-managed-values.yaml
 	@$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "https://vmauth.$(STORAGE_DOMAIN)/vm/select/0/prometheus"' dev/motel-managed-values.yaml
-	@$(YQ) eval -i '.motel.logs_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml
-	@$(YQ) eval -i '.motel.metrics_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml
+	@$(YQ) eval -i '.motel.logs.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml
+	@$(YQ) eval -i '.motel.metrics.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml
 	@$(YQ) eval -i '(.spec.services[] | select(.name == "motel-collectors")).values |= load_str("dev/motel-managed-values.yaml")' dev/aws-managed.yaml
 	kubectl apply -f dev/aws-managed.yaml
 

diff --git a/README.md b/README.md
@@ -10,10 +10,26 @@ This repo contains 4 charts to deploy a monitoring stack using HMC and get metri
 
 ### Demo deployment
 In `demo/demo-mothership-values.yaml` set your target ingress names that you are going to use for your regional clusters, but they can always be changed after the fact
+
+Create secrets for grafana admin user and storage clusters datasources endpoint access. By default the secret below be reused everywhere, but it is customizable.
+
+```yaml
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: grafana-admin-credentials
+  namespace: motel
+stringData:
+  GF_SECURITY_ADMIN_USER: username # Grafana username
+  GF_SECURITY_ADMIN_PASSWORD: password # Grafana password
+type: Opaque
 ```
+
+```bash
 helm repo add motel https://mirantis.github.io/motel/
 helm repo update
-helm upgrade -i motel motel/motel-mothership -n hmc-system -f demo/demo-mothership-values.yaml
+helm upgrade -i motel motel/motel-mothership -n motel -f demo/demo-mothership-values.yaml
 ```
 
 ## Storage chart
@@ -28,18 +44,22 @@ helm upgrade -i motel motel/motel-mothership -n hmc-system -f demo/demo-mothersh
 
 To deploy storage `managedcluster` configure desired ingress names for vmauth and regional Grafana in it's values for the `motel-storage` template.
 `demo/cluster/aws-storage.yaml` contains example definitions
-```
+
+```bash
 kubectl apply -f demo/cluster/aws-storage.yaml
 # you can check helm chart deployment status using ClusterSummary object:
 kubectl get clustersummaries.config.projectsveltos.io -n hmc-system
 ```
 Once the storage managedcluster is ready - retrieve its kubeconfig and get loadbalancer IP/DNS name for your ingress-nginx service.
-```
+
+```bash
 kubectl get secret -n hmc-system aws-storage-kubeconfig -o jsonpath={.data.value} | base64 -d  > /tmp/hmc-aws-storage-kubeconfig.yaml
 export KUBECONFIG=/tmp/hmc-aws-storage-kubeconfig.yaml
 kubectl get svc -n ingress-nginx ingress-nginx-controller
 ```
 
+Create secrets for grafana and vmauth according to the names provided in helm values.
+
 With your preffered DNS hosting, set your ingress domains to resolve to that IP/DNS name, that's how the traffic will flow to/from regional cluster. 
 To simplify this process it is posssible to enable [external-dns](https://kubernetes-sigs.github.io/external-dns/) helm chart deployment in values.
 
@@ -62,7 +82,7 @@ kubectl apply -f demo/cluster/aws-managed.yaml
 kubectl get clustersummaries.config.projectsveltos.io -n hmc-system
 ```
 
-Once your managed clusters are up, it should start pushing metrics and logs to your storage one, through ingress domain you've configured.
+Once your managed clusters are up, create secrets for storage cluster authentication, it should start pushing metrics and logs to your storage one, through ingress domain you've configured.
 Check your storage cluster's Grafana for results first, then you should be able to see the same cluster in Grafana on the "mothership".
 
 ### Scaling up

diff --git a/charts/motel-collectors/templates/_helpers.tpl b/charts/motel-collectors/templates/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- /* Basic auth extensions */ -}}
+{{- define "basic_auth_extensions" -}}
+{{- range tuple "metrics" "logs" }}
+{{- $secret := (lookup "v1" "Secret" $.Release.Namespace (index $.Values "motel" . "credentials_secret_name")) }}
+{{- if $secret }}
+basicauth/{{ . }}:
+  client_auth:
+    username: {{ index $secret.data (index $.Values "motel" . "username_key") | b64dec | quote }}
+    password: {{ index $secret.data (index $.Values "motel" . "password_key") | b64dec | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/motel-collectors/templates/opentelemetry/collector.yaml b/charts/motel-collectors/templates/opentelemetry/collector.yaml
@@ -41,25 +41,23 @@ spec:
     exporters:
       debug: {}
       prometheusremotewrite:
-        endpoint: {{ .Values.motel.metrics_endpoint }}
+        endpoint: {{ .Values.motel.metrics.endpoint }}
         tls:
           insecure: true
         auth:
-          authenticator: basicauth/client
+          authenticator: basicauth/metrics
       otlphttp:
         auth:
-          authenticator: basicauth/client
-        logs_endpoint: {{ .Values.motel.logs_endpoint }}
+          authenticator: basicauth/logs
+        logs_endpoint: {{ .Values.motel.logs.endpoint }}
 
     extensions:
-      basicauth/client:
-        client_auth:
-          username: motel
-          password: motel
+      {{- include "basic_auth_extensions" . | nindent 6 }}
 
     service:
       extensions:
-        - basicauth/client
+        - basicauth/metrics
+        - basicauth/logs
       pipelines:
         logs:
           exporters:

diff --git a/charts/motel-collectors/templates/opentelemetry/node-collector.yaml b/charts/motel-collectors/templates/opentelemetry/node-collector.yaml
@@ -128,28 +128,26 @@ spec:
       batch: {}
 
     extensions:
-      basicauth/client:
-        client_auth:
-          username: motel
-          password: motel
+      {{- include "basic_auth_extensions" . | nindent 6 }}
 
     exporters:
       prometheusremotewrite:
-        endpoint: {{ .Values.motel.metrics_endpoint }}
+        endpoint: {{ .Values.motel.metrics.endpoint }}
         tls:
           insecure: true
         auth:
-          authenticator: basicauth/client
+          authenticator: basicauth/metrics
       otlphttp:
         auth:
-          authenticator: basicauth/client
-        logs_endpoint: {{ .Values.motel.logs_endpoint }}
+          authenticator: basicauth/logs
+        logs_endpoint: {{ .Values.motel.logs.endpoint }}
       debug:
         verbosity: detailed
 
     service:
       extensions:
-        - basicauth/client
+        - basicauth/metrics
+        - basicauth/logs
       pipelines:
         logs:
           exporters:

diff --git a/charts/motel-collectors/values.yaml b/charts/motel-collectors/values.yaml
@@ -2,8 +2,16 @@ global:
   clusterLabel: clusterName
   clusterName: mothership
 motel:
-  logs_endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs
-  metrics_endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write
+  logs:
+    endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs
+    credentials_secret_name: grafana-admin-credentials
+    username_key: GF_SECURITY_ADMIN_USER
+    password_key: GF_SECURITY_ADMIN_PASSWORD
+  metrics:
+    endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write
+    credentials_secret_name: grafana-admin-credentials
+    username_key: GF_SECURITY_ADMIN_USER
+    password_key: GF_SECURITY_ADMIN_PASSWORD
 prometheus-node-exporter:
   enabled: true
   hostNetwork: false
@@ -31,8 +39,9 @@ opencost:
   enabled: true
   opencost:
     prometheus:
-      username: "motel"
-      password: "motel"
+      existingSecretName: grafana-admin-credentials
+      username_key: GF_SECURITY_ADMIN_USER
+      password_key: GF_SECURITY_ADMIN_PASSWORD
       external:
         enabled: true
         url: "https://vmauth.storage0.example.net/vm/select/0/prometheus"

diff --git a/charts/motel-mothership/templates/grafana/grafana.yaml b/charts/motel-mothership/templates/grafana/grafana.yaml
@@ -46,15 +46,26 @@ spec:
                 - name: grafana-data
                   mountPath: /var/lib/grafana
           volumes:
-          - name: grafana-data
-            persistentVolumeClaim:
-              claimName: grafana-vm-pvc
+            - name: grafana-data
+              persistentVolumeClaim:
+                claimName: grafana-vm-pvc
+          containers:
+            - name: grafana
+              env:
+                - name: GF_SECURITY_ADMIN_USER
+                  valueFrom:
+                    secretKeyRef:
+                      key: GF_SECURITY_ADMIN_USER
+                      name: {{ .Values.grafana.security.credentials_secret_name }}
+                - name: GF_SECURITY_ADMIN_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: GF_SECURITY_ADMIN_PASSWORD
+                      name: {{ .Values.grafana.security.credentials_secret_name }}
   config:
     plugins:
       allow_loading_unsigned_plugins: victoriametrics-datasource,victoriametrics-logs-datasource
-    security:
-      admin_user: {{ .Values.grafana.security.admin_user | quote }}
-      admin_password: {{ .Values.grafana.security.admin_password | quote }}
+
   ingress:
     metadata:
       annotations:

diff --git a/charts/motel-mothership/templates/grafana/logs-datasource.yaml b/charts/motel-mothership/templates/grafana/logs-datasource.yaml
@@ -1,27 +1,4 @@
 {{- if .Values.grafana.enabled }}
-apiVersion: grafana.integreatly.org/v1beta1
-kind: GrafanaDatasource
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: Helm
-  name: victorialogs
-  namespace: {{ $.Release.Namespace }}
-spec:
-  datasource:
-    access: proxy
-    isDefault: false
-    name: victorialogs
-    type: "victoriametrics-logs-datasource"
-    url: "http://vmselect-cluster.{{ .Release.Namespace }}:8481"
-    basicAuth: true
-    basicAuthUser: motel
-    secureJsonData:
-      basicAuthPassword: motel
-  instanceSelector:
-    matchLabels:
-      dashboards: grafana
-  resyncPeriod: 5m
----
 {{- range .Values.grafana.logSources }}
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
@@ -31,16 +8,24 @@ metadata:
   name: {{ .name }}
   namespace: {{ $.Release.Namespace }}
 spec:
+  valuesFrom:
+    - targetPath: "basicAuthUser"
+      valueFrom:
+        secretKeyRef:
+          key: {{ .auth.username_key | default "GF_SECURITY_ADMIN_USER" }}
+          name: {{ .auth.credentials_secret_name }}
+    - targetPath: "secureJsonData.basicAuthPassword"
+      valueFrom:
+        secretKeyRef:
+          key: {{ .auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD" }}
+          name: {{ .auth.credentials_secret_name }}
   datasource:
     access: proxy
     isDefault: false
     name: {{ .name }}
     type: {{ .type | default "victoriametrics-logs-datasource" }}
     url: {{ .url }}
     basicAuth: true
-    basicAuthUser: {{ .auth.username | quote }}
-    secureJsonData:
-      basicAuthPassword: {{ .auth.password | quote }}
   instanceSelector:
     matchLabels:
       dashboards: grafana

diff --git a/charts/motel-mothership/templates/promxy/_helpers.tpl b/charts/motel-mothership/templates/promxy/_helpers.tpl
@@ -63,11 +63,11 @@ Create the name of the service account to use
 {{- end -}}
 
 {{/*
-Defins the name of configmap
+Defins the name of secret
 */}}
-{{- define "chart.configname" -}}
-{{- if .Values.promxy.configMap -}}
-{{- .Values.promxy.configMap -}}
+{{- define "chart.secretname" -}}
+{{- if .Values.promxy.secret -}}
+{{- .Values.promxy.secret -}}
 {{- else -}}
 {{- include "chart.fullname" . -}}-promxy-config
 {{- end -}}

diff --git a/charts/motel-mothership/templates/promxy/deployment.yaml b/charts/motel-mothership/templates/promxy/deployment.yaml
@@ -113,6 +113,6 @@ spec:
             memory: 20Mi
       volumes:
       - name: config
-        configMap:
-          name: {{ include "chart.configname" .}}
+        secret:
+          secretName: {{ include "chart.secretname" .}}
 {{- end }}
diff --git a/...othership/templates/promxy/configmap.yaml → ...l-mothership/templates/promxy/secret.yaml b/...othership/templates/promxy/configmap.yaml → ...l-mothership/templates/promxy/secret.yaml
@@ -1,15 +1,15 @@
-{{- if eq .Values.promxy.configMap "" }}
+{{- if eq .Values.promxy.secret "" }}
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: {{ include "chart.configname" . }}
+  name: {{ include "chart.secretname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "chart.labels" . | nindent 4 }}
     {{- if .Values.promxy.extraLabels }}
     {{ toYaml .Values.promxy.extraLabels | nindent 4 }}
     {{- end }}
-data:
+stringData:
   config.yaml: |
     global:
       evaluation_interval: 5s
@@ -32,9 +32,12 @@ data:
             tls_config:
               insecure_skip_verify: true
             basic_auth:
-              username: {{ .auth.username | quote }}
-              password: {{ .auth.password | quote }}
+{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .auth.credentials_secret_name) }}
+{{- if $secret }}
+              username: {{ index $secret.data (.auth.username_key | default "GF_SECURITY_ADMIN_USER") | b64dec | quote }}
+              password: {{ index $secret.data (.auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD") | b64dec | quote }}
+{{- end }}
           labels:
             promxyCluster: {{ .clusterName | quote }}
         {{- end }}
-{{- end }}
+{{- end }}