From c57f5752ebed4b4ed4457b89cbfc53575039cff5 Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Fri, 27 Dec 2024 16:32:34 +0200 Subject: [PATCH 1/6] Remove unused log source from mothership grafana --- .../templates/grafana/logs-datasource.yaml | 23 ------------------- 1 file changed, 23 deletions(-) diff --git a/charts/motel-mothership/templates/grafana/logs-datasource.yaml b/charts/motel-mothership/templates/grafana/logs-datasource.yaml index ec5b0aa..49a4f7d 100644 --- a/charts/motel-mothership/templates/grafana/logs-datasource.yaml +++ b/charts/motel-mothership/templates/grafana/logs-datasource.yaml @@ -1,27 +1,4 @@ {{- if .Values.grafana.enabled }} -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDatasource -metadata: - labels: - app.kubernetes.io/managed-by: Helm - name: victorialogs - namespace: {{ $.Release.Namespace }} -spec: - datasource: - access: proxy - isDefault: false - name: victorialogs - type: "victoriametrics-logs-datasource" - url: "http://vmselect-cluster.{{ .Release.Namespace }}:8481" - basicAuth: true - basicAuthUser: motel - secureJsonData: - basicAuthPassword: motel - instanceSelector: - matchLabels: - dashboards: grafana - resyncPeriod: 5m ---- {{- range .Values.grafana.logSources }} apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDatasource From ac31483f64915a9d32b4515b2ac46b82d4361ca6 Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Fri, 27 Dec 2024 14:35:10 +0200 Subject: [PATCH 2/6] Replace hardcoded credentials in values with secret reference --- Makefile | 4 ++-- README.md | 24 ++++++++++++++++--- .../templates/grafana/grafana.yaml | 23 +++++++++++++----- .../templates/grafana/logs-datasource.yaml | 14 ++++++++--- .../templates/promxy/configmap.yaml | 7 +++--- charts/motel-mothership/values.yaml | 15 ++++-------- demo/demo-mothership-values.yaml | 4 +--- 7 files changed, 61 insertions(+), 30 deletions(-) diff --git a/Makefile b/Makefile index faf89a1..ad1d9cf 100644 --- a/Makefile +++ b/Makefile 
@@ -103,8 +103,8 @@ dev-storage-deploy: dev ## Deploy motel-storage helm chart to the K8s cluster sp dev-ms-deploy-aws: dev ## Deploy Mothership helm chart to the K8s cluster specified in ~/.kube/config for a remote storage cluster cp -f $(TEMPLATES_DIR)/motel-mothership/values.yaml dev/mothership-values.yaml @$(YQ) eval -i '.hmc.installTemplates = true' dev/mothership-values.yaml - @$(YQ) eval -i '.grafana.logSources = [{"name": "$(USER)-storage", "url": "https://vmauth.$(STORAGE_DOMAIN)/vls", "type": "victoriametrics-logs-datasource", "auth": {"username": "motel", "password": "motel"} }]' dev/mothership-values.yaml - @$(YQ) eval -i '.promxy.config.serverGroups = [{"clusterName": "$(USER)-storage", "targets": ["vmauth.$(STORAGE_DOMAIN):443"], "auth": {"username": "motel", "password": "motel"}}]' dev/mothership-values.yaml + @$(YQ) eval -i '.grafana.logSources = [{"name": "$(USER)-storage", "url": "https://vmauth.$(STORAGE_DOMAIN)/vls", "type": "victoriametrics-logs-datasource", "auth": {"credentials_secret_name": "grafana-admin-credentials"}}]' dev/mothership-values.yaml + @$(YQ) eval -i '.promxy.config.serverGroups = [{"clusterName": "$(USER)-storage", "targets": ["vmauth.$(STORAGE_DOMAIN):443"], "auth": {"credentials_secret_name": "grafana-admin-credentials"}}]' dev/mothership-values.yaml @$(YQ) eval -i '.hmc.motel.charts.collectors.version = "$(COLLECTORS_VERSION)"' dev/mothership-values.yaml @$(YQ) eval -i '.hmc.motel.charts.storage.version = "$(STORAGE_VERSION)"' dev/mothership-values.yaml diff --git a/README.md b/README.md index cd980d7..8ced25f 100644 --- a/README.md +++ b/README.md 
@@ -10,10 +10,26 @@ This repo contains 4 charts to deploy a monitoring stack using HMC and get metri ### Demo deployment In `demo/demo-mothership-values.yaml` set your target ingress names that you are going to use for your regional clusters, but they can always be changed after the fact + +Create secrets for grafana admin user and storage clusters datasources endpoint access. By default the secret below be reused everywhere, but it is customizable. + +```yaml +--- +kind: Secret +apiVersion: v1 +metadata: + name: grafana-admin-credentials + namespace: motel +stringData: + GF_SECURITY_ADMIN_USER: username # Grafana username + GF_SECURITY_ADMIN_PASSWORD: password # Grafana password +type: Opaque ``` + +```bash helm repo add motel https://mirantis.github.io/motel/ helm repo update -helm upgrade -i motel motel/motel-mothership -n hmc-system -f demo/demo-mothership-values.yaml +helm upgrade -i motel motel/motel-mothership -n motel -f demo/demo-mothership-values.yaml ``` ## Storage chart @@ -28,13 +44,15 @@ helm upgrade -i motel motel/motel-mothership -n hmc-system -f demo/demo-mothersh To deploy storage `managedcluster` configure desired ingress names for vmauth and regional Grafana in it's values for the `motel-storage` template. `demo/cluster/aws-storage.yaml` contains example definitions -``` + +```bash kubectl apply -f demo/cluster/aws-storage.yaml # you can check helm chart deployment status using ClusterSummary object: kubectl get clustersummaries.config.projectsveltos.io -n hmc-system ``` Once the storage managedcluster is ready - retrieve its kubeconfig and get loadbalancer IP/DNS name for your ingress-nginx service. -``` + +```bash kubectl get secret -n hmc-system aws-storage-kubeconfig -o jsonpath={.data.value} | base64 -d > /tmp/hmc-aws-storage-kubeconfig.yaml export KUBECONFIG=/tmp/hmc-aws-storage-kubeconfig.yaml kubectl get svc -n ingress-nginx ingress-nginx-controller 
diff --git a/charts/motel-mothership/templates/grafana/grafana.yaml b/charts/motel-mothership/templates/grafana/grafana.yaml index e543904..984ee1b 100644 --- a/charts/motel-mothership/templates/grafana/grafana.yaml +++ b/charts/motel-mothership/templates/grafana/grafana.yaml @@ -46,15 +46,26 @@ spec: - name: grafana-data mountPath: /var/lib/grafana volumes: - - name: grafana-data - persistentVolumeClaim: - claimName: grafana-vm-pvc + - name: grafana-data + persistentVolumeClaim: + claimName: grafana-vm-pvc + containers: + - name: grafana + env: + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + key: GF_SECURITY_ADMIN_USER + name: {{ .Values.grafana.security.credentials_secret_name }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: GF_SECURITY_ADMIN_PASSWORD + name: {{ .Values.grafana.security.credentials_secret_name }} config: plugins: allow_loading_unsigned_plugins: victoriametrics-datasource,victoriametrics-logs-datasource - security: - admin_user: {{ .Values.grafana.security.admin_user | quote }} - admin_password: {{ .Values.grafana.security.admin_password | quote }} + ingress: metadata: annotations: diff --git a/charts/motel-mothership/templates/grafana/logs-datasource.yaml b/charts/motel-mothership/templates/grafana/logs-datasource.yaml index 49a4f7d..690b969 100644 --- a/charts/motel-mothership/templates/grafana/logs-datasource.yaml +++ b/charts/motel-mothership/templates/grafana/logs-datasource.yaml @@ -8,6 +8,17 @@ metadata: name: {{ .name }} namespace: {{ $.Release.Namespace }} spec: + valuesFrom: + - targetPath: "basicAuthUser" + valueFrom: + secretKeyRef: + key: {{ .auth.username_key | default "GF_SECURITY_ADMIN_USER" }} + name: {{ .auth.credentials_secret_name }} + - targetPath: "secureJsonData.basicAuthPassword" + valueFrom: + secretKeyRef: + key: {{ .auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD" }} + name: {{ .auth.credentials_secret_name }} datasource: access: proxy isDefault: false 
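Review bot: Both new `secretKeyRef` entries render `name: {{ .Values.grafana.security.credentials_secret_name }}` unquoted and unvalidated, so an unset value renders as a bare `name:` (null) and the problem surfaces only when the Grafana pod is created, not at `helm upgrade` time, while a digit-only secret name would be retyped as an integer. Prefer `name: {{ .Values.grafana.security.credentials_secret_name | required "grafana.security.credentials_secret_name is required" | quote }}` for both entries. The same unquoted, unvalidated secret-name reference appears in the logs-datasource.yaml hunk on this line (`name: {{ .auth.credentials_secret_name }}`, twice), in the motel-storage grafana.yaml hunk of PATCH 4/6 and in vmuser.yaml's `passwordRef.name` there. The resource's `spec:` begins outside the hunk, so I could not confirm that the added `containers:` list sits at the pod-template level next to `volumes:`.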
@@ -15,9 +26,6 @@ spec: type: {{ .type | default "victoriametrics-logs-datasource" }} url: {{ .url }} basicAuth: true - basicAuthUser: {{ .auth.username | quote }} - secureJsonData: - basicAuthPassword: {{ .auth.password | quote }} instanceSelector: matchLabels: dashboards: grafana diff --git a/charts/motel-mothership/templates/promxy/configmap.yaml b/charts/motel-mothership/templates/promxy/configmap.yaml index fc54393..7772754 100644 --- a/charts/motel-mothership/templates/promxy/configmap.yaml +++ b/charts/motel-mothership/templates/promxy/configmap.yaml @@ -32,9 +32,10 @@ data: tls_config: insecure_skip_verify: true basic_auth: - username: {{ .auth.username | quote }} - password: {{ .auth.password | quote }} +{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .auth.credentials_secret_name) }} + username: {{ index $secret.data (.auth.username_key | default "GF_SECURITY_ADMIN_USER") | quote }} + password: {{ index $secret.data (.auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD") | quote }} labels: promxyCluster: {{ .clusterName | quote }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/motel-mothership/values.yaml b/charts/motel-mothership/values.yaml index 9fbc100..fabf678 100644 --- a/charts/motel-mothership/values.yaml +++ b/charts/motel-mothership/values.yaml @@ -38,17 +38,14 @@ grafana: url: https://vmauth.hmc0.example.net/vls type: victoriametrics-logs-datasource auth: - username: motel - password: motel + credentials_secret_name: grafana-admin-credentials - name: hmc1-logs url: https://vmauth.hmc1.example.net/vls type: victoriametrics-logs-datasource auth: - username: motel - password: motel + credentials_secret_name: grafana-admin-credentials security: - admin_user: motel - admin_password: motel + credentials_secret_name: grafana-admin-credentials victoria-metrics-operator: enabled: true crds: 
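Review bot: The new default `credentials_secret_name: grafana-admin-credentials` serves two different roles in this hunk alone — the Grafana admin login under `security:` and the basic-auth credential each `logSources` entry presents to a storage cluster's vmauth — and the `promxy.config.serverGroups` hunk at @@ -102 and the Makefile hunk reuse it as well, so the Grafana admin password doubles as the password sent to every remote storage endpoint. PATCH 4/6 goes further and binds vmauth's own password to the `GF_SECURITY_ADMIN_PASSWORD` key of that same secret in charts/motel-storage/values.yaml. Consider shipping distinct default secret names for the two roles (the demo values in PATCH 3/6 already introduce `vmauth-credentials` with `username`/`password` keys) so that a leaked datasource credential does not also grant Grafana admin and the two can be rotated independently.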
@@ -102,11 +99,9 @@ promxy: targets: - vmauth.hmc0.example.net:443 auth: - username: motel - password: motel + credentials_secret_name: grafana-admin-credentials - clusterName: hmc1 targets: - vmauth.hmc1.example.net:443 auth: - username: motel - password: motel + credentials_secret_name: grafana-admin-credentials diff --git a/demo/demo-mothership-values.yaml b/demo/demo-mothership-values.yaml index 484a7fa..50927db 100644 --- a/demo/demo-mothership-values.yaml +++ b/demo/demo-mothership-values.yaml @@ -28,8 +28,7 @@ grafana: username: motel password: motel security: - admin_user: motel - admin_password: motel + credentials_secret_name: grafana-admin-credentials victoria-metrics-operator: enabled: true crds: @@ -86,4 +85,3 @@ promxy: auth: username: motel password: motel - From 27076f610853a94549d6e095bb21d7dce90b118a Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Fri, 27 Dec 2024 19:20:00 +0200 Subject: [PATCH 3/6] Replace promxy configmap with secret Due to configuration contains server group authentication --- .../motel-mothership/templates/promxy/_helpers.tpl | 8 ++++---- .../templates/promxy/deployment.yaml | 4 ++-- .../templates/promxy/{configmap.yaml => secret.yaml} | 12 ++++++------ charts/motel-mothership/values.yaml | 2 +- demo/demo-mothership-values.yaml | 12 +++++++----- 5 files changed, 20 insertions(+), 18 deletions(-) rename charts/motel-mothership/templates/promxy/{configmap.yaml => secret.yaml} (85%) diff --git a/charts/motel-mothership/templates/promxy/_helpers.tpl b/charts/motel-mothership/templates/promxy/_helpers.tpl index 9aafe9e..f86f60b 100644 --- a/charts/motel-mothership/templates/promxy/_helpers.tpl +++ b/charts/motel-mothership/templates/promxy/_helpers.tpl 
@@ -63,11 +63,11 @@ Create the name of the service account to use {{- end -}} {{/* -Defins the name of configmap +Defins the name of secret */}} -{{- define "chart.configname" -}} -{{- if .Values.promxy.configMap -}} -{{- .Values.promxy.configMap -}} +{{- define "chart.secretname" -}} +{{- if .Values.promxy.secret -}} +{{- .Values.promxy.secret -}} {{- else -}} {{- include "chart.fullname" . -}}-promxy-config {{- end -}} diff --git a/charts/motel-mothership/templates/promxy/deployment.yaml b/charts/motel-mothership/templates/promxy/deployment.yaml index e368d71..135a7ac 100644 --- a/charts/motel-mothership/templates/promxy/deployment.yaml +++ b/charts/motel-mothership/templates/promxy/deployment.yaml @@ -113,6 +113,6 @@ spec: memory: 20Mi volumes: - name: config - configMap: - name: {{ include "chart.configname" .}} + secret: + secretName: {{ include "chart.secretname" .}} {{- end }} diff --git a/charts/motel-mothership/templates/promxy/configmap.yaml b/charts/motel-mothership/templates/promxy/secret.yaml similarity index 85% rename from charts/motel-mothership/templates/promxy/configmap.yaml rename to charts/motel-mothership/templates/promxy/secret.yaml index 7772754..3e53639 100644 --- a/charts/motel-mothership/templates/promxy/configmap.yaml +++ b/charts/motel-mothership/templates/promxy/secret.yaml @@ -1,15 +1,15 @@ -{{- if eq .Values.promxy.configMap "" }} +{{- if eq .Values.promxy.secret "" }} apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: - name: {{ include "chart.configname" . }} + name: {{ include "chart.secretname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "chart.labels" . | nindent 4 }} {{- if .Values.promxy.extraLabels }} {{ toYaml .Values.promxy.extraLabels | nindent 4 }} {{- end }} -data: +stringData: config.yaml: | global: evaluation_interval: 5s 
@@ -33,8 +33,8 @@ data: insecure_skip_verify: true basic_auth: {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .auth.credentials_secret_name) }} - username: {{ index $secret.data (.auth.username_key | default "GF_SECURITY_ADMIN_USER") | quote }} - password: {{ index $secret.data (.auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD") | quote }} + username: {{ index $secret.data (.auth.username_key | default "GF_SECURITY_ADMIN_USER") | b64dec | quote }} + password: {{ index $secret.data (.auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD") | b64dec | quote }} labels: promxyCluster: {{ .clusterName | quote }} {{- end }} diff --git a/charts/motel-mothership/values.yaml b/charts/motel-mothership/values.yaml index fabf678..7372707 100644 --- a/charts/motel-mothership/values.yaml +++ b/charts/motel-mothership/values.yaml @@ -91,7 +91,7 @@ promxy: memory: 128Mi extraArgs: log-level: "info" - configMap: "" + secret: "" config: remoteWriteUrl: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write serverGroups: diff --git a/demo/demo-mothership-values.yaml b/demo/demo-mothership-values.yaml index 50927db..f5527eb 100644 --- a/demo/demo-mothership-values.yaml +++ b/demo/demo-mothership-values.yaml @@ -25,8 +25,9 @@ grafana: url: https://vmauth.hmc0.example.net/vls type: victorialogs-datasource auth: - username: motel - password: motel + credentials_secret_name: vmauth-credentials + username_key: "username" + password_key: "password" security: credentials_secret_name: grafana-admin-credentials victoria-metrics-operator: @@ -75,7 +76,7 @@ promxy: memory: 128Mi extraArgs: log-level: "info" - configMap: "" + secret: "" config: remoteWriteUrl: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write serverGroups: @@ -83,5 +84,6 @@ promxy: targets: - vmauth.hmc0.example.net:443 auth: - username: motel - password: motel + credentials_secret_name: vmauth-credentials + username_key: "username" + password_key: "password" 
From d0904598d3a46fd7429b4b791af43190026aada7 Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Mon, 30 Dec 2024 13:45:26 +0200 Subject: [PATCH 4/6] Replace hardcoded credentials in storage helm chart values --- README.md | 2 ++ .../motel-storage/templates/grafana/grafana.yaml | 16 +++++++++++++--- .../templates/victoria/vmuser-creds.yaml | 12 ------------ .../motel-storage/templates/victoria/vmuser.yaml | 4 ++-- charts/motel-storage/values.yaml | 6 +++--- demo/cluster/aws-storage.yaml | 8 +++++--- 6 files changed, 25 insertions(+), 23 deletions(-) delete mode 100644 charts/motel-storage/templates/victoria/vmuser-creds.yaml diff --git a/README.md b/README.md index 8ced25f..fec0935 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,8 @@ export KUBECONFIG=/tmp/hmc-aws-storage-kubeconfig.yaml kubectl get svc -n ingress-nginx ingress-nginx-controller ``` +Create secrets for grafana and vmauth according to the names provided in helm values. + With your preffered DNS hosting, set your ingress domains to resolve to that IP/DNS name, that's how the traffic will flow to/from regional cluster. To simplify this process it is posssible to enable [external-dns](https://kubernetes-sigs.github.io/external-dns/) helm chart deployment in values. diff --git a/charts/motel-storage/templates/grafana/grafana.yaml b/charts/motel-storage/templates/grafana/grafana.yaml index b47b84c..881ba5f 100644 --- a/charts/motel-storage/templates/grafana/grafana.yaml +++ b/charts/motel-storage/templates/grafana/grafana.yaml 
@@ -48,12 +48,22 @@ spec: - name: grafana-data persistentVolumeClaim: claimName: grafana-vm-pvc + containers: + - name: grafana + env: + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + key: GF_SECURITY_ADMIN_USER + name: {{ .Values.grafana.security.credentials_secret_name }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: GF_SECURITY_ADMIN_PASSWORD + name: {{ .Values.grafana.security.credentials_secret_name }} config: plugins: allow_loading_unsigned_plugins: victoriametrics-datasource,victoriametrics-logs-datasource - security: - admin_user: {{ .Values.grafana.security.admin_user | quote }} - admin_password: {{ .Values.grafana.security.admin_password | quote }} {{- if .Values.grafana.ingress.enabled }} ingress: metadata: diff --git a/charts/motel-storage/templates/victoria/vmuser-creds.yaml b/charts/motel-storage/templates/victoria/vmuser-creds.yaml deleted file mode 100644 index e26c4dc..0000000 --- a/charts/motel-storage/templates/victoria/vmuser-creds.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.victoriametrics.enabled }} -{{- if .Values.victoriametrics.vmauth.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: vmuser-creds - namespace: {{ .Release.Namespace }} -type: Opaque -stringData: - password: {{ .Values.victoriametrics.vmauth.credentials.password | default "motel" }} -{{- end }} -{{- end }} diff --git a/charts/motel-storage/templates/victoria/vmuser.yaml b/charts/motel-storage/templates/victoria/vmuser.yaml index c87dddd..66d7bd5 100644 --- a/charts/motel-storage/templates/victoria/vmuser.yaml +++ b/charts/motel-storage/templates/victoria/vmuser.yaml 
@@ -24,7 +24,7 @@ spec: url: http://vminsert-cluster.{{ .Release.Namespace }}.svc:8480 username: {{ .Values.victoriametrics.vmauth.credentials.username | default "motel" }} passwordRef: - key: password - name: vmuser-creds + key: {{ .Values.victoriametrics.vmauth.credentials.password_key | default "password" }} + name: {{ .Values.victoriametrics.vmauth.credentials.password_secret_name }} {{- end }} {{- end }} diff --git a/charts/motel-storage/values.yaml b/charts/motel-storage/values.yaml index faf194e..103456f 100644 --- a/charts/motel-storage/values.yaml +++ b/charts/motel-storage/values.yaml @@ -25,8 +25,9 @@ victoriametrics: vmauth: enabled: true credentials: + password_secret_name: grafana-admin-credentials + password_key: "GF_SECURITY_ADMIN_PASSWORD" username: motel - password: motel ingress: host: vmauth.hmc0.example.net vmcluster: @@ -47,8 +48,7 @@ grafana: alerts: enabled: true security: - admin_user: motel - admin_password: motel + credentials_secret_name: grafana-admin-credentials ingress: enabled: true host: grafana.hmc0.example.net diff --git a/demo/cluster/aws-storage.yaml b/demo/cluster/aws-storage.yaml index 89b1f3c..0c97719 100644 --- a/demo/cluster/aws-storage.yaml +++ b/demo/cluster/aws-storage.yaml @@ -39,11 +39,13 @@ spec: vmauth: ingress: host: vmauth.storage0.example.net - credentials: - username: motel - password: motel + security: + password_secret_name: grafana-admin-credentials + password_key: "GF_SECURITY_ADMIN_PASSWORD" grafana: ingress: host: grafana.storage0.example.net + security: + credentials_secret_name: grafana-admin-credentials cert-manager: email: mail@example.net From 7faa0a5fbf486f816c98939b14276d0020c03b34 Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Mon, 30 Dec 2024 13:53:42 +0200 Subject: [PATCH 5/6] Fix helm-push lint --- charts/motel-mothership/templates/promxy/secret.yaml | 2 ++ 1 file changed, 2 insertions(+) 
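Review bot: demo/cluster/aws-storage.yaml puts `password_secret_name`/`password_key` under `vmauth.security:`, but the vmuser.yaml hunk in this same patch reads `.Values.victoriametrics.vmauth.credentials.password_secret_name` and `.credentials.password_key`, so with these demo values `passwordRef.name` renders empty and the VMUser has no usable password reference. Rename the block to `credentials:` so it matches the chart's values.yaml hunk (the `credentials:` mapping this hunk removes was already the right location). If `security:` was intentional, the template would have to read that path instead; as written the two disagree and nothing fails at render time.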
diff --git a/charts/motel-mothership/templates/promxy/secret.yaml b/charts/motel-mothership/templates/promxy/secret.yaml index 3e53639..7182c8e 100644 --- a/charts/motel-mothership/templates/promxy/secret.yaml +++ b/charts/motel-mothership/templates/promxy/secret.yaml @@ -33,8 +33,10 @@ stringData: insecure_skip_verify: true basic_auth: {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .auth.credentials_secret_name) }} +{{- if $secret }} username: {{ index $secret.data (.auth.username_key | default "GF_SECURITY_ADMIN_USER") | b64dec | quote }} password: {{ index $secret.data (.auth.password_key | default "GF_SECURITY_ADMIN_PASSWORD") | b64dec | quote }} +{{- end }} labels: promxyCluster: {{ .clusterName | quote }} {{- end }} From 739670397f9433ae23413cb288c667f253ad9a54 Mon Sep 17 00:00:00 2001 From: Aleksei Larkov Date: Mon, 30 Dec 2024 16:26:53 +0200 Subject: [PATCH 6/6] Replace hardcoded credentials in collector helm chart --- Makefile | 8 ++++---- README.md | 2 +- charts/motel-collectors/templates/_helpers.tpl | 13 +++++++++++++ .../templates/opentelemetry/collector.yaml | 16 +++++++--------- .../templates/opentelemetry/node-collector.yaml | 16 +++++++--------- charts/motel-collectors/values.yaml | 17 +++++++++++++---- demo/cluster/aws-managed.yaml | 15 +++++++++++++-- 7 files changed, 58 insertions(+), 29 deletions(-) create mode 100644 charts/motel-collectors/templates/_helpers.tpl diff --git a/Makefile b/Makefile index ad1d9cf..78c0625 100644 --- a/Makefile +++ b/Makefile 
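Review bot: Wrapping the `username:`/`password:` lines in `{{- if $secret }}` turns a missing or misnamed secret into a silently rendered `basic_auth:` with no children, so promxy either rejects its config at start or, depending on how it treats a null `basic_auth`, talks to vmauth without credentials, and the mistake is no longer visible at `helm upgrade` time. `lookup` also returns nothing under `helm template`, `--dry-run` and GitOps renderers, so every offline render produces that credential-less config, and because the value is copied at render time a rotation of the referenced secret is not picked up until the next release. If the lookup stays, fail loudly instead of rendering a half config: `{{- else }}{{ fail (printf "secret %s/%s not found" $.Release.Namespace .auth.credentials_secret_name) }}` before the closing `{{- end }}`, accepting that offline renders then need the secret supplied another way. The `range` over server groups that this hunk sits in starts outside the hunk.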
@@ -85,8 +85,8 @@ dev-operators-deploy: dev ## Deploy motel-operators helm chart to the K8s cluste .PHONY: dev-collectors-deploy dev-collectors-deploy: dev ## Deploy motel-collector helm chart to the K8s cluster specified in ~/.kube/config cp -f $(TEMPLATES_DIR)/motel-collectors/values.yaml dev/collectors-values.yaml - @$(YQ) eval -i '.motel.logs_endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml - @$(YQ) eval -i '.motel.metrics_endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml + @$(YQ) eval -i '.motel.logs.endpoint = "http://$(MOTEL_STORAGE_NAME)-victoria-logs-single-server.$(MOTEL_STORAGE_NS):9428/insert/opentelemetry/v1/logs"' dev/collectors-values.yaml + @$(YQ) eval -i '.motel.metrics.endpoint = "http://vminsert-cluster.$(MOTEL_STORAGE_NS):8480/insert/0/prometheus/api/v1/write"' dev/collectors-values.yaml @$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "http://vmselect-cluster.$(MOTEL_STORAGE_NS):8481/select/0/prometheus"' dev/collectors-values.yaml $(HELM) upgrade -i motel-collectors ./charts/motel-collectors --create-namespace -n motel -f dev/collectors-values.yaml 
@@ -135,8 +135,8 @@ dev-managed-deploy-aws: dev ## Deploy Regional Managed cluster using HMC @$(YQ) eval -i '.metadata.name = "$(USER)-aws-managed"' dev/aws-managed.yaml @$(YQ) '.spec.services[] | select(.name == "motel-collectors") | .values' dev/aws-managed.yaml > dev/motel-managed-values.yaml @$(YQ) eval -i '.opencost.opencost.prometheus.external.url = "https://vmauth.$(STORAGE_DOMAIN)/vm/select/0/prometheus"' dev/motel-managed-values.yaml - @$(YQ) eval -i '.motel.logs_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml - @$(YQ) eval -i '.motel.metrics_endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml + @$(YQ) eval -i '.motel.logs.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vls/insert/opentelemetry/v1/logs"' dev/motel-managed-values.yaml + @$(YQ) eval -i '.motel.metrics.endpoint = "https://vmauth.$(STORAGE_DOMAIN)/vm/insert/0/prometheus/api/v1/write"' dev/motel-managed-values.yaml @$(YQ) eval -i '(.spec.services[] | select(.name == "motel-collectors")).values |= load_str("dev/motel-managed-values.yaml")' dev/aws-managed.yaml kubectl apply -f dev/aws-managed.yaml diff --git a/README.md b/README.md index fec0935..e3ba587 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ kubectl apply -f demo/cluster/aws-managed.yaml kubectl get clustersummaries.config.projectsveltos.io -n hmc-system ``` -Once your managed clusters are up, it should start pushing metrics and logs to your storage one, through ingress domain you've configured. +Once your managed clusters are up, create secrets for storage cluster authentication, it should start pushing metrics and logs to your storage one, through ingress domain you've configured. Check your storage cluster's Grafana for results first, then you should be able to see the same cluster in Grafana on the "mothership". ### Scaling up 
diff --git a/charts/motel-collectors/templates/_helpers.tpl b/charts/motel-collectors/templates/_helpers.tpl new file mode 100644 index 0000000..00d78f5 --- /dev/null +++ b/charts/motel-collectors/templates/_helpers.tpl @@ -0,0 +1,13 @@ +{{- /* Basic auth extensions */ -}} +{{- define "basic_auth_extensions" -}} +{{- range tuple "metrics" "logs" }} +{{- $secret := (lookup "v1" "Secret" $.Release.Namespace (index $.Values "motel" . "credentials_secret_name")) }} +{{- if $secret }} +basicauth/{{ . }}: + client_auth: + username: {{ index $secret.data (index $.Values "motel" . "username_key") | b64dec | quote }} + password: {{ index $secret.data (index $.Values "motel" . "password_key") | b64dec | quote }} +{{- end }} +{{- end }} +{{- end }} + diff --git a/charts/motel-collectors/templates/opentelemetry/collector.yaml b/charts/motel-collectors/templates/opentelemetry/collector.yaml index c64b823..2f7228a 100644 --- a/charts/motel-collectors/templates/opentelemetry/collector.yaml +++ b/charts/motel-collectors/templates/opentelemetry/collector.yaml @@ -41,25 +41,23 @@ spec: exporters: debug: {} prometheusremotewrite: - endpoint: {{ .Values.motel.metrics_endpoint }} + endpoint: {{ .Values.motel.metrics.endpoint }} tls: insecure: true auth: - authenticator: basicauth/client + authenticator: basicauth/metrics otlphttp: auth: - authenticator: basicauth/client - logs_endpoint: {{ .Values.motel.logs_endpoint }} + authenticator: basicauth/logs + logs_endpoint: {{ .Values.motel.logs.endpoint }} extensions: - basicauth/client: - client_auth: - username: motel - password: motel + {{- include "basic_auth_extensions" . | nindent 6 }} service: extensions: - - basicauth/client + - basicauth/metrics + - basicauth/logs pipelines: logs: exporters: diff --git a/charts/motel-collectors/templates/opentelemetry/node-collector.yaml b/charts/motel-collectors/templates/opentelemetry/node-collector.yaml index 03b4d84..4087716 100644 
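Review bot: The `{{- if $secret }}` guard in `basic_auth_extensions` drops a `basicauth/metrics` or `basicauth/logs` extension when its secret cannot be looked up, but the collector.yaml hunk on this line and the node-collector.yaml hunk that follows list both names unconditionally under `service.extensions` and in the exporters' `authenticator:`, so the rendered OpenTelemetryCollector references an extension that does not exist and the collector fails to start instead of the release failing to render. `lookup` returns nothing under `helm template`/`--dry-run`, so that is also what every offline render produces, and a missing `username_key`/`password_key` (the helper has no `default`, unlike the mothership templates) makes `index $secret.data` error on a nil key. The series already uses a cleaner pattern in the grafana.yaml hunks: expose the secret through `env` entries with `valueFrom.secretKeyRef` and let the collector resolve `${env:...}` in its config, which keeps the plaintext out of the CR, renders identically with and without cluster access and picks up rotations on pod restart. With that, the helper only emits the references below (the matching `env` entries on the collector spec lie outside these hunks; the variable names are a constructed example).
```yaml
{{- define "basic_auth_extensions" -}}
{{- range tuple "metrics" "logs" }}
basicauth/{{ . }}:
  client_auth:
    username: "${env:MOTEL_{{ upper . }}_USERNAME}"
    password: "${env:MOTEL_{{ upper . }}_PASSWORD}"
{{- end }}
{{- end }}
```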
--- a/charts/motel-collectors/templates/opentelemetry/node-collector.yaml +++ b/charts/motel-collectors/templates/opentelemetry/node-collector.yaml @@ -128,28 +128,26 @@ spec: batch: {} extensions: - basicauth/client: - client_auth: - username: motel - password: motel + {{- include "basic_auth_extensions" . | nindent 6 }} exporters: prometheusremotewrite: - endpoint: {{ .Values.motel.metrics_endpoint }} + endpoint: {{ .Values.motel.metrics.endpoint }} tls: insecure: true auth: - authenticator: basicauth/client + authenticator: basicauth/metrics otlphttp: auth: - authenticator: basicauth/client - logs_endpoint: {{ .Values.motel.logs_endpoint }} + authenticator: basicauth/logs + logs_endpoint: {{ .Values.motel.logs.endpoint }} debug: verbosity: detailed service: extensions: - - basicauth/client + - basicauth/metrics + - basicauth/logs pipelines: logs: exporters: diff --git a/charts/motel-collectors/values.yaml b/charts/motel-collectors/values.yaml index abd35d3..c202c26 100644 --- a/charts/motel-collectors/values.yaml +++ b/charts/motel-collectors/values.yaml @@ -2,8 +2,16 @@ global: clusterLabel: clusterName clusterName: mothership motel: - logs_endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs - metrics_endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write + logs: + endpoint: http://victoria-logs-single-server:9428/insert/opentelemetry/v1/logs + credentials_secret_name: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD + metrics: + endpoint: http://vminsert-cluster:8480/insert/0/prometheus/api/v1/write + credentials_secret_name: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD prometheus-node-exporter: enabled: true hostNetwork: false 
@@ -31,8 +39,9 @@ opencost: enabled: true opencost: prometheus: - username: "motel" - password: "motel" + existingSecretName: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD external: enabled: true url: "https://vmauth.storage0.example.net/vm/select/0/prometheus" diff --git a/demo/cluster/aws-managed.yaml b/demo/cluster/aws-managed.yaml index 64e28a9..b36aa38 100644 --- a/demo/cluster/aws-managed.yaml +++ b/demo/cluster/aws-managed.yaml @@ -41,10 +41,21 @@ spec: enabled: true opencost: prometheus: + existingSecretName: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD external: url: "https://vmauth.storage0.example.net/vm/select/0/prometheus" exporter: defaultClusterId: "aws-managed0" motel: - logs_endpoint: https://vmauth.storage0.example.net/vls/insert/opentelemetry/v1/logs - metrics_endpoint: https://vmauth.storage0.example.net/vm/insert/0/prometheus/api/v1/write + logs: + credentials_secret_name: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD + endpoint: https://vmauth.storage0.example.net/vls/insert/opentelemetry/v1/logs + metrics: + credentials_secret_name: grafana-admin-credentials + username_key: GF_SECURITY_ADMIN_USER + password_key: GF_SECURITY_ADMIN_PASSWORD + endpoint: https://vmauth.storage0.example.net/vm/insert/0/prometheus/api/v1/write
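Review bot: `existingSecretName`, `username_key` and `password_key` under `opencost.opencost.prometheus` are consumed by the opencost subchart, and nothing on this page shows that subchart recognising `existingSecretName`; as far as I recall the upstream opencost chart names that field `secret_name` (next to `username_key`/`password_key`), and Helm ignores unknown values silently, which would leave opencost querying vmauth without credentials. Please confirm the key against the pinned subchart's templates before merging; the same keys are repeated in the demo/cluster/aws-managed.yaml hunk. A one-line `# consumed by the opencost subchart; key names must match its values.yaml` above `existingSecretName:` would help the next reader.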