Merge pull request #28 from grafana/use_secrets

Add secrets for credentials and endpoints
grafana · Apr 1, 2024 · 20232e9 · 20232e9
2 parents f61913d + 043a503
commit 20232e9
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 28 deletions.
diff --git a/charts/meta-monitoring/templates/agent/config.yaml b/charts/meta-monitoring/templates/agent/config.yaml
@@ -40,6 +40,11 @@ data:
     // Logs
 
     {{- if or .Values.local.logs.enabled .Values.cloud.logs.enabled }}
+    remote.kubernetes.secret "logs_credentials" {
+      namespace = "{{- .Values.metaMonitoringNamespace -}}"
+      name = "logs"
+    }
+
     loki.source.kubernetes "pods" {
       clustering {
         enabled = true
@@ -75,6 +80,11 @@ data:
     // Metrics
 
     {{- if or .Values.local.metrics.enabled .Values.cloud.metrics.enabled }}
+    remote.kubernetes.secret "metrics_credentials" {
+      namespace = "{{- .Values.metaMonitoringNamespace -}}"
+      name = "metrics"
+    }
+
     prometheus.scrape "pods" {
       clustering {
         enabled = true
@@ -210,6 +220,11 @@ data:
     // Traces
 
     {{- if or .Values.local.traces.enabled .Values.cloud.traces.enabled }}
+    remote.kubernetes.secret "traces_credentials" {
+      namespace = "{{- .Values.metaMonitoringNamespace -}}"
+      name = "traces"
+    }
+
     // Shamelessly copied from https://github.com/grafana/intro-to-mlt/blob/main/agent/config.river
     otelcol.receiver.otlp "otlp_receiver" {
       // We don't technically need this, but it shows how to change listen address and incoming port.
@@ -278,11 +293,10 @@ data:
     {{- if .Values.cloud.logs.enabled }}
     loki.write "cloud" {
       endpoint {
-        url = "{{- .Values.cloud.logs.endpoint -}}/loki/api/v1/push"
-
+        url = nonsensitive(remote.kubernetes.secret.logs_credentials.data["endpoint"])
         basic_auth {
-          username = "{{- .Values.cloud.logs.username -}}"
-          password = "{{- .Values.cloud.logs.password -}}"
+          username = nonsensitive(remote.kubernetes.secret.logs_credentials.data["username"])
+          password = remote.kubernetes.secret.logs_credentials.data["password"]
         }
       }
     }
@@ -291,11 +305,10 @@ data:
     {{- if .Values.cloud.metrics.enabled }}
     prometheus.remote_write "cloud" {
       endpoint {
-        url = "{{- .Values.cloud.metrics.endpoint -}}/api/prom/push"
-
+        url = nonsensitive(remote.kubernetes.secret.metrics_credentials.data["endpoint"])
         basic_auth {
-          username = "{{- .Values.cloud.metrics.username -}}"
-          password = "{{- .Values.cloud.metrics.password -}}"
+          username = nonsensitive(remote.kubernetes.secret.metrics_credentials.data["username"])
+          password = remote.kubernetes.secret.metrics_credentials.data["password"]
         }
       }
     }
@@ -304,13 +317,13 @@ data:
     {{- if .Values.cloud.traces.enabled }}
     otelcol.exporter.otlp "cloud" {
         client {
-            endpoint = "{{- .Values.cloud.traces.endpoint -}}"
+            endpoint = nonsensitive(remote.kubernetes.secret.traces_credentials.data["endpoint"])
             auth = otelcol.auth.basic.creds.handler
         }
     }
 
     otelcol.auth.basic "creds" {
-      username = "{{- .Values.cloud.traces.username -}}"
-      password = "{{- .Values.cloud.traces.password -}}"
+      username = nonsensitive(remote.kubernetes.secret.traces_credentials.data["username"])
+      password = remote.kubernetes.secret.traces_credentials.data["password"]
     }
     {{- end }}
diff --git a/charts/meta-monitoring/templates/validate.yaml b/charts/meta-monitoring/templates/validate.yaml
@@ -3,20 +3,20 @@
 {{- end -}}
 
 {{- if eq .Values.cloud.logs.enabled true -}}
-  {{- if or (empty .Values.cloud.logs.endpoint) (or (empty .Values.cloud.logs.username) (empty .Values.cloud.logs.password)) -}}
-    {{- fail "if cloud.logs is enabled then the endpoint, username and password have to be filled in" -}}
+  {{- if empty .Values.cloud.logs.secret -}}
+    {{- fail "if cloud.logs is enabled then the secret has to be filled in" -}}
   {{- end -}}
 {{- end -}}
 
 {{- if eq .Values.cloud.metrics.enabled true -}}
-  {{- if or (empty .Values.cloud.metrics.endpoint) (or (empty .Values.cloud.metrics.username) (empty .Values.cloud.metrics.password)) -}}
-    {{- fail "if cloud.metrics is enabled then the endpoint, username and password have to be filled in" -}}
+  {{- if empty .Values.cloud.metrics.secret -}}
+    {{- fail "if cloud.metrics is enabled then the secret has to be filled in" -}}
   {{- end -}}
 {{- end -}}
 
 {{- if eq .Values.cloud.traces.enabled true -}}
-  {{- if or (empty .Values.cloud.traces.endpoint) (or (empty .Values.cloud.traces.username) (empty .Values.cloud.traces.password)) -}}
-    {{- fail "if cloud.traces is enabled then the endpoint, username and password have to be filled in" -}}
+  {{- if empty .Values.cloud.traces.secret -}}
+    {{- fail "if cloud.traces is enabled then the secret has to be filled in" -}}
   {{- end -}}
 {{- end -}}
 

diff --git a/charts/meta-monitoring/values.yaml b/charts/meta-monitoring/values.yaml
@@ -5,26 +5,20 @@ namespacesToMonitor:
 - tempo
 # The name of the cluster where this will be installed
 clusterName: "meta-monitoring"
-metaMonitoringNamespace: "mmc"
+metaMonitoringNamespace: "meta"
 lokiNamespace: "loki"
 
 # Set to true to write logs, metrics or traces to Grafana Cloud
 cloud:
   logs:
     enabled: true
-    endpoint: to_be_changed
-    username: to_be_changed
-    password: to_be_changed
+    secret: ""
   metrics:
     enabled: true
-    endpoint: to_be_changed
-    username: to_be_changed
-    password: to_be_changed
+    secret: ""
   traces:
     enabled: true
-    endpoint: to_be_changed
-    username: to_be_changed
-    password: to_be_changed
+    secret: ""
 
 # Set to true for a local version of logs, metrics or traces
 local:

diff --git a/docs/installation.md b/docs/installation.md
@@ -6,7 +6,26 @@
    kubectl create namespace meta
    ```
 
-1. Create a values.yaml file based on the [default one](../charts/meta-monitoring/values.yaml).
+1. Create secrets with credentials and the endpoint when sending logs, metrics or traces to Grafana Cloud.
+
+   ```
+   kubectl create secret generic logs -n meta \
+    --from-literal=username=<logs username> \
+    --from-literal=password=<logs password>
+    --from-literal=endpoint='https://logs-prod-us-central1.grafana.net/loki/api/v1/push'
+
+   kubectl create secret generic metrics -n meta \
+    --from-literal=username=<metrics username> \
+    --from-literal=password=<metrics password>
+    --from-literal=endpoint='https://prometheus-us-central1.grafana.net/api/prom/push'
+
+   kubectl create secret generic traces -n meta \
+    --from-literal=username=<traces username> \
+    --from-literal=password=<traces password>
+    --from-literal=endpoint='https://tempo-us-central1.grafana.net/tempo'
+   ```
+
+1. Create a values.yaml file based on the [default one](../charts/meta-monitoring/values.yaml). Fill in the names of the secrets created above as needed.
 
 1. Install this helm chart