grafana/k8s-monitoring-helm

Allow Credentials to be Retrieved from a Remote

bentonam opened this issue · 0 comments

There are situations when the credentials cannot be set in the Helm chart values or even in a Kubernetes Secret. Alloy supports:

  • remote.kubernetes.secret
  • remote.http
  • remote.vault

And more.

For each of the externalServices, if a remote reference is needed, the proposal is to add an additional value for the username, password, tenant and host.

For example, the current prometheus properties are:

externalServices:
  # Connection information for Prometheus
  prometheus:
    # -- Prometheus host where metrics will be sent
    # @section -- External Services (Prometheus)
    host: ""
    # -- The key for the host property in the secret
    # @section -- External Services (Prometheus)
    hostKey: host

    # -- The type of server protocol for writing metrics. Valid options:
    #  "remote_write" will use Prometheus Remote Write,
    #  "otlp" will use OTLP,
    #  "otlphttp" will use OTLP HTTP
    # @section -- External Services (Prometheus)
    protocol: "remote_write"
    # -- HTTP proxy to proxy requests to Prometheus through.
    # @section -- External Services (Prometheus)
    proxyURL: ""
    # -- Prometheus metrics query endpoint. Preset for Grafana Cloud Metrics instances.
    # @section -- External Services (Prometheus)
    queryEndpoint: /api/prom/api/v1/query
    # -- Prometheus metrics write endpoint. Preset for Grafana Cloud Metrics instances.
    # @section -- External Services (Prometheus)
    writeEndpoint: /api/prom/push
    # -- Custom labels to be added to all time series
    # @section -- External Services (Prometheus)
    externalLabels: {}
    # -- Rule blocks to be added to the [write_relabel_config block](https://grafana.com/docs/alloy/latest/reference/components/prometheus.remote_write/#write_relabel_config-block)
    # of the prometheus.remote_write component.
    # @section -- External Services (Prometheus)
    writeRelabelConfigRules: ""

    # -- Sets the `X-Scope-OrgID` header when sending metrics
    # @section -- External Services (Prometheus)
    tenantId: ""
    # -- The key for the tenant ID property in the secret
    # @section -- External Services (Prometheus)
    tenantIdKey: tenantId

    # -- one of "none", "basic"
    # @section -- External Services (Prometheus)
    authMode: basic

    # Authenticate to Prometheus using basic authentication
    # @section -- External Services (Prometheus)
    basicAuth:
      # -- Prometheus basic auth username
      # @section -- External Services (Prometheus)
      username: ""
      # -- The key for the username property in the secret
      # @section -- External Services (Prometheus)
      usernameKey: username
      # -- Prometheus basic auth password
      # @section -- External Services (Prometheus)
      password: ""
      # -- The key for the password property in the secret
      # @section -- External Services (Prometheus)
      passwordKey: password

    # Credential management
    secret:
      # -- Should this Helm chart create the secret. If false, you must define the name and namespace values.
      # @section -- External Services (Prometheus)
      create: true
      # -- The name of the secret.
      # @section -- External Services (Prometheus)
      name: ""
      # -- The namespace of the secret. Only used if secret.create = "false"
      # @section -- External Services (Prometheus)
      namespace: ""

The following values would be added:

externalServices:
  # Connection information for Prometheus
  prometheus:
    # -- Prometheus host where metrics will be sent, set from a remote.* component, environment variable, or some other means.
    # @section -- External Services (Prometheus)
    hostFrom: ""
    # -- Sets the `X-Scope-OrgID` header when sending metrics, set from a remote.* component, environment variable, or some other means.
    # @section -- External Services (Prometheus)
    tenantIdFrom: ""
    # Authenticate to Prometheus using basic authentication
    # @section -- External Services (Prometheus)
    basicAuth:
      # -- Prometheus basic auth username, set from a remote.* component, environment variable, or some other means.
      # @section -- External Services (Prometheus)
      usernameFrom: ""
      # -- Prometheus basic auth password, set from a remote.* component, environment variable, or some other means.
      # @section -- External Services (Prometheus)
      passwordFrom: ""

There are already other means in the chart (such as extraConfig) to declare the remote.* component that the reference points at. An example for metrics would look like:

externalServices:
  prometheus:
    # The secret's data values are Alloy secrets, so non-secret fields such as the host
    # and username must be unwrapped with nonsensitive(); the password stays a secret.
    hostFrom: nonsensitive(remote.kubernetes.secret.credentials.data["host"])
    basicAuth:
      usernameFrom: nonsensitive(remote.kubernetes.secret.credentials.data["username"])
      passwordFrom: remote.kubernetes.secret.credentials.data["password"]
    secret:
      create: false
extraConfig: |-
  remote.kubernetes.secret "credentials" {
    namespace = "monitoring"
    name = "metrics-secret"
  }
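As an added illustration (not the chart's own template, and the function names are my own), the snippet below shows how the proposed *From values could be rendered into the endpoint block of prometheus.remote_write, and the two checks a reviewer would want on them: a passwordFrom that was unwrapped with nonsensitive(), and a remote.kubernetes.secret label that is referenced but never declared in extraConfig. The sample values mirror the example above and are constructed here.

```python
import re

# Constructed sample mirroring the issue's example (label "credentials" as in extraConfig).
VALUES = {"externalServices": {"prometheus": {
    "hostFrom": 'nonsensitive(remote.kubernetes.secret.credentials.data["host"])',
    "basicAuth": {
        "usernameFrom": 'nonsensitive(remote.kubernetes.secret.credentials.data["username"])',
        "passwordFrom": 'remote.kubernetes.secret.credentials.data["password"]'},
    "secret": {"create": False}}}}
EXTRA_CONFIG = 'remote.kubernetes.secret "credentials" {\n  namespace = "monitoring"\n  name = "metrics-secret"\n}\n'

def _pick(literal: str, from_expr: str, field: str) -> str:
    """Alloy expression for one field: a quoted literal, or the *From expression verbatim."""
    if literal and from_expr:
        raise ValueError(f"{field}: set either the literal or the *From value, not both")
    return from_expr if from_expr else f'"{literal}"'

def check_from_refs(values: dict, extra_config: str) -> list:
    """Return problems with the *From references (empty list means none). Handles
    remote.kubernetes.secret only, the component used in the issue's example."""
    prom = values["externalServices"]["prometheus"]
    ba = prom.get("basicAuth", {})
    problems = []
    # nonsensitive() turns a secret into a plain string, so a password wrapped in it
    # would be visible in the Alloy UI and in any exported configuration.
    if ba.get("passwordFrom", "").startswith("nonsensitive("):
        problems.append("passwordFrom must not be wrapped in nonsensitive()")
    exprs = " ".join([prom.get("hostFrom", ""), prom.get("tenantIdFrom", ""),
                      ba.get("usernameFrom", ""), ba.get("passwordFrom", "")])
    declared = set(re.findall(r'remote\.kubernetes\.secret\s+"([^"]+)"', extra_config))
    used = set(re.findall(r'remote\.kubernetes\.secret\.(\w+)\.data', exprs))
    for label in sorted(used - declared):
        problems.append(f'remote.kubernetes.secret "{label}" is referenced but not declared in extraConfig')
    return problems

def render_remote_write(values: dict) -> str:
    """Render the endpoint block of prometheus.remote_write from literal or *From values."""
    prom = values["externalServices"]["prometheus"]
    ba = prom.get("basicAuth", {})
    host = _pick(prom.get("host", ""), prom.get("hostFrom", ""), "host")
    path = prom.get("writeEndpoint", "/api/prom/push")
    out = ['prometheus.remote_write "metrics" {', "  endpoint {", f'    url = {host} + "{path}"']
    tenant = _pick(prom.get("tenantId", ""), prom.get("tenantIdFrom", ""), "tenantId")
    if tenant != '""':  # header only when a tenant is configured
        out.append(f'    headers = {{ "X-Scope-OrgID" = {tenant} }}')
    if prom.get("authMode", "basic") == "basic":
        out += ["    basic_auth {",
                f'      username = {_pick(ba.get("username", ""), ba.get("usernameFrom", ""), "username")}',
                f'      password = {_pick(ba.get("password", ""), ba.get("passwordFrom", ""), "password")}',
                "    }"]
    out += ["  }", "}"]
    return "\n".join(out)
```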