Charts: [stable/grafana] datasource provisioning with sidecar should be done through secrets

Created on 3 May 2019 · 12 Comments · Source: helm/charts

We can define sidecar.datasources.enabled to deploy a sidecar that uses configmaps with the corresponding label for Grafana datasource provisioning.

This datasource configuration may contain sensitive data in the secureJsonData field (the other sensitive fields are now deprecated): passwords, private keys, etc.

So, it would be more secure to store this datasource configuration in Kubernetes using a secret and not a configmap.
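As an added illustration of what the issue asks for (not from the issue, the chart or the sidecar project), here is a Grafana datasource provisioning file carried in a Kubernetes Secret instead of a ConfigMap. It assumes the sidecar watches the label `grafana_datasource` (the chart's default value of `sidecar.datasources.label`) and writes each data key of a matching object as a file into Grafana's provisioning directory; the datasource name, host, namespace and the placeholder password are constructed for the example.

```yaml
# Added example: datasource provisioning via a Secret rather than a ConfigMap.
apiVersion: v1
kind: Secret
metadata:
  name: grafana-datasource-app-postgres   # constructed name
  namespace: monitoring                   # assumed Grafana namespace
  labels:
    grafana_datasource: "1"               # label the sidecar selects on (chart default, assumed)
type: Opaque
stringData:
  # The key becomes the filename dropped into /etc/grafana/provisioning/datasources
  app-postgres.yaml: |
    apiVersion: 1
    datasources:
      - name: app-postgres
        type: postgres
        url: postgres.example.internal:5432   # constructed host
        user: grafana_reader
        database: app
        jsonData:
          sslmode: require
        # Only secureJsonData is stored encrypted by Grafana; with a Secret the
        # Kubernetes object itself is also governed by RBAC on "secrets".
        secureJsonData:
          password: "PLACEHOLDER_DB_PASSWORD"  # placeholder, not a real credential
```

Storing the file in a Secret only helps if access to `secrets` in that namespace is narrower than access to `configmaps`; base64 encoding in the Secret is not encryption, so encryption at rest for Secrets and a tight Role for the sidecar's service account are what actually reduce exposure.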

All 12 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

activity!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

activity!

I would like to work on this, but the upstream sidecar PR is not being merged...

https://github.com/kiwigrid/k8s-sidecar/pull/32

Since the sidecar PR has been merged, I could take a stab at adding this feature (should be fairly easy now), if this is in line with the maintainers goals.
I wouldn't want to work on this if it is not something the repo owners want to merge...

To confirm that there is a desire to merge this, pinging maintainers: @zanhsieh, @rtluckie, @maorfr

yeah go for it!

Would this make it possible to have most of the provisioning details in a configmap, but load just the secret values from a secret? Right now we have secrets (api keys, etc.) in Kubernetes secrets, but the rest of our details in configmaps, and it'd be great to be able to have the sidecar merge those automatically (instead of us having to write something to do it).

That PR (and the sidecar behind it) does not support that.

https://github.com/helm/charts/blob/master/stable/grafana/templates/clusterrole.yaml and
https://github.com/helm/charts/blob/master/stable/grafana/templates/role.yaml have the following lines:

{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }}
- apiGroups: [""] # "" indicates the core API group
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]
{{- end }}

With this change, does the role need to include secrets in addition to configmaps?
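The rendered namespaced Role that the sidecar's service account would need once it watches Secrets as well as ConfigMaps, shown here as an added example rather than the chart's actual template output. It assumes the chart is installed with `rbac.namespaced=true` into a namespace named `monitoring` with a service account named `grafana`; both names are constructed for the example.

```yaml
# Added example: rendered Role and RoleBinding for a Secret-aware sidecar.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: grafana
  namespace: monitoring          # assumed namespace
rules:
  - apiGroups: [""]              # "" indicates the core API group
    # Both resources are needed: "secrets" for datasource files,
    # "configmaps" if dashboards are still provisioned from ConfigMaps.
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: grafana
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: grafana
subjects:
  - kind: ServiceAccount
    name: grafana                # assumed service account name
    namespace: monitoring
```

Kubernetes RBAC cannot restrict `list`/`watch` on `secrets` to a label selector, so after this change the sidecar can read every Secret in the namespace it is bound to. That is why the namespaced Role (rbac.namespaced) is preferable to the ClusterRole variant for this feature: a cluster-wide grant on `secrets` would let a compromised Grafana pod read Secrets from every namespace. Keeping Grafana and its datasource Secrets in a dedicated namespace limits the blast radius to exactly the objects the sidecar is meant to consume.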

Good point. I somehow missed the normal role and only updated the clusterrole