feat: Enable Secret creation using tokengen

Signed-off-by: Jack Baldry <jack.baldry@grafana.com>
grafana · Sep 15, 2021 · d90f155 · d90f155
1 parent 4efa932
commit d90f155
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 4 deletions.
diff --git a/charts/enterprise-logs/templates/tokengen/job-tokengen.yaml b/charts/enterprise-logs/templates/tokengen/job-tokengen.yaml
@@ -35,7 +35,6 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      serviceAccountName: {{ template "loki.serviceAccountName" . }}
       {{- if .Values.tokengen.priorityClassName }}
       priorityClassName: {{ .Values.tokengen.priorityClassName }}
       {{- end }}
@@ -47,7 +46,7 @@ spec:
         - name: {{ . }}
       {{- end }}
       {{- end }}
-      containers:
+      initContainers:
         - name: enterprise-logs
           image: {{ template "enterprise-logs.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -62,13 +61,16 @@ spec:
             - -admin.client.s3.secret-access-key=supersecret
             - -admin.client.s3.insecure=true
             {{- end }}
+            - -tokengen.token-file=/shared/admin-token
             {{- range $key, $value := .Values.tokengen.extraArgs }}
             - "-{{ $key }}={{ $value }}"
             {{- end }}
           volumeMounts:
             {{- if .Values.tokengen.extraVolumeMounts }}
               {{ toYaml .Values.tokengen.extraVolumeMounts | nindent 12 }}
             {{- end }}
+            - name: shared
+              mountPath: /shared
             - name: config
               mountPath: /etc/loki/config
             - name: license
@@ -77,7 +79,27 @@ spec:
             {{- if .Values.tokengen.env }}
               {{ toYaml .Values.tokengen.env | nindent 12 }}
             {{- end }}
+      containers:
+        - name: create-secret
+          image: bitnami/kubectl
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - -euc
+            - kubectl create secret generic gel-admin-token --from-file=token=/shared/admin-token --from-literal=grafana-token="$(base64 <(echo :$(cat /shared/admin-token)))"
+          volumeMounts:
+            {{- if .Values.tokengen.extraVolumeMounts }}
+              {{ toYaml .Values.tokengen.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+            - name: shared
+              mountPath: /shared
+            - name: config
+              mountPath: /etc/loki/config
+            - name: license
+              mountPath: /etc/enterprise-logs/license
       restartPolicy: OnFailure
+      serviceAccount: {{ template "enterprise-logs.tokengenFullname" . }}
+      serviceAccountName: {{ template "enterprise-logs.tokengenFullname" . }}
       volumes:
         - name: config
           secret:
@@ -93,7 +115,7 @@ spec:
           {{- else }}
             secretName: enterprise-logs-license
           {{- end }}
-        - name: storage
+        - name: shared
           emptyDir: {}
         {{- if .Values.tokengen.extraVolumes }}
         {{ toYaml .Values.tokengen.extraVolumes | nindent 8 }}

diff --git a/charts/enterprise-logs/templates/tokengen/role-tokengen.yaml b/charts/enterprise-logs/templates/tokengen/role-tokengen.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.tokengen.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "enterprise-logs.tokengenFullname" . }}
+  labels:
+    {{- include "enterprise-logs.tokengenLabels" . | nindent 4 }}
+    {{- with .Values.tokengen.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.tokengen.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    "helm.sh/hook": post-install
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+{{- end }}
diff --git a/charts/enterprise-logs/templates/tokengen/rolebinding-tokengen.yaml b/charts/enterprise-logs/templates/tokengen/rolebinding-tokengen.yaml
@@ -0,0 +1,23 @@
+{{ if .Values.tokengen.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "enterprise-logs.tokengenFullname" . }}
+  labels:
+    {{- include "enterprise-logs.tokengenLabels" . | nindent 4 }}
+    {{- with .Values.tokengen.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.tokengen.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    "helm.sh/hook": post-install
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "enterprise-logs.tokengenFullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "enterprise-logs.tokengenFullname" . }}
+{{- end }}
diff --git a/charts/enterprise-logs/templates/tokengen/serviceaccount-tokengen.yaml b/charts/enterprise-logs/templates/tokengen/serviceaccount-tokengen.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.tokengen.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "enterprise-logs.tokengenFullname" . }}
+  labels:
+    {{- include "enterprise-logs.tokengenLabels" . | nindent 4 }}
+    {{- with .Values.tokengen.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.tokengen.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    "helm.sh/hook": post-install
+{{- end }}
diff --git a/charts/enterprise-logs/values.yaml b/charts/enterprise-logs/values.yaml
@@ -179,7 +179,7 @@ config:
 
 # -- Configuration for `tokengen` target
 tokengen:
-  # -- Weather the job should be part of the deployment
+  # -- Whether the job should be part of the deployment
   enable: true
   # -- Additional CLI arguments for the `tokengen` target
   extraArgs: {}
@@ -193,6 +193,10 @@ tokengen:
   extraVolumes: []
   # -- Additional volume mounts for Pods
   extraVolumeMounts: []
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 10001
+    fsGroup: 10001
 
 # -- Configuration for the `admin-api` target
 adminApi: