[helm] allow provisioned tokens to be created in different namespaces (…

…#8081) **What this PR does / why we need it**: _Note_: This PR bumps the chart to 4.0, so it includes a few other breaking changes we've been waiting to make. The new helm chart has a few different ways to create tokens when running in enterprise mode: * The tokengen job creates the initial admin token * The provisioner job creates the self-monitoring tenant if enabled * The provisioner job can also create additional tenants if configured The problem with these jobs is they put the generated read/write tokens for these tenants in secrets in the same namespace as the loki deploiyment. This is problematic if you need these tokens for a specific application, for example a Grafana datasource, that is deployed in a separate namespace. This PR introduces two breaking changes, one of which is breaking as it significantly changes how both the self monitoring and additional tenants are configured. First it adds the value `enterprise.adminToken.additionalNamespaces` and moves `enterprise.adminTokenSecret` to `enterprise.adminToken.secret`. If `additionalNamespaces` are included, additional secrets containing the GEL admin token are created in those namespaces as well as the release namespace. Second, it changes the structure of defining a tenant from just a string name, to an object containing a `name` and `secretNamespace` field. The `secretNamespace` is the namespace the secret containing that tenants token(s) will be placed in. In the case of the self-monitoring token, a secret will still be created in the default namespace in addition to the `secretNamespace` specified as that token is required by multiple components.
grafana · Jan 17, 2023 · eb39e26 · eb39e26
1 parent d8a0c6f
commit eb39e26
Show file tree

Hide file tree

Showing 37 changed files with 203 additions and 217 deletions.
diff --git a/.github/workflows/helm-ci.yml b/.github/workflows/helm-ci.yml
@@ -18,7 +18,7 @@ jobs:
 
       - name: Check Docs
         run: |
-          docker run --rm --volume "$(pwd):/helm-docs" -u "$(id -u)" jnorwood/helm-docs:v1.8.1
+          docker run --rm --volume "$(pwd):/helm-docs" -u "$(id -u)" jnorwood/helm-docs:v1.11.0
           if ! git diff --exit-code; then
               echo "Documentation not up to date. Please run helm-docs and commit changes!" >&2
               exit 1

diff --git a/docs/sources/installation/helm/reference.md b/docs/sources/installation/helm/reference.md
@@ -246,7 +246,16 @@ null
 </td>
 		</tr>
 		<tr>
-			<td>enterprise.adminTokenSecret</td>
+			<td>enterprise.adminToken.additionalNamespaces</td>
+			<td>list</td>
+			<td>Additional namespace to also create the token in. Useful if your Grafana instance is in a different namespace</td>
+			<td><pre lang="json">
+[]
+</pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.adminToken.secret</td>
 			<td>string</td>
 			<td>Alternative name for admin token secret, needed by tokengen and provisioner jobs</td>
 			<td><pre lang="json">
@@ -333,6 +342,15 @@ null
 			<td><pre lang="json">
 "grafana/enterprise-logs"
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.image.tag</td>
+			<td>string</td>
+			<td>Docker image tag TODO: needed for 3rd target backend functionality revert to null or latest once this behavior is relased</td>
+			<td><pre lang="json">
+"main-96f32b9f"
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -344,15 +362,6 @@ null
   "contents": "NOTAVALIDLICENSE"
 }
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>enterprise.nginxConfig.file</td>
-			<td>string</td>
-			<td></td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -361,6 +370,7 @@ null
 			<td>Configuration for `provisioner` target</td>
 			<td><pre lang="json">
 {
+  "additionalTenants": [],
   "annotations": {},
   "enabled": true,
   "env": [],
@@ -373,16 +383,24 @@ null
   },
   "labels": {},
   "priorityClassName": null,
-  "provisionedSecretPrefix": "{{ include \"loki.name\" . }}-provisioned",
+  "provisionedSecretPrefix": null,
   "securityContext": {
     "fsGroup": 10001,
     "runAsGroup": 10001,
     "runAsNonRoot": true,
     "runAsUser": 10001
-  },
-  "tenants": []
+  }
 }
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.provisioner.additionalTenants</td>
+			<td>list</td>
+			<td>Additional tenants to be created. Each tenant will get a read and write policy and associated token. Tenant must have a name and a namespace for the secret containting the token to be created in. For example additionalTenants:   - name: loki     secretNamespace: grafana</td>
+			<td><pre lang="json">
+[]
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -494,7 +512,7 @@ null
 			<td>string</td>
 			<td>Name of the secret to store provisioned tokens in</td>
 			<td><pre lang="json">
-"{{ include \"loki.name\" . }}-provisioned"
+null
 </pre>
 </td>
 		</tr>
@@ -510,15 +528,6 @@ null
   "runAsUser": 10001
 }
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>enterprise.provisioner.tenants</td>
-			<td>list</td>
-			<td>Tenants to be created. Each tenant will get a read and write policy and associated token.</td>
-			<td><pre lang="json">
-[]
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -1615,9 +1624,9 @@ See values.yaml
 		<tr>
 			<td>loki.image.tag</td>
 			<td>string</td>
-			<td>Overrides the image tag whose default is the chart's appVersion</td>
+			<td>Overrides the image tag whose default is the chart's appVersion TODO: needed for 3rd target backend functionality revert to null or latest once this behavior is relased</td>
 			<td><pre lang="json">
-null
+"main-5e53303"
 </pre>
 </td>
 		</tr>
@@ -2138,15 +2147,6 @@ true
 			<td><pre lang="json">
 {}
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>monitoring.rules.namespace</td>
-			<td>string</td>
-			<td>Alternative namespace to create recording rules PrometheusRule resource in</td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -2192,15 +2192,6 @@ true
 			<td><pre lang="json">
 {}
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>monitoring.selfMonitoring.grafanaAgent.namespace</td>
-			<td>string</td>
-			<td>Alternative namespace for Grafana Agent resources</td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -2228,15 +2219,6 @@ null
 			<td><pre lang="json">
 {}
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>monitoring.selfMonitoring.logsInstance.namespace</td>
-			<td>string</td>
-			<td>Alternative namespace for LogsInstance resources</td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -2255,15 +2237,6 @@ null
 			<td><pre lang="json">
 {}
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>monitoring.selfMonitoring.podLogs.namespace</td>
-			<td>string</td>
-			<td>Alternative namespace for PodLogs resources</td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -2277,11 +2250,32 @@ null
 		</tr>
 		<tr>
 			<td>monitoring.selfMonitoring.tenant</td>
-			<td>string</td>
+			<td>object</td>
 			<td>Tenant to use for self monitoring</td>
 			<td><pre lang="json">
+{
+  "name": "self-monitoring",
+  "secretNamespace": "{{ .Release.Namespace }}"
+}
+</pre>
+</td>
+		</tr>
+		<tr>
+			<td>monitoring.selfMonitoring.tenant.name</td>
+			<td>string</td>
+			<td>Name of the tenant</td>
+			<td><pre lang="json">
 "self-monitoring"
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>monitoring.selfMonitoring.tenant.secretNamespace</td>
+			<td>string</td>
+			<td>Namespace to create additional tenant token secret in. Useful if your Grafana instance is in a separate namespace. Token will still be created in the canary namespace.</td>
+			<td><pre lang="json">
+"{{ .Release.Namespace }}"
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -2368,15 +2362,6 @@ true
 			<td><pre lang="json">
 null
 </pre>
-</td>
-		</tr>
-		<tr>
-			<td>monitoring.serviceMonitor.namespace</td>
-			<td>string</td>
-			<td>Alternative namespace for ServiceMonitor resources</td>
-			<td><pre lang="json">
-null
-</pre>
 </td>
 		</tr>
 		<tr>
@@ -2706,9 +2691,9 @@ null
 		<tr>
 			<td>read.legacyReadTarget</td>
 			<td>bool</td>
-			<td>Set to false to enable the new 3-target mode (read, write, backend) that will be the default in future version of Loki</td>
+			<td>Whether or not to use the 2 target type simple scalable mode (read, write) or the 3 target type (read, write, backend). Legacy refers to the 2 target type, so true will run two targets, false will run 3 targets.</td>
 			<td><pre lang="json">
-true
+false
 </pre>
 </td>
 		</tr>

diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md
@@ -11,6 +11,17 @@ Entries should be ordered as follows:
 
 Entries should include a reference to the pull request that introduced the change.
 
+## 4.0
+
+- [FEATURE] Added `enterprise.adminToken.additionalNamespaces` which are a list of additional namespaces to create secrets containing the GEL admin token in. This is especially useful if your Grafana instance is in another namespace.
+- [CHANGE] **BREAKING** Remove `enterprise.nginxConfig.file`. Both enterprise and gateway configurations now share the same nginx config, use `gateway.nginxConfig.file` for both. Admin routes will 404 on OSS deployments.
+- [CHANGE] **BREAKING** Default simple deployment mode to new, 3 target configuration (read, write, and backend). This new configuration allows the `read` target to be run as a deployment and auto-scaled. To go back to the legacy, 2 target configuration, set `read.legacyReadTraget` to `true`.
+- [CHANGE] **BREAKING** Change how tenants are defined
+- [CHANGE] **BREKAING** Remove `enterprise.adminTokenSecret`. This is now defined under `enterprise.adminToken.secret`.
+- [CHANGE] **BREKAING** Rename and change format of `enterprise.provisioner.tenants`. Property has been renamed to `enterprise.provisioner.additionalTenants`, and is now an array of objects rather than string. Each object must contain a `name` and a `secretNamespace` field, where `name` is the name of the tenant and `secretNamespace` is the namespace to create the secret with the tenant's read and write token.
+- [CHANGE] **BREAKING** Change the structure of `monitoring.selfMonitoring.tenant` from a string to an object. The new object must have a `name` and a `secretNamespace` field, where `name` is the name of the self-monitoring tenant and `secretNamespace` is the namespace to create an additional secret with the tenant's token. A secret will still also be created in the release namespace as it's needed by the Loki canary.
+- [CHANGE] **BREAKING** Remove ability to create self-monitoring resources in different namespaces (with the exception of dashboard configmaps).
+
 ## 3.10.0
 
 - [CHANGE] Deprecate `enterprise.nginxConfig.file`. Both enterprise and gateway configurations now share the same nginx config. Admin routes will 404 on OSS deployments. Will be removed in version 4 of the chart, please use `gateway.nginxConfig.file` for both OSS and Enterprise gateways.

diff --git a/production/helm/loki/Chart.yaml b/production/helm/loki/Chart.yaml
@@ -4,7 +4,7 @@ name: loki
 description: Helm chart for Grafana Loki in simple, scalable mode
 type: application
 appVersion: 2.7.0
-version: 3.10.0
+version: 4.0.0
 home: https://grafana.github.io/helm-charts
 sources:
   - https://github.com/grafana/loki

diff --git a/production/helm/loki/README.md b/production/helm/loki/README.md
@@ -1,6 +1,6 @@
 # loki
 
-![Version: 3.10.0](https://img.shields.io/badge/Version-3.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
+![Version: 4.0.0](https://img.shields.io/badge/Version-4.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
 
 Helm chart for Grafana Loki in simple, scalable mode
 
@@ -17,4 +17,4 @@ Helm chart for Grafana Loki in simple, scalable mode
 | https://charts.min.io/ | minio(minio) | 4.0.12 |
 | https://grafana.github.io/helm-charts | grafana-agent-operator(grafana-agent-operator) | 0.2.3 |
 
-[Find more information in the Loki Helm Chart documentation](https://grafana.com/docs/loki/next/installation/helm).
+Find more information in the Loki Helm Chart [documentation](https://grafana.com/docs/loki/next/installation/helm).
diff --git a/production/helm/loki/README.md.gotmpl b/production/helm/loki/README.md.gotmpl
@@ -8,4 +8,4 @@
 
 {{ template "chart.requirementsSection" . }}
 
-[Find more information in the Loki Helm Chart [documentation](https://grafana.com/docs/loki/next/installation/helm).
+Find more information in the Loki Helm Chart [documentation](https://grafana.com/docs/loki/next/installation/helm).
diff --git a/production/helm/loki/ci/default-values.yaml b/production/helm/loki/ci/default-values.yaml
@@ -6,6 +6,8 @@ read:
   replicas: 1
 write:
   replicas: 1
+backend:
+  replicas: 1
 monitoring:
   serviceMonitor:
     labels:

diff --git a/production/helm/loki/ci/enterprise.yaml b/production/helm/loki/ci/enterprise.yaml
@@ -15,10 +15,12 @@ storage:
   type: local
 read:
   replicas: 1
+write:
+  replicas: 1
   persistence:
     enabled: true
     size: 100Mi
-write:
+backend:
   replicas: 1
   persistence:
     enabled: true

diff --git a/production/helm/loki/ci/ingress-values.yaml b/production/helm/loki/ci/ingress-values.yaml
@@ -15,6 +15,8 @@ read:
   replicas: 1
 write:
   replicas: 1
+backend:
+  replicas: 1
 monitoring:
   lokiCanary:
     enabled: false

diff --git a/production/helm/loki/ci/three-targets.yaml b/production/helm/loki/ci/three-targets.yaml
diff --git a/production/helm/loki/templates/_helpers.tpl b/production/helm/loki/templates/_helpers.tpl
@@ -475,12 +475,17 @@ Create the service endpoint including port for MinIO.
 
 {{/* Name of kubernetes secret to persist GEL admin token to */}}
 {{- define "enterprise-logs.adminTokenSecret" }}
-{{- .Values.enterprise.adminTokenSecret | default (printf "%s-admin-token" (include "loki.name" . )) -}}
+{{- .Values.enterprise.adminToken.secret | default (printf "%s-admin-token" (include "loki.name" . )) -}}
+{{- end -}}
+
+{{/* Prefix for provisioned secrets created for each provisioned tenant */}}
+{{- define "enterprise-logs.provisionedSecretPrefix" }}
+{{- .Values.enterprise.provisioner.provisionedSecretPrefix | default (printf "%s-provisioned" (include "loki.name" . )) -}}
 {{- end -}}
 
 {{/* Name of kubernetes secret to persist canary credentials in */}}
-{{- define "enterprise-logs.canarySecret" }}
-{{- .Values.enterprise.canarySecret | default (printf "%s-canary-secret" (include "loki.name" . )) -}}
+{{- define "enterprise-logs.selfMonitoringTenantSecret" }}
+{{- .Values.enterprise.canarySecret | default (printf "%s-%s" (include "enterprise-logs.provisionedSecretPrefix" . ) .Values.monitoring.selfMonitoring.tenant.name) -}}
 {{- end -}}
 
 {{/* Snippet for the nginx file used by gateway */}}

diff --git a/production/helm/loki/templates/gateway/configmap-gateway.yaml b/production/helm/loki/templates/gateway/configmap-gateway.yaml
@@ -8,11 +8,5 @@ metadata:
     {{- include "loki.gatewayLabels" . | nindent 4 }}
 data:
   nginx.conf: |
-    {{- if .Values.enterprise.enabled }}
-    {{- $file := ( .Values.enterprise.nginxConfig.file | default .Values.gateway.nginxConfig.file) }}
-    {{- $indent := ternary 2 4 (empty .Values.enterprise.nginxConfig.file) }}
-    {{- tpl $file  . | nindent $indent }}
-    {{- else }}
     {{- tpl .Values.gateway.nginxConfig.file . | indent 2 }}
-    {{- end }}
 {{- end }}