Merge pull request #18877 from rpastrana/HPCC-32240-NEWGrafanaLogacce…

…ssSecretImprovement HPCC-32240 Grafana/Loki logaccess client secret improvements Reviewed-by: Gavin Halliday <[email protected]> Merged-by: Gavin Halliday <[email protected]>
hpcc-systems · Jul 16, 2024 · 466476f · 466476f
2 parents c5e22ef + 49ea8da
commit 466476f
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 21 deletions.
diff --git a/helm/managed/logging/loki-stack/README.md b/helm/managed/logging/loki-stack/README.md
@@ -85,27 +85,87 @@ The logAccess feature allows HPCC to query and package relevant logs for various
 
 ### Provide target Grafana/Loki access information 
 
-HPCC logAccess requires access to the Grafana username/password. Those values must be provided via a secure secret object.
+HPCC logAccess requires access to the Grafana username/password credentials. Those values must be provided via a secure secret object.
 
 The secret is expected to be in the 'esp' category, and be named 'grafana-logaccess'. The following key-value pairs are required (key names must be spelled exactly as shown here)
 
     username - This should contain the Grafana username
     password - This should contain the Grafana password
 
+#### Create secret using script
 The included 'create-grafana-logaccess-secret.sh' helper can be used to create the necessary secret.
 
-Example scripted secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys):
+Example scripted secret creation command:
 
 ```
-  create-grafana-logaccess-secret.sh -d HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc
+  create-grafana-logaccess-secret.sh -u admin -p somepass -n hpcc
 ```
 
+#### Create secret manually from file
 Otherwise, users can create the secret manually.
 
-Example manual secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys):
+Example manual secret creation command (assuming ./secrets-templates contains files named exactly as the above keys):
 
 ```
-  kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed//logging/loki-stack/secrets-templates/ -n hpcc
+  kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc
+```
+
+#### Create secret manually from manifest
+Otherwise, users can create the secret through a manifest file.
+
+First, base64 encode the credentials:
+
+```
+echo -n 'admin' | base64
+echo -n 'whatevergrafanapassword' | base64
+```
+
+Add the encoded values to the provided manifest file 'grafana-logaccess-secret.yaml'
+
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-logaccess
+type: Opaque
+data:
+  #Base64 encoded username and password for Grafana
+  #can be encoded using the following command:
+  # echo -n 'admin' | base64
+  username: YWRtaW4=
+  # echo -n 'whatevergrafanapassword' | base64
+  password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ=
+```
+
+Then apply the manifest values:
+
+```
+kubectl apply -f ./grafana-logaccess-secret.yaml --namespace hpcc --server-side
+```
+
+#### Verify secret
+
+At this point, confirm the secret has been created with the expected key values:
+
+```
+kubectl describe secret grafana-logaccess -n hpcc
+```
+
+The output should be something like this:
+
+```
+kubectl describe secret grafana-logaccess -n hpcc
+Name:         grafana-logaccess
+Namespace:    hpcc
+Labels:       <none>
+Annotations:  <none>
+
+Type:  Opaque
+
+Data
+====
+password:  40 bytes
+username:  5 bytes
 ```
 
 ### Configure HPCC logAccess

diff --git a/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh b/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh
@@ -1,30 +1,24 @@
 #!/bin/bash
 WORK_DIR=$(dirname $0)
-source ${WORK_DIR}/env-loganalytics
 
 k8scommand="kubectl"
 secretname="grafana-logaccess"
-secretsdir="${WORK_DIR}/secrets-templates"
 namespace="default"
+username="admin"
+password=""
 
 usage()
 {
     echo "Creates necessary k8s secret used by HPCC's logAccess to access Loki data source through Grafana"
     echo "> create-grafana-logaccess-secret.sh [Options]"
     echo ""
+    echo "Example: create-grafana-logaccess-secret.sh -u admin -p mypassword -n mynamespace"
+    echo ""
     echo "Options:"
-    echo "-d       Specifies directory containing required secret values in self named files."
-    echo "         Defaults to <workingdir>/<${secretssubdir}>"
+    echo "-u       Grafana user name (default: admin)"
+    echo "-p       Grafana password (required)"
     echo "-h       Print Usage message"
-    echo "-n       Specifies namespace for secret"
-    echo ""
-    echo "Requires directory containing secret values in dedicated files."
-    echo "Defaults to  ${secretssubdir} if not specified via -d option."
-    echo ""
-    echo "Expected directory structure:"
-    echo "${secretsdir}/"
-    echo "   password  - Should contain Grafana user name"
-    echo "   username  - Should contain Grafana password"
+    echo "-n       Specifies namespace for secret (default: default)"
 }
 
 while [ "$#" -gt 0 ]; do
@@ -37,13 +31,26 @@ while [ "$#" -gt 0 ]; do
       -d) shift
          secretsdir=$1
          ;;
+      -u) shift
+         username=$1
+         ;;
+      -p) shift
+          password=$1
+          ;;
       -n) shift
          namespace=$1
          ;;
     esac
   shift
 done
 
+if [ -z "${password}" ];
+then
+  echo "Error: Missing required password!"
+  echo >&2
+  usage
+  exit 1
+fi
 echo "Creating '${namespace}/${secretname}' secret."
 
 command -v ${k8scommand} >/dev/null 2>&1 || { echo >&2 "Aborting - '${k8scommand}' not found!"; exit 1; }
@@ -53,10 +60,11 @@ if [[ $? -eq 0 ]]
 then
   echo "WARNING: Target secret '${namespace}/${secretname}' already exists! Delete it and re-run if secret update desired."
   echo "${errormessage}"
+  echo "use this command: '${k8scommand} delete secret ${secretname} -n ${namespace}'"
   exit 1
 fi
 
-errormessage=$(${k8scommand} create secret generic ${secretname} --from-file=${secretsdir} -n ${namespace} )
+errormessage=$(${k8scommand} create secret generic ${secretname} --from-literal=username=${username} --from-literal=password=${password} -n ${namespace})
 if [[ $? -ne 0 ]]
 then
   echo "Error creating: Target secret '${namespace}/${secretname}'!"

diff --git a/helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml b/helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-logaccess
+type: Opaque
+data:
+  #Base64 encoded username and password for Grafana
+  #can be encoded using the following command:
+  # echo -n 'admin' | base64
+  username: YWRtaW4=
+  # echo -n 'whatevergrafanapassword' | base64
+  password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ=
diff --git a/helm/managed/logging/loki-stack/secrets-templates/password b/helm/managed/logging/loki-stack/secrets-templates/password
diff --git a/helm/managed/logging/loki-stack/secrets-templates/username b/helm/managed/logging/loki-stack/secrets-templates/username