diff --git a/helm/managed/logging/loki-stack/README.md b/helm/managed/logging/loki-stack/README.md
index 6c4714e898c..e50a0437444 100644
--- a/helm/managed/logging/loki-stack/README.md
+++ b/helm/managed/logging/loki-stack/README.md
@@ -85,27 +85,87 @@ The logAccess feature allows HPCC to query and package relevant logs for various ### Provide target Grafana/Loki access information -HPCC logAccess requires access to the Grafana username/password. Those values must be provided via a secure secret object. +HPCC logAccess requires access to the Grafana username/password credentials. Those values must be provided via a secure secret object. The secret is expected to be in the 'esp' category, and be named 'grafana-logaccess'. The following key-value pairs are required (key names must be spelled exactly as shown here) username - This should contain the Grafana username password - This should contain the Grafana password +#### Create secret using script The included 'create-grafana-logaccess-secret.sh' helper can be used to create the necessary secret. -Example scripted secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys): +Example scripted secret creation command: ``` - create-grafana-logaccess-secret.sh -d HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc + create-grafana-logaccess-secret.sh -u admin -p somepass -n hpcc ``` +#### Create secret manually from file Otherwise, users can create the secret manually. -Example manual secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys): +Example manual secret creation command (assuming ./secrets-templates contains files named exactly as the above keys): ``` - kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed//logging/loki-stack/secrets-templates/ -n hpcc + kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc +``` + +#### Create secret manually from manifest +Otherwise, users can create the secret through a manifest file. 
+ +First, base64 encode the credentials: + +``` +echo -n 'admin' | base64 +echo -n 'whatevergrafanapassword' | base64 +``` + +Add the encoded values to the provided manifest file 'grafana-logaccess-secret.yaml' + +``` +apiVersion: v1 +kind: Secret +metadata: + name: grafana-logaccess +type: Opaque +data: + #Base64 encoded username and password for Grafana + #can be encoded using the following command: + # echo -n 'admin' | base64 + username: YWRtaW4= + # echo -n 'whatevergrafanapassword' | base64 + password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ= +``` + +Then apply the manifest values: + +``` +kubectl apply -f ./grafana-logaccess-secret.yaml --namespace hpcc --server-side +``` + +#### Verify secret + +At this point, confirm the secret has been created with the expected key values: + +``` +kubectl describe secret grafana-logaccess -n hpcc +``` + +The output should be something like this: + +``` +kubectl describe secret grafana-logaccess -n hpcc +Name: grafana-logaccess +Namespace: hpcc +Labels: +Annotations: + +Type: Opaque + +Data +==== +password: 40 bytes +username: 5 bytes ``` ### Configure HPCC logAccess diff --git a/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh b/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh index f4c7efbed09..e1246b1f62e 100755 --- a/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh +++ b/helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh 
@@ -1,30 +1,24 @@ #!/bin/bash WORK_DIR=$(dirname $0) -source ${WORK_DIR}/env-loganalytics k8scommand="kubectl" secretname="grafana-logaccess" -secretsdir="${WORK_DIR}/secrets-templates" namespace="default" +username="admin" +password="" usage() { echo "Creates necessary k8s secret used by HPCC's logAccess to access Loki data source through Grafana" echo "> create-grafana-logaccess-secret.sh [Options]" echo "" + echo "Example: create-grafana-logaccess-secret.sh -u admin -p mypassword -n mynamespace" + echo "" echo "Options:" - echo "-d Specifies directory containing required secret values in self named files." - echo " Defaults to /<${secretssubdir}>" + echo "-u Grafana user name (default: admin)" + echo "-p Grafana password (required)" echo "-h Print Usage message" - echo "-n Specifies namespace for secret" - echo "" - echo "Requires directory containing secret values in dedicated files." - echo "Defaults to ${secretssubdir} if not specified via -d option." - echo "" - echo "Expected directory structure:" - echo "${secretsdir}/" - echo " password - Should contain Grafana user name" - echo " username - Should contain Grafana password" + echo "-n Specifies namespace for secret (default: default)" } while [ "$#" -gt 0 ]; do @@ -37,6 +31,12 @@ while [ "$#" -gt 0 ]; do -d) shift secretsdir=$1 ;; + -u) shift + username=$1 + ;; + -p) shift + password=$1 + ;; -n) shift namespace=$1 ;; @@ -44,6 +44,13 @@ while [ "$#" -gt 0 ]; do shift done +if [ -z "${password}" ]; +then + echo "Error: Missing required password!" + echo >&2 + usage + exit 1 +fi echo "Creating '${namespace}/${secretname}' secret." command -v ${k8scommand} >/dev/null 2>&1 || { echo >&2 "Aborting - '${k8scommand}' not found!"; exit 1; } 
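Review bot: The new `-p` option, advertised in the usage example as `-p mypassword`, puts the Grafana password on the script's command line, where it lands in shell history and is readable from the process list by other local users while the script runs. The `-p)` arm in the option-parsing hunk takes it from argv, and the `--from-literal=password=...` call in the last hunk of this file then repeats it on kubectl's argv. Consider prompting when `-p` is absent, e.g. `[ -n "${password}" ] || read -rsp "Grafana password: " password` placed before the empty-password check, and describe that as the preferred form in the usage text. On the kubectl side the value could be kept off argv with something like `--from-file=password=/dev/stdin` fed by `printf '%s' "${password}"`; that form should be tested first.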
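Review bot: The `-d)` arm kept as context above the new arms still assigns `secretsdir`, but this commit removes that variable's default, its usage text and its visible use in the `create secret` call, so `-d` is now silently accepted and ignored; drop the arm or reject it as unsupported. The new `-u)` and `-p)` arms also read `$1` after `shift` without checking that a value follows, so `-u` as the last argument sets `username` to an empty string and `-p -n hpcc` stores `-n` as the password. A guard such as `[ "$#" -gt 1 ] || { usage; exit 1; }` before each `shift` would catch both cases. The `while`/`case` block starts and ends outside this hunk.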
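Review bot: The error text in the new password check goes to stdout and only an empty line goes to stderr, because the `>&2` redirect sits on the blank `echo` rather than on the message. Swap them so a caller that captures or discards stdout still sees the diagnostic: `echo >&2 "Error: Missing required password!"` followed by a plain `echo`. The `command -v` check two lines further down already writes its abort message with `echo >&2 "..."`, so this also makes the script consistent.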
@@ -53,10 +60,11 @@ if [[ $? -eq 0 ]] then echo "WARNING: Target secret '${namespace}/${secretname}' already exists! Delete it and re-run if secret update desired." echo "${errormessage}" + echo "use this command: '${k8scommand} delete secret ${secretname} -n ${namespace}'" exit 1 fi -errormessage=$(${k8scommand} create secret generic ${secretname} --from-file=${secretsdir} -n ${namespace} ) +errormessage=$(${k8scommand} create secret generic ${secretname} --from-literal=username=${username} --from-literal=password=${password} -n ${namespace}) if [[ $? -ne 0 ]] then echo "Error creating: Target secret '${namespace}/${secretname}'!" diff --git a/helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml b/helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml new file mode 100644 index 00000000000..2e1cec96eae --- /dev/null +++ b/helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: grafana-logaccess +type: Opaque +data: + #Base64 encoded username and password for Grafana + #can be encoded using the following command: + # echo -n 'admin' | base64 + username: YWRtaW4= + # echo -n 'whatevergrafanapassword' | base64 + password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ= \ No newline at end of file diff --git a/helm/managed/logging/loki-stack/secrets-templates/password b/helm/managed/logging/loki-stack/secrets-templates/password deleted file mode 100644 index 6b3a9a39380..00000000000 --- a/helm/managed/logging/loki-stack/secrets-templates/password +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/helm/managed/logging/loki-stack/secrets-templates/username b/helm/managed/logging/loki-stack/secrets-templates/username deleted file mode 100644 index f77b00407e0..00000000000 --- a/helm/managed/logging/loki-stack/secrets-templates/username +++ /dev/null @@ -1 +0,0 @@ -admin \ No newline at end of file
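Review bot: `${username}` and `${password}` are expanded unquoted in the rewritten `create secret` command, so a password containing whitespace, `*` or `?` is word-split or glob-expanded before kubectl receives it. The command then either fails or stores a value different from the one the user supplied. Quote both expansions: `--from-literal=username="${username}" --from-literal=password="${password}"`. The same applies to `${secretname}` and to `${namespace}`, which comes straight from `-n`. The trailing `if [[ $? -ne 0 ]]` block continues past the end of the hunk.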
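Review bot: The new manifest ships with a usable sample credential and nothing in it says the values must be replaced, so applying the file unchanged creates a valid-looking `grafana-logaccess` secret whose password is public in the repository. The `password:` value is only the base64 form of the string shown in the comment above it, and base64 is an encoding, not protection. Add a header comment such as `# PLACEHOLDER VALUES - replace before applying; never commit real credentials`. Consider switching to `stringData:` with obviously invalid placeholders, which also removes the manual encoding step. The file is also missing its trailing newline.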