Grafana: Add job to update admin password

This change adds a job to the Grafana chart that allows the
Grafana admin user password to be changed if required, as
Grafana only allows this password to be changed via the
grafana-admin CLI or via an HTTP call that requires both the old
and new password.

Change-Id: I59a5d26edc4aa4da16e80c5454ecdebbae3a1d15
Steve Wilkerson 2019-02-01 17:43:29 -06:00
parent cf0ed142f6
commit 65ce9c73d7
5 changed files with 123 additions and 0 deletions


@ -0,0 +1,26 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
echo "Attempting to update Grafana admin user password"
grafana-cli admin reset-admin-password --homepath "/usr/share/grafana" --config /etc/grafana/grafana.ini ${GF_SECURITY_ADMIN_PASSWORD}
if [ "$?" == 1 ]; then
echo "The Grafana admin user does not exist yet, so no need to update password"
exit 0;
else
exit 0;
fi
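Review bot: Both branches of the closing `if` end in `exit 0`, so the Job reports success for every grafana-cli exit status, and a reset that failed for some other reason (bad config, database unreachable) leaves the old admin password in place with nothing flagged. Save the status right after the call with `rc=$?` and propagate anything other than the expected "user does not exist" case, e.g. `[ "$rc" -le 1 ] || exit "$rc"`; whether grafana-cli also returns 1 for unrelated errors is not visible from this page, so matching on its output may be needed instead. The password is also expanded unquoted on the command line, so a value containing spaces or glob characters is split or expanded before grafana-cli sees it; write `"${GF_SECURITY_ADMIN_PASSWORD}"`. Passing the secret as an argument additionally makes it readable in the container's process list for the lifetime of the call, which deserves at least a comment in the script.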


@ -32,4 +32,6 @@ data:
{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
grafana.sh: |
{{ tuple "bin/_grafana.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
set-admin-password.sh: |
{{ tuple "bin/_set-admin-password.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -0,0 +1,79 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_set_admin_user }}
{{- $envAll := . }}
{{- $serviceAccountName := "grafana-set-admin-user" }}
{{ tuple $envAll "set_admin_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: grafana-set-admin-user
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "grafana" "set-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value | quote }}
initContainers:
{{ tuple $envAll "set_admin_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: grafana-set-admin-password
{{ tuple $envAll "grafana" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.set_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/set-admin-password.sh
env:
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
name: grafana-admin-creds
key: GRAFANA_ADMIN_USERNAME
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-creds
key: GRAFANA_ADMIN_PASSWORD
volumeMounts:
- name: grafana-etc
mountPath: /etc/grafana/grafana.ini
subPath: grafana.ini
- name: grafana-bin
mountPath: /tmp/set-admin-password.sh
subPath: set-admin-password.sh
readOnly: true
volumes:
- name: pod-etc-grafana
emptyDir: {}
- name: grafana-bin
configMap:
name: grafana-bin
defaultMode: 0555
- name: grafana-etc
secret:
secretName: grafana-etc
defaultMode: 0444
{{- end }}
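Review bot: The `grafana-etc` secret is mounted at `/etc/grafana/grafana.ini` without `readOnly: true`, while the `grafana-bin` mount beside it sets it; this container receives the admin credentials and the full Grafana config, so the secret mount should carry `readOnly: true` as well. The `volumes` list also declares `pod-etc-grafana` as an `emptyDir` that no `volumeMounts` entry in this Job references, so it can be dropped. The container `securityContext` sets only `allowPrivilegeEscalation: false`; if the image already runs as a non-root user, adding `runAsNonRoot: true` would make that an enforced property, to be confirmed against the image first. `GF_SECURITY_ADMIN_USER` is injected but the script shown on this page never reads it, so a comment stating whether grafana-cli consumes it as a config override would help the next reader.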


@ -107,6 +107,13 @@ pod:
limits:
memory: "1024Mi"
cpu: "2000m"
set_admin_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
@ -264,6 +271,7 @@ dependencies:
jobs:
- grafana-db-init
- grafana-db-session-sync
- grafana-set-admin-user
services:
- endpoint: internal
service: oslo_db
@ -271,6 +279,12 @@ dependencies:
services:
- endpoint: internal
service: local_image_registry
set_admin_user:
jobs:
- grafana-db-init
services:
- endpoint: internal
service: oslo_db
tests:
services:
- endpoint: internal
@ -314,6 +328,7 @@ manifests:
job_db_init_session: true
job_db_session_sync: true
job_image_repo_sync: true
job_set_admin_user: true
network_policy: false
secret_db: true
secret_db_session: true
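Review bot: `grafana-set-admin-user` is added unconditionally to a `jobs` dependency list (its parent key lies outside the hunk, presumably the Grafana pod's own dependencies), while the Job itself is only rendered when `manifests.job_set_admin_user` is true. If an operator sets `job_set_admin_user: false`, the dependent pod's entrypoint init container would presumably keep waiting for a Job that is never created; a comment next to the flag such as `# when false, also remove grafana-set-admin-user from the dependencies jobs list` would document that coupling. The `set_admin_user` limits (`1024Mi`, `2000m`) match the neighbouring entries and look copied; a one-shot CLI call likely needs far less.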


@ -34,6 +34,7 @@ fi
export CEPH_NETWORK=$(./tools/deployment/multinode/kube-node-subnet.sh)
export CEPH_FS_ID="$(cat /tmp/ceph-fs-uuid.txt)"
export RELEASE_UUID=$(uuidgen)
export OSH_INFRA_PATH
# NOTE(srwilkers): We add this here due to envsubst expanding the ${tag} placeholder in