grafana / helm-charts

Apache License 2.0

Service Account created via helm chart doesn't work with REST API #2189

Open ojswedbank opened 1 year ago

ojswedbank commented 1 year ago

I am creating/configuring a service account (SA) in the helm chart.

It is created (in the k8s namespace as a secret); however, when I try to use its token in an HTTP/REST API call, e.g. get folders, it says: "invalid API key"

The idea is whenever Grafana is installed from scratch, an SA should be provisioned. This SA token will be then used for accessing the REST API.

Chart.yaml

apiVersion: v2
name: kraken-observability-stack
version: 0.1.0
# We don't have a built-in-house app so we don't set
# appVersion: 0.1.0
kubeVersion: "^1.20.0-0"
description: The kraken observability stack for collecting and visualizing metrics, logs and traces related to CI pipelines.
home: https://docs.net/
dependencies:
  - name: grafana
    repository: https://grafana.github.io/helm-charts
    version: 6.50.x
  - name: mimir-distributed
    repository: https://grafana.github.io/helm-charts
    version: 3.2.x
  - name: loki-distributed
    repository: https://grafana.github.io/helm-charts
    version: 0.68.x
  - name: tempo-distributed
    repository: https://grafana.github.io/helm-charts
    version: 1.0.x
  - name: opentelemetry-collector
    repository: https://open-telemetry.github.io/opentelemetry-helm-charts
    version: 0.47.x

(partial) values.yaml

grafana:
  testFramework:
    enabled: false
  resources:
    limits:
      #maybe we shouldn't set cpu limits to avoid overbooking of resources.
      #cpu: 1000m
      memory: 1Gi
    requests:
      memory: 200Mi
      cpu: 200m

  grafana.ini:
    force_migration: true
    data_proxy:
      timeout: 60s
    #feature_toggles:
    #  enable: tempoServiceGraph,tempoSearch,tempoBackendSearch,tempoApmTable
    auth:
      login_cookie_name: "kraken_grafana_session"
    auth.anonymous:
      enabled: true
      org_name: 'CICDS Pipelines User'
      org_role: 'Viewer'
    analytics:
      reporting_enabled: false
      check_for_updates: false
      check_for_plugin_updates: false
      enable_feedback_links: false
    log:
      level: warn
      mode: console
    plugins:
      enable_alpha: true
      app_tls_skip_verify_insecure: true
      allow_loading_unsigned_plugins: true

  #podAnnotations for grafana to expose its own metrics
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/schema: "http"
    prometheus.io/port: "http"
    prometheus.io/path: "/metrics"
  rbac:
    #disable Create and use RBAC resources
    create: false
    #disable Create PodSecurityPolicy (we don't have privileges for that)
    pspEnabled: false
    #disable to enforce AppArmor in created PodSecurityPolicy
    pspUseAppArmor: false
  serviceAccount:
    create: true
    name: grafana-init-sa
    labels: {kraken-init}

  replicas: 3

  image:
    #repository: docker-virtual.repository.net/grafana/grafana
    repository: grafana/grafana

  downloadDashboardsImage:
    repository: docker-virtual.repository.net/curlimages/curl
    tag: 7.85.0
    pullPolicy: IfNotPresent

  persistence:
    type: statefulset
    enabled: true

  initChownData:

    ## This allows the prometheus-server to be run with an arbitrary user
    ##
    enabled: false
    #image:
    #  repository: docker-virtual.repository.net/busybox

  # Administrator credentials when not using an existing secret (see below)
  adminUser: admin
  adminPassword: changeit

  # Use an existing secret for the admin user.
  # grafana-admin-credentials name is reserved by the operator and thus -creds
  admin:
    existingSecret: "grafana-admin-user"
    userKey: ADMIN_USER
    passwordKey: ADMIN_PASSWORD

  env:
    HTTP_PROXY: http://p985nst:p985nst@proxyvip-se.sbcore.net:8080/
    HTTPS_PROXY: http://p985nst:p985nst@proxyvip-se.sbcore.net:8080/
    NO_PROXY: .cluster.local,.net,.sbcore.net,.svc,10.0.0.0/8,172.30.0.0/16,localhost

#  ## Pass the plugins you want installed as a list.
#  ##
#  plugins:
#    - digrich-bubblechart-panel
#    - grafana-clock-panel
#    - grafana-piechart-panel
#    - natel-discrete-panel

  extraSecretMounts:
    - name: loki-credentials-secret-mount
      secretName: loki-credentials
      defaultMode: 0440
      mountPath: /etc/secrets/.loki_credentials
      readOnly: true

r-gunasekaran commented 1 year ago

I think from the config, the service account refers to this block.

serviceAccount:
  create: true
  name: grafana-init-sa
  labels: {kraken-init}

If so, it does not refer to a Grafana service account; instead it refers to a Kubernetes ServiceAccount, as seen from this helm chart template.
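The distinction in the comment above is easy to check from the token itself, so here is a small diagnostic as an added example (not code from the helm-charts repository or from either participant). It assumes the two token shapes involved: a Kubernetes ServiceAccount token, which is a JWT whose claims carry `iss: kubernetes/serviceaccount` and a `sub` of the form `system:serviceaccount:<namespace>:<name>`, and a Grafana service account token, which is an opaque string starting with `glsa_`. The sample tokens are constructed inline (the JWT is unsigned, its signature part is a placeholder) and the claim parser only decodes, it does not verify anything.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _build_unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed JWT for format inspection only; the signature is a placeholder."""
    return ".".join(
        [
            _b64url(json.dumps(header, separators=(",", ":")).encode()),
            _b64url(json.dumps(payload, separators=(",", ":")).encode()),
            _b64url(b"placeholder-signature"),
        ]
    )


# Constructed sample: what the secret created by the chart's serviceAccount block
# holds (a Kubernetes ServiceAccount token), with a made-up namespace and key id.
K8S_SA_TOKEN = _build_unsigned_jwt(
    {"alg": "RS256", "kid": "constructed-key-id"},
    {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "monitoring",
        "kubernetes.io/serviceaccount/service-account.name": "grafana-init-sa",
        "sub": "system:serviceaccount:monitoring:grafana-init-sa",
    },
)

# Constructed sample in the shape of a Grafana service account token (not a real token).
GRAFANA_SA_TOKEN = "glsa_constructedExampleTokenValue0000000000_00000000"


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return the JWT payload as a dict, or None if the string is not JWT-shaped.

    This is a diagnostic only: the signature is never checked here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def classify_token(token: str) -> str:
    """Tell a Grafana service account token from a Kubernetes ServiceAccount JWT."""
    if token.startswith("glsa_"):
        return "grafana-service-account"
    claims = decode_jwt_claims(token)
    if claims is None:
        return "unknown"
    sub = str(claims.get("sub", ""))
    if (
        sub.startswith("system:serviceaccount:")
        or claims.get("iss") == "kubernetes/serviceaccount"
        or any(k.startswith("kubernetes.io/serviceaccount/") for k in claims)
    ):
        return "kubernetes-serviceaccount"
    return "jwt"


def usable_with_grafana_api(token: str) -> bool:
    """Only Grafana's own service account tokens are accepted as Bearer tokens
    by the Grafana HTTP API; a Kubernetes token yields "invalid API key"."""
    return classify_token(token) == "grafana-service-account"


if __name__ == "__main__":
    for label, tok in (("chart secret", K8S_SA_TOKEN), ("glsa", GRAFANA_SA_TOKEN)):
        print(f"{label}: {classify_token(tok)}, usable={usable_with_grafana_api(tok)}")
```

Running it on the token pulled out of the secret that the chart creates reports `kubernetes-serviceaccount`, which is the token the reporter was sending; the Grafana HTTP API only accepts a token Grafana itself issued for one of its service accounts.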