grafana / helm-charts

Apache License 2.0

Grafana extraContainers volumes #2863

Open Mattie112 opened 11 months ago

Mattie112 commented 11 months ago

I would like to go and use the proxy-auth option of Grafana: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

We already have an nginx-config that should be able to do this so I thought let's try it out. However I am having some trouble getting it to work.

From the docs: https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml#L318

## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
extraContainers: ""
# extraContainers: |
# - name: proxy
#   image: quay.io/gambol99/keycloak-proxy:latest
#   args:
#   - -provider=github
#   - -client-id=
#   - -client-secret=
#   - -github-org=<ORG_NAME>
#   - -email-domain=*
#   - -cookie-secret=
#   - -http-address=http://0.0.0.0:4181
#   - -upstream-url=http://127.0.0.1:3000
#   ports:
#     - name: proxy-web
#       containerPort: 4181

## Volumes that can be used in init containers that will not be mounted to deployment pods
extraContainerVolumes: []
#  - name: volume-from-secret
#    secret:
#      secretName: secret-to-mount
#  - name: empty-dir-volume
#    emptyDir: {}

I now have the following in my prometheus-values.yaml

grafana:
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS":443}]'
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/ip-address-type: dualstack
      alb.ingress.kubernetes.io/success-codes: 200-499
      alb.ingress.kubernetes.io/ssl-redirect: '443'
      alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-FS-1-2-Res-2020-10"
    paths:
      - /
  extraContainers: |
    - name: "proxy"
      image: nginx:latest
      ports:
        - name: proxy-web
          containerPort: 4181
      volumeMounts:
        - mountPath: "/etc/nginx/conf.d/default.conf"
          subPath: "default.conf"
          name: nginx-config
      volumes:
        - name: nginx-config
          configMap:
            name: nginx-config
            items:
              - key: default.conf
                path: default.conf
## It does not make a difference if I have the extraContainerVolumes or not
  extraContainerVolumes:
      - name: nginx-config
        secret:
          secretName: secret-to-mount
  sidecar:
    dashboards:
      enabled: true
      searchNamespace: ALL
    alerts:
      enabled: true
      searchNamespace: ALL
      label: "grafana_dashboard"

I do have a ConfigMap (and a secret for that matter) with some nginx config. However I am now getting:

╷
│ Error: cannot patch "kube-prometheus-stack-grafana" with kind Deployment: Deployment.apps "kube-prometheus-stack-grafana" is invalid: spec.template.spec.containers[4].volumeMounts[0].name: Not found: "nginx-config"
│ 
│   with module.shared.helm_release.prometheus,
│   on ../shared/k8s_monitoring.tf line 21, in resource "helm_release" "prometheus":
│   21: resource "helm_release" "prometheus" {
│ 
╵

Am I misreading the docs? Is this not possible? Do I have to build a Docker image that includes the config so I don't need the volume?

Just to be sure: I have no idea if our current "nginx auth module" works for Grafana, but that is what I would like to test :)

Any tips would be appreciated!

bdalpe commented 10 months ago

Should mention this is the prometheus-community/kube-prometheus-stack chart using a sub chart for Grafana...

Which one contains the config you need? The ConfigMap or Secret?

The volumes definition under extraContainers is invalid. It needs to be moved to extraContainerVolumes. Like this:

grafana:
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS":443}]'
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/ip-address-type: dualstack
      alb.ingress.kubernetes.io/success-codes: 200-499
      alb.ingress.kubernetes.io/ssl-redirect: '443'
      alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-FS-1-2-Res-2020-10"
    paths:
      - /
  extraContainers: |
    - name: "proxy"
      image: nginx:latest
      ports:
        - name: proxy-web
          containerPort: 4181
      volumeMounts:
        - mountPath: "/etc/nginx/conf.d/default.conf"
          subPath: "default.conf"
          name: nginx-config
  extraContainerVolumes:
    - name: nginx-config
      configMap:
        name: nginx-config
        items:
          - key: default.conf
            path: default.conf
  sidecar:
    dashboards:
      enabled: true
      searchNamespace: ALL
    alerts:
      enabled: true
      searchNamespace: ALL
      label: "grafana_dashboard"
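
The rule from the reply above, as an added example (not code from this thread or from the chart): a Python check over a Deployment manifest in JSON form that reports every `volumeMounts` name with no matching pod-level volume, using the same field path as the API server error, and every `volumes` key set on a container. The sample manifest is constructed and trimmed, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample: a trimmed Deployment shaped like the one in the question,
# where the proxy container carries its own "volumes" key.
BROKEN = json.loads("""
{"spec": {"template": {"spec": {
  "volumes": [{"name": "config", "configMap": {"name": "grafana"}}],
  "containers": [
    {"name": "grafana",
     "volumeMounts": [{"name": "config", "mountPath": "/etc/grafana/grafana.ini"}]},
    {"name": "proxy", "image": "nginx:latest",
     "volumeMounts": [{"name": "nginx-config", "subPath": "default.conf",
                       "mountPath": "/etc/nginx/conf.d/default.conf"}],
     "volumes": [{"name": "nginx-config", "configMap": {"name": "nginx-config"}}]}
  ]}}}}
""")


def check_volume_mounts(deployment):
    """Return findings for mounts without a pod-level volume and misplaced volumes."""
    pod = deployment["spec"]["template"]["spec"]
    declared = {v["name"] for v in pod.get("volumes", [])}
    findings = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod.get(kind, [])):
            path = f"spec.template.spec.{kind}[{i}]"
            if "volumes" in c:
                # "volumes" belongs to the pod spec; a container can only mount by name.
                findings.append(f"{path}.volumes: pod-level field set on a container")
            for j, m in enumerate(c.get("volumeMounts", [])):
                if m["name"] not in declared:
                    findings.append(f'{path}.volumeMounts[{j}].name: Not found: "{m["name"]}"')
    return findings


def move_volumes_to_pod(deployment):
    """Return a copy with every container-level volumes list moved to the pod spec."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        pod.setdefault("volumes", []).extend(c.pop("volumes", []))
    return fixed


if __name__ == "__main__":
    for doc in (BROKEN, move_volumes_to_pod(BROKEN)):
        print(check_volume_mounts(doc) or "ok")
```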