Open wotd opened 3 years ago
Hi, can you provide your values.yaml file? I think I am having a similar issue?
Sure, but I am using loki-stack. Are you interested in my values for grafana only? What exactly are you looking for?
I am not using loki stack, just curious about grafana section. Having a hard time adding `redis password` and `redis-tls secrets`, using `env`, `envFromSecrets` parameters. An example would greatly benefit me
I will paste code snippet once I will be back home (late evening). Cheers :)
```yaml
image:
  tag: 7.5.0
enabled: true
deploymentStrategy: { "type": "Recreate" }
ingress:
  enabled: true
  # ingressClassName: nginx
  hosts:
    - dashboard.example.com
  tls:
    - hosts:
        - dashboard.example.com
      secretName: grafana-tls
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
dashboardProviders:
  dashboardproviders.yaml:
    apiVersion: 1
    providers:
      - name: 'ds1'
        orgId: 1
        folder: 'infrastructure'
        type: file
        disableDeletion: false
        editable: true
        options:
          path: /var/lib/grafana/dashboards/ds1
dashboardsConfigMaps:
  ds1: "nginx-ingress-controller.json"
env:
  GF_SERVER_DOMAIN: "dashboard.example.com"
  GF_SERVER_ROOT_URL: "https://dashboard.example.com/"
  GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
  GF_AUTH_GENERIC_OAUTH_NAME: "Login Keycloak"
  GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: 12345678-a123-123e-abcd-123456abc789
  GF_AUTH_GENERIC_OAUTH_SCOPES: openid email profile
  GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://keycloak.example.com/auth/realms/realmID/protocol/openid-connect/auth"
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://keycloak.example.com/auth/realms/realmID/protocol/openid-connect/token"
  GF_AUTH_GENERIC_OAUTH_API_URL: "https://keycloak.example.com/auth/realms/realmID/protocol/openid-connect/userinfo"
  GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
# envFromSecret: oauth-client-secret
persistence:
  enabled: true
plugins:
  - grafana-polystat-panel
```
Thank you that is very helpful, after couple of days of reading figured it out. For reference see configuration file, corresponding secrets and exported envvars on the pod shell. This documentation seems to be missing on grafana repo. I plan to create a PR
```yaml
grafana:
  additionalDataSources:
    - name: Redis
      type: redis-datasource
      url: redis://redis-master.default.svc.cluster.local:6379
      editable: true
      jsonData:
        client: standalone
        tlsAuth: true
        # skips verification of the Redis server certificate
        tlsSkipVerify: true
      secureJsonData:
        password: $redis-password
        tlsClientCert: $redis.crt
        tlsClientKey: $redis.key
        tlsCACert: $ca.crt
  plugins:
    - redis-datasource
    - redis-app
  envFromSecrets:
    - name: redis-password-secret
    - name: redis-tls-secret
```
```
kubectl get secrets redis-password-secret -oyaml
apiVersion: v1
data:
  redis-password: UGFzc3dvcmQxMjM=
kind: Secret
metadata:
  name: redis-password-secret
type: Opaque
```
```
kubectl get secrets redis-tls-secret -oyaml
apiVersion: v1
data:
  ca.crt: LS0tLS1..tLS0tLQo=
  redis.crt: LS0t..tLS0tLQo=
  redis.dh: LS0tLS..=
  redis.key: LS0tL..FJJ
kind: Secret
metadata:
  name: redis-tls-secret
type: Opaque
```
```
kubectl exec -it deploy/kube-prometheus-stack-grafana -c grafana -- /bin/bash
bash-5.1$ env | grep redis
redis.key=-----BEGIN RSA PRIVATE KEY-----
redis.crt=-----BEGIN CERTIFICATE-----
redis.dh=-----BEGIN DH PARAMETERS-----
redis-password=Password123
GF_INSTALL_PLUGINS=redis-datasource,redis-app,grafana-polystat-panel,grafana-clock-panel
bash-5.1$
```
Hi, I am trying to configure oauth for Grafana and Keycloak. I've configured everything and my deployment works, however I would like to move environment variable from env section to envFromSecret.
I've deployed secret:
but when I remove my variable from env I cannot login to grafana anymore. The error I've got:
The only change is using envFromSecret instead of regular env.
On pods both variables look exactly the same. Anyone had a similar issue?
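
An added example, not code from the thread or from the Grafana chart: it splits an `env:` map like the one posted above into plain values and a Secret for `envFromSecret`, then checks that each decoded Secret value is byte-identical to what `env:` held. The name-suffix rule, the function names and the sample subset are assumptions of this example, and a trailing newline is only one difference worth ruling out, not a diagnosis of the error reported here.

```python
import base64
import json
import re

# Assumption of this example: a variable is sensitive if its name ends like this.
SENSITIVE = re.compile(r"(SECRET|PASSWORD|TOKEN|KEY)$", re.IGNORECASE)

# Constructed sample: a subset of the `env:` map posted in the thread.
SAMPLE_ENV = {
    "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": "grafana",
    "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET": "12345678-a123-123e-abcd-123456abc789",
    "GF_AUTH_GENERIC_OAUTH_TOKEN_URL":
        "https://keycloak.example.com/auth/realms/realmID/protocol/openid-connect/token",
}

def encode_value(text):
    """Base64-encode exactly the bytes given, as a Secret `data` value requires."""
    return base64.b64encode(text.encode()).decode()

def split_env(env):
    """Split an `env:` map into (plain, sensitive) by variable name."""
    sensitive = {k: v for k, v in env.items() if SENSITIVE.search(k)}
    plain = {k: v for k, v in env.items() if k not in sensitive}
    return plain, sensitive

def build_secret(name, sensitive):
    """Build an Opaque Secret manifest as a dict (kubectl apply accepts JSON)."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {k: encode_value(v) for k, v in sensitive.items()}}

def check_secret(secret, expected):
    """List keys whose decoded bytes differ from the value `env:` held (no values printed)."""
    findings = []
    for key, want in expected.items():
        got = base64.b64decode(secret["data"].get(key, "")).decode()
        if got != want:
            same = got.strip() == want
            findings.append(f"{key}: differs from env value (length {len(got)} "
                            f"vs {len(want)}, whitespace-only difference: {same})")
    return findings

if __name__ == "__main__":
    plain, sensitive = split_env(SAMPLE_ENV)
    secret = build_secret("oauth-client-secret", sensitive)
    print(json.dumps(secret, indent=2))  # manifest for `kubectl apply -f -`
    print(json.dumps({"env": plain, "envFromSecret": "oauth-client-secret"}, indent=2))
    print(check_secret(secret, sensitive) or "secret matches env values")
```

To check a Secret that already exists in the cluster, pass the JSON from `kubectl get secret <name> -o json` to `check_secret` in place of the generated manifest.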