Grafana Chart Update (#126)

* Update to grafana chart Made updates to the grafana rbac chart and added creating a service account into the chart since that was removed from the operator. Using token rendering from vault in order to create the bearer token inside the prometheus datasource * Updated datasource and values for rbac * add dc rbac to values * adding role rbac for dc * fixing typo * update sa * updated job to use correct serviceaccount
validatedpatterns · Dec 4, 2024 · 5e8e00b · 5e8e00b
1 parent e150ce1
commit 5e8e00b
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 13 deletions.
diff --git a/charts/all/medical-diagnosis/grafana/templates/eso-grafana-sa-token.yaml b/charts/all/medical-diagnosis/grafana/templates/eso-grafana-sa-token.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.rbac.serviceAccountName }}-token
+  namespace: xraylab-1
+  annotations:
+    kubernetes.io/service-account.name: {{ .Values.rbac.serviceAccountName }}
+    argocd.argoproj.io/sync-wave: "1"
+type: kubernetes.io/service-account-token
diff --git a/charts/all/medical-diagnosis/grafana/templates/job-create-prometheus-datasource.yaml b/charts/all/medical-diagnosis/grafana/templates/job-create-prometheus-datasource.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: create-prometheus-datasource-object
-  namespace: {{ .Values.global.xraylab.namespace }}
+  namespace: xraylab-1
   annotations:
     argocd.argoproj.io/hook: PostSync
 spec:
@@ -14,9 +14,9 @@ spec:
         - /bin/bash
         - -c
         - |
-          #!/usr/bin/env bash
-          SECRET=$(oc get secret | grep xraylab-grafana-sa-token | head -n1 | awk '{print $1}')
-          TOKEN=$(oc extract secret/$SECRET --keys=token --to=-)
+          #TOKEN=$(oc create token {{ .Values.rbac.serviceAccountName }}-token --duration=$((365*24))h)
+          #SECRET=$(oc get secret | grep xraylab-grafana-sa-token | head -n1 | awk '{print $1}')
+          TOKEN=$(oc extract secret/{{ .Values.rbac.serviceAccountName }}-token --keys=token --to=-)
           cat <<EOF | oc create -f -
            apiVersion: grafana.integreatly.org/v1beta1
            kind: GrafanaDatasource
@@ -46,5 +46,5 @@ spec:
         name: get-grafana-token
       dnsPolicy: ClusterFirst
       restartPolicy: Never
-      serviceAccount: xraylab-grafana-sa
+      serviceAccount: {{ .Values.rbac.serviceAccountName }}
       terminationGracePeriodSeconds: 60
diff --git a/charts/all/medical-diagnosis/grafana/templates/job-wait-for-database.yaml b/charts/all/medical-diagnosis/grafana/templates/job-wait-for-database.yaml
@@ -18,6 +18,6 @@ spec:
         name: wait-for-xraylab-database
       dnsPolicy: ClusterFirst
       restartPolicy: Never
-      serviceAccount: {{ .Values.global.xraylab.namespace }}-sa
-      serviceAccountName: {{ .Values.global.xraylab.namespace }}-sa
+      serviceAccount: {{ .Values.rbac.serviceAccountName }}
+      serviceAccountName: {{ .Values.rbac.serviceAccountName }}
       terminationGracePeriodSeconds: 60
diff --git a/charts/all/medical-diagnosis/grafana/templates/rbac/rolebinding.yaml b/charts/all/medical-diagnosis/grafana/templates/rbac/rolebinding.yaml
@@ -15,12 +15,12 @@ metadata:
     argocd.argoproj.io/sync-wave: "-15"
 subjects:
 - kind: {{ $value.subjects.kind | default "ServiceAccount" }}
-  name: {{ $value.subjects.name }}
+  name: {{ $.Values.rbac.serviceAccountName }}
   namespace: {{ $value.subjects.namespace | default $.Values.global.xraylab.namespace }}
   apiGroup: ""
 roleRef:
   kind: {{ $value.roleRef.kind }}
   name: {{ $value.roleRef.name }}
   apiGroup: rbac.authorization.k8s.io
 ---
-{{- end }}
+{{- end }}
diff --git a/charts/all/medical-diagnosis/grafana/templates/rbac/serviceAccount.yaml b/charts/all/medical-diagnosis/grafana/templates/rbac/serviceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.rbac.createServiceAccount }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.rbac.serviceAccountName }}
+  namespace: xraylab-1
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/sync-hook: "-15"
+{{- end }}
+
diff --git a/charts/all/medical-diagnosis/grafana/values.yaml b/charts/all/medical-diagnosis/grafana/values.yaml
@@ -22,6 +22,8 @@ job:
   image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
 
 rbac:
+  createServiceAccount: true
+  serviceAccountName: "grafana-sa"
   roles:
     - name: grafana-mgmt
       apiGroups:
@@ -37,6 +39,19 @@ rbac:
         - "patch"
         - "create"
         - "update"
+    - name: grafana-serviceAccount-token
+      apiGroups:
+        - '""'
+      scope:
+        cluster: false
+        namespace: xraylab-1
+      resources:
+        - "serviceaccounts/tokens"
+      verbs:
+        - "get"
+        - "list"
+        - "create"
+        - "update"
     - name: grafana-read-secrets
       apiGroups:
         - '""'
@@ -49,6 +64,18 @@ rbac:
         - "get"
         - "list"
         - "watch"
+    - name: grafana-view-deployments
+      apiGroups: 
+        - apps
+      scope:
+        cluster: false
+        namespace: xraylab-1
+      resources:
+        - deployments
+      verbs:
+        - "get"
+        - "list"
+        - "watch"
     - name: grafana-view-deploymentconfigs
       apiGroups: 
         - apps.openshift.io
@@ -68,7 +95,7 @@ rbac:
         namespace: xraylab-1
       subjects:
         kind: ServiceAccount
-        name: xraylab-grafana-sa
+        name: grafana-sa
         namespace: xraylab-1
         apiGroup: ""
       roleRef:
@@ -80,7 +107,7 @@ rbac:
         namespace: xraylab-1
       subjects:
         kind: ServiceAccount
-        name: xraylab-grafana-sa
+        name: grafana-sa
         namespace: xraylab-1
         apiGroup: ""
       roleRef:
@@ -92,19 +119,43 @@ rbac:
         namespace: ""
       subjects:
         kind: ServiceAccount
-        name: xraylab-grafana-sa
+        name: grafana-sa
         namespace: xraylab-1
         apiGroup: ""
       roleRef:
         kind: ClusterRole
         name: cluster-monitoring-view
+    - name: grafana-view-deployments
+      scope:
+        cluster: false
+        namespace: xraylab-1
+      subjects:
+        kind: ServiceAccount
+        name: grafana-sa
+        namespace: xraylab-1
+        apiGroup: ""
+      roleRef:
+        kind: Role
+        name: grafana-view-deployments
+    - name: grafana-image-puller
+      scope:
+        cluster: false
+        namespace: xraylab-1
+      subjects:
+        kind: ServiceAccount
+        name: grafana-sa
+        namespace: xraylab-1
+        apiGroup: "image.openshift.io"
+      roleRef:
+        kind: ClusterRole
+        name: "system:image-puller"
     - name: grafana-view-deploymentconfigs
       scope:
         cluster: false
         namespace: xraylab-1
       subjects:
         kind: ServiceAccount
-        name: xraylab-1-sa
+        name: grafana-sa
         namespace: xraylab-1
         apiGroup: ""
       roleRef: