Merge pull request #92 from grafana/use_secret_for_minio

Use a secret for the Minio access
2024-05-07 12:37:07 +01:00 · 2024-05-07 12:37:07 +01:00 · 56cab04af8
commit 56cab04af8
parent b99140d3f4 ab42a96949
3 changed files with 80 additions and 26 deletions
--- a/charts/meta-monitoring/templates/ruler/ruler.yaml
+++ b/charts/meta-monitoring/templates/ruler/ruler.yaml
@ -49,6 +49,9 @@ spec:
            - containerPort: 7946
              name: memberlist
              protocol: TCP
+          envFrom:
+          - secretRef:
+             name: mmc-minio
          readinessProbe:
            failureThreshold: 3
            httpGet:
--- a/charts/meta-monitoring/values.yaml
+++ b/charts/meta-monitoring/values.yaml
@ -229,9 +229,9 @@ loki:
      common:
        storage:
          s3:
-            access_key_id: "{{ .Values.global.minio.rootUser }}"
+            access_key_id: "${rootUser}"
            endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-            secret_access_key: "{{ .Values.global.minio.rootPassword }}"
+            secret_access_key: "${rootPassword}"
      compactor:
        retention_enabled: true
        delete_request_store: s3
@ -254,8 +254,24 @@ loki:
        installOperator: false
    lokiCanary:
      enabled: false
-  test:
-    enabled: false
+  write:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  read:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  backend:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"

 alloy:
  alloy:
@ -292,30 +308,31 @@ alloy:
 mimir-distributed:
  minio:
    enabled: false
+  global:
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
  mimir:
    structuredConfig:
      alertmanager_storage:
        s3:
          bucket_name: mimir-ruler
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
-          insecure: true
      blocks_storage:
        backend: s3
        s3:
          bucket_name: mimir-tsdb
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
-          insecure: true
      ruler_storage:
        s3:
          bucket_name: mimir-ruler
-          access_key_id: "{{ .Values.global.minio.rootUser }}"
-          endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-          secret_access_key: "{{ .Values.global.minio.rootPassword }}"
-          insecure: true
+      common:
+        storage:
+          backend: s3
+          s3:
+            bucket_name: mimir-ruler
+            access_key_id: "${rootUser}"
+            endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
+            secret_access_key: "${rootPassword}"
+            insecure: true
      limits:
        compactor_blocks_retention_period: 30d

@ -328,12 +345,39 @@ tempo-distributed:
          s3:
            bucket: tempo
            endpoint: "{{ .Release.Name }}-minio.{{ .Release.Namespace }}.svc:9000"
-            access_key: "{{ .Values.global.minio.rootUser }}"
-            secret_key: "{{ .Values.global.minio.rootPassword }}"
+            access_key: "${rootUser}"
+            secret_key: "${rootPassword}"
            insecure: true
-      compactor:
-        compaction:
-          block_retention: 30d
+  distributor:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  ingester:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  compactor:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  querier:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
+  queryFrontend:
+    extraArgs:
+    - "-config.expand-env=true"
+    extraEnvFrom:
+    - secretRef:
+        name: "mmc-minio"
  traces:
    otlp:
      http:
@ -342,8 +386,7 @@ tempo-distributed:
        enabled: true

 minio:
-  rootUser: rootuser
-  rootPassword: rootpassword
+  existingSecret: "minio"
  buckets:
    - name: loki-chunks
      policy: none
--- a/docs/installation.md
+++ b/docs/installation.md
@ -25,17 +25,17 @@
   ```
   kubectl create secret generic logs -n meta \
    --from-literal=username=<logs username> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
    --from-literal=endpoint='https://logs-prod-us-central1.grafana.net/loki/api/v1/push'

   kubectl create secret generic metrics -n meta \
    --from-literal=username=<metrics username> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
    --from-literal=endpoint='https://prometheus-us-central1.grafana.net/api/prom/push'

   kubectl create secret generic traces -n meta \
    --from-literal=username=<OTLP instance ID> \
-    --from-literal=password=<token>
+    --from-literal=password=<token> \
    --from-literal=endpoint='https://otlp-gateway-prod-us-east-0.grafana.net/otlp'
   ```

@ -67,6 +67,14 @@
   kubectl create namespace meta
   ```

+1. Create a secret with the user and password for the local Minio:
+
+   ```
+   kubectl create secret generic minio -n meta \
+    --from-literal=rootPassword=<password> \
+    --from-literal=rootUser=<user>
+   ```
+
 1. Create a values.yaml file based on the [default one](../charts/meta-monitoring/values.yaml). An example minimal values.yaml looks like this:

   ```