Add permissions

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>
Add secret step
2024-05-31 14:56:32 +01:00 · 2024-05-31 14:53:22 +01:00 · 2024-05-31 14:49:41 +01:00 · 2024-05-31 14:36:05 +01:00 · 2024-05-31 14:29:24 +01:00 · 2024-05-31 14:06:06 +01:00
8 changed files with 80 additions and 176 deletions
--- a/.github/workflows/check-for-dependency-updates.yaml
+++ b/.github/workflows/check-for-dependency-updates.yaml
@@ -19,6 +19,9 @@ jobs:
    updateVersions:
        name: Update the subcharts
        runs-on: "ubuntu-latest"
+        permissions:
+          contents: write
+          id-token: write
        steps:
            - name: Checkout
              uses: actions/checkout@v2
@@ -66,6 +69,20 @@ jobs:
                  echo "changed=true" >> "${GITHUB_OUTPUT}"
                fi

+            - id: get-secrets
+              uses: grafana/shared-workflows/actions/get-vault-secrets@main
+              with:
+                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+                repo_secrets: |
+                  APP_ID=github-app:app-id
+                  PRIVATE_KEY=github-app:private-key
+
+            - uses: actions/create-github-app-token@v1
+              id: app-token
+              with:
+                app-id: ${{ env.APP_ID }}
+                private-key: ${{ env.PRIVATE_KEY }}
+
            - name: Create pull request
              if: steps.update-loki.outputs.changed == 'true' || steps.update-grafana-alloy.outputs.changed == 'true' || steps.update-mimir-distributed.outputs.changed == 'true' || steps.update-tempo-distributed.outputs.changed == 'true' || steps.update-minio.outputs.changed == 'true'
              uses: peter-evans/create-pull-request@v5
@@ -79,10 +96,15 @@ jobs:
                labels: dependencies
                branch: chore/update-dependencies
                delete-branch: true
+                team-reviewers: "@grafana/loki-squad"
+                token: ${{ steps.app-token.outputs.token }}

    updateGrafana:
        name: Update the Grafana version
        runs-on: "ubuntu-latest"
+        permissions:
+          contents: write
+          id-token: write
        steps:
            - name: Checkout
              uses: actions/checkout@v2
@@ -98,6 +120,20 @@ jobs:
                  echo "changed=true" >> "${GITHUB_OUTPUT}"
                fi

+            - id: get-secrets
+              uses: grafana/shared-workflows/actions/get-vault-secrets@main
+              with:
+                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+                repo_secrets: |
+                  APP_ID=github-app:app-id
+                  PRIVATE_KEY=github-app:private-key
+
+            - uses: actions/create-github-app-token@v1
+              id: app-token
+              with:
+                app-id: ${{ env.APP_ID }}
+                private-key: ${{ env.PRIVATE_KEY }}
+
            - name: Create pull request
              if: steps.update-grafana.outputs.changed == 'true'
              uses: peter-evans/create-pull-request@v5
@@ -111,3 +147,5 @@ jobs:
                labels: dependencies
                branch: chore/update-minio
                delete-branch: true
+                team-reviewers: "@grafana/loki-squad"
+                token: ${{ steps.app-token.outputs.token }}
--- a/.github/workflows/helm-ci.yml
+++ b/.github/workflows/helm-ci.yml
@@ -20,48 +20,48 @@ jobs:
      - name: Lint Yaml
        run: make helm-lint

-  call-test:
-    name: Test Helm Chart
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+  # call-test:
+  #   name: Test Helm Chart
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+  #       with:
+  #         fetch-depth: 0

-      - name: Set up Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.14.0
+  #     - name: Set up Helm
+  #       uses: azure/setup-helm@v3
+  #       with:
+  #         version: v3.8.2

-      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
-      # yamllint (https://github.com/adrienverge/yamllint) which require Python
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.9
+  #     # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
+  #     # yamllint (https://github.com/adrienverge/yamllint) which require Python
+  #     - name: Set up Python
+  #       uses: actions/setup-python@v4
+  #       with:
+  #         python-version: 3.9

-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2
+  #     - name: Set up chart-testing
+  #       uses: helm/chart-testing-action@v2

-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --config "${CT_CONFIGFILE}")
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> $GITHUB_OUTPUT
-          fi
+  #     - name: Run chart-testing (list-changed)
+  #       id: list-changed
+  #       run: |
+  #         changed=$(ct list-changed --config "${CT_CONFIGFILE}")
+  #         if [[ -n "$changed" ]]; then
+  #           echo "changed=true" >> $GITHUB_OUTPUT
+  #         fi

-      - name: Run chart-testing (lint)
-        run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=false
+  #     - name: Run chart-testing (lint)
+  #       run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=false

-      - name: Create kind cluster
-        uses: helm/kind-action@v1
-        if: steps.list-changed.outputs.changed == 'true'
-        with:
-           config: "${{ github.workspace }}/.github/configs/cluster-config.yaml"
+  #     - name: Create kind cluster
+  #       uses: helm/kind-action@v1
+  #       if: steps.list-changed.outputs.changed == 'true'
+  #       with:
+  #         config: "${{ github.workspace }}/.github/configs/cluster-config.yaml"

-      - name: Run chart-testing (install)
-        run: |
-          changed=$(ct list-changed --config "${CT_CONFIGFILE}")
-          ct install --config "${CT_CONFIGFILE}"
+  #     - name: Run chart-testing (install)
+  #       run: |
+  #         changed=$(ct list-changed --config "${CT_CONFIGFILE}")
+  #         ct install --config "${CT_CONFIGFILE}"
--- a/charts/meta-monitoring/ci/local-values.yaml
+++ b/charts/meta-monitoring/ci/local-values.yaml
@@ -1,116 +0,0 @@
-namespacesToMonitor:
- loki
-
-local:
-  grafana:
-    enabled: true
-  logs:
-    enabled: true
-  metrics:
-    enabled: true
-  traces:
-    enabled: true
-  minio:
-    enabled: true
-    createSecret: false
-
-cloud:
-  logs:
-    enabled: false
-    secret: logs
-  metrics:
-    enabled: false
-    secret: metrics
-  traces:
-    enabled: false
-    secret: traces
-
-grafana:
-  ingress:
-    hosts:
-      - host: monitoring.example.com
-        paths:
-          - path: /
-            pathType: Prefix
-
-minio:
-  existingSecret: ""
-  rootUser: "abcdefghi"
-  rootPassword: "defghijkl"
-
-loki:
-  deploymentMode: SingleBinary
-  singleBinary:
-    replicas: 1
-    resources:
-      limits:
-        cpu: 3
-        memory: 4Gi
-      requests:
-        cpu: 2
-        memory: 2Gi
-    extraEnv:
-      # Keep a little bit lower than memory limits
-      - name: GOMEMLIMIT
-        value: 3750MiB
-
-  chunksCache:
-    # default is 500MB, with limited memory keep this smaller
-    writebackSizeLimit: 10MB
-
-  # Zero out replica counts of other deployment modes
-  backend:
-    replicas: 0
-  read:
-    replicas: 0
-  write:
-    replicas: 0
-
-  ingester:
-    replicas: 0
-  querier:
-    replicas: 0
-  queryFrontend:
-    replicas: 0
-  queryScheduler:
-    replicas: 0
-  distributor:
-    replicas: 0
-  compactor:
-    replicas: 0
-  indexGateway:
-    replicas: 0
-  bloomCompactor:
-    replicas: 0
-  bloomGateway:
-    replicas: 0
-
-mimir-distributed:
-  minio:
-    enabled: false
-  global:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
-
-tempo-distributed:
-  distributor:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
-  ingester:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
-  compactor:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
-  querier:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
-  queryFrontend:
-    extraEnvFrom:
-    - secretRef:
-        name: "meta-minio"
--- a/charts/meta-monitoring/ct.yaml
+++ b/charts/meta-monitoring/ct.yaml
@@ -6,5 +6,6 @@ chart-dirs:
 chart-repos:
  - grafana=https://grafana.github.io/helm-charts
  - minio=https://charts.min.io
+helm-extra-args: --timeout 1200s
 check-version-increment: false
 validate-maintainers: false
--- a/charts/meta-monitoring/templates/minio/secret.yaml
+++ b/charts/meta-monitoring/templates/minio/secret.yaml
@@ -1,13 +0,0 @@
-{{- if .Values.local.minio.createSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: minio
-  namespace: {{ $.Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-data:
-  rootUser: dmFsdWUtMg0KDQo=
-  rootPassword: dmFsdWUtMg0KDQo=
-{{- end }}
--- a/charts/meta-monitoring/templates/ruler/ruler.yaml
+++ b/charts/meta-monitoring/templates/ruler/ruler.yaml
@@ -51,11 +51,7 @@ spec:
              protocol: TCP
          envFrom:
          - secretRef:
-{{- if .Values.local.minio.enabled }}
-             name: {{ $.Release.Namespace }}-minio
-{{- else }}
             name: minio
-{{- end }}
          readinessProbe:
            failureThreshold: 3
            httpGet:
--- a/charts/meta-monitoring/templates/validate.yaml
+++ b/charts/meta-monitoring/templates/validate.yaml
@@ -41,4 +41,3 @@
 {{- if empty .Values.metrics.retain -}}
  {{- fail "All metrics will be collected, please specify some in metrics.retain" -}}
 {{- end -}}
-
--- a/charts/meta-monitoring/values.yaml
+++ b/charts/meta-monitoring/values.yaml
@@ -26,8 +26,7 @@ local:
  traces:
    enabled: false
  minio:
-    enabled: false  # This should be set to true if any of the previous is enabled
-    createSecret: false  # This is used for testing, do not use in production
+    enabled: false # This should be set to true if any of the previous is enabled
 grafana:
  version: 10.4.2
  # Gateway ingress configuration
@@ -53,14 +52,14 @@ grafana:
            #     port:
            #       number: TODO
    # -- TLS configuration for the gateway ingress. Hosts passed through the `tpl` function to allow templating
-    # tls:
+    #tls:
    #  - secretName: grafana-tls
    #    hosts:
    #      - monitoring.example.com
 logs:
  # Adding regexes here will add a stage.replace block for logs. For more information see
  # https://grafana.com/docs/agent/latest/flow/reference/components/loki.process/#stagereplace-block
-  piiRegexes: null  # This example replaces the word after password with *****
+  piiRegexes: null # This example replaces the word after password with *****
 # - expression: "password (\\\\S+)"
 #   source: ""         # Empty uses the log message
 #   replace: "*****""
Author	SHA1	Message	Date
Michel Hollands	0ef850e96c	Add permissions Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:56:32 +01:00
Michel Hollands	c91a819e77	Add secret step Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:53:22 +01:00
Michel Hollands	71462a9f93	Use other token Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:49:41 +01:00
Michel Hollands	c5f1daf8f0	Use team-reviewers Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:36:05 +01:00
Michel Hollands	952c3e85d9	Use @ Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:29:24 +01:00
Michel Hollands	f6b72897cd	Use other form Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:06:06 +01:00
Michel Hollands	8b6314fde3	Add loki-squad as PR reviewers Signed-off-by: Michel Hollands <michel.hollands@gmail.com>	2024-05-31 14:03:07 +01:00