HPCC-32240 Grafana/Loki logaccess client secret improvements
- Removes checked-in secrets templates
- Adds secret manifest
- Adds detailed steps in readme

Signed-off-by: Rodrigo Pastrana <Rodrigo.Pastrana@lexisnexisrisk.com>
rpastrana committed Jul 12, 2024
1 parent 58924f3 commit 49ea8da
Showing 5 changed files with 99 additions and 21 deletions.
70 changes: 65 additions & 5 deletions helm/managed/logging/loki-stack/README.md
@@ -85,27 +85,87 @@ The logAccess feature allows HPCC to query and package relevant logs for various

### Provide target Grafana/Loki access information

HPCC logAccess requires access to the Grafana username/password. Those values must be provided via a secure secret object.
HPCC logAccess requires access to the Grafana username/password credentials. Those values must be provided via a secure secret object.

The secret is expected to be in the 'esp' category, and be named 'grafana-logaccess'. The following key-value pairs are required (key names must be spelled exactly as shown here)

username - This should contain the Grafana username
password - This should contain the Grafana password

#### Create secret using script
The included 'create-grafana-logaccess-secret.sh' helper can be used to create the necessary secret.

Example scripted secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys):
Example scripted secret creation command:

```
create-grafana-logaccess-secret.sh -d HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc
create-grafana-logaccess-secret.sh -u admin -p somepass -n hpcc
```

#### Create secret manually from file
Otherwise, users can create the secret manually.

Example manual secret creation command (assuming ./secrets-templates contains a file named exactly as the above keys):
Example manual secret creation command (assuming ./secrets-templates contains files named exactly as the above keys):

```
kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed//logging/loki-stack/secrets-templates/ -n hpcc
kubectl create secret generic grafana-logaccess --from-file=HPCC-Platform/helm/managed/logging/loki-stack/secrets-templates/ -n hpcc
```

#### Create secret manually from manifest
Otherwise, users can create the secret through a manifest file.

First, base64 encode the credentials:

```
echo -n 'admin' | base64
echo -n 'whatevergrafanapassword' | base64
```

Add the encoded values to the provided manifest file 'grafana-logaccess-secret.yaml'

```
apiVersion: v1
kind: Secret
metadata:
name: grafana-logaccess
type: Opaque
data:
#Base64 encoded username and password for Grafana
#can be encoded using the following command:
# echo -n 'admin' | base64
username: YWRtaW4=
# echo -n 'whatevergrafanapassword' | base64
password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ=
```

Then apply the manifest values:

```
kubectl apply -f ./grafana-logaccess-secret.yaml --namespace hpcc --server-side
```

#### Verify secret

At this point, confirm the secret has been created with the expected key values:

```
kubectl describe secret grafana-logaccess -n hpcc
```

The output should be something like this:

```
kubectl describe secret grafana-logaccess -n hpcc
Name: grafana-logaccess
Namespace: hpcc
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 40 bytes
username: 5 bytes
```

### Configure HPCC logAccess
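
Review bot: The "Create secret manually from file" section still points `--from-file` at `./secrets-templates`, but this commit deletes `secrets-templates/password` and `secrets-templates/username`, so the documented command has nothing to read. State that the user must first create files named `username` and `password` in a directory outside the checkout, written without a trailing newline because `--from-file` stores the file contents verbatim, and then pass that directory. The "Verify secret" sample would be easier to check against if its byte counts matched the example credentials used earlier in the section.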
36 changes: 22 additions & 14 deletions helm/managed/logging/loki-stack/create-grafana-logaccess-secret.sh
@@ -1,30 +1,24 @@
#!/bin/bash
WORK_DIR=$(dirname $0)
source ${WORK_DIR}/env-loganalytics

k8scommand="kubectl"
secretname="grafana-logaccess"
secretsdir="${WORK_DIR}/secrets-templates"
namespace="default"
username="admin"
password=""

usage()
{
echo "Creates necessary k8s secret used by HPCC's logAccess to access Loki data source through Grafana"
echo "> create-grafana-logaccess-secret.sh [Options]"
echo ""
echo "Example: create-grafana-logaccess-secret.sh -u admin -p mypassword -n mynamespace"
echo ""
echo "Options:"
echo "-d Specifies directory containing required secret values in self named files."
echo " Defaults to <workingdir>/<${secretssubdir}>"
echo "-u Grafana user name (default: admin)"
echo "-p Grafana password (required)"
echo "-h Print Usage message"
echo "-n Specifies namespace for secret"
echo ""
echo "Requires directory containing secret values in dedicated files."
echo "Defaults to ${secretssubdir} if not specified via -d option."
echo ""
echo "Expected directory structure:"
echo "${secretsdir}/"
echo " password - Should contain Grafana user name"
echo " username - Should contain Grafana password"
echo "-n Specifies namespace for secret (default: default)"
}

while [ "$#" -gt 0 ]; do
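
Review bot: Taking the password through `-p` (usage line `-p Grafana password (required)`) puts it in shell history and in the process argument list, where other users on the host can read it. Consider prompting with `read -s` when `-p` is omitted, or accepting the value from an environment variable or a file, and say so in the usage text. Separately, `WORK_DIR=$(dirname $0)` and `source ${WORK_DIR}/env-loganalytics` are unquoted and break when the script path contains spaces.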
@@ -37,13 +31,26 @@ while [ "$#" -gt 0 ]; do
-d) shift
secretsdir=$1
;;
-u) shift
username=$1
;;
-p) shift
password=$1
;;
-n) shift
namespace=$1
;;
esac
shift
done

if [ -z "${password}" ];
then
echo "Error: Missing required password!"
echo >&2
usage
exit 1
fi
echo "Creating '${namespace}/${secretname}' secret."

command -v ${k8scommand} >/dev/null 2>&1 || { echo >&2 "Aborting - '${k8scommand}' not found!"; exit 1; }
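
Review bot: In the missing-password check, `echo "Error: Missing required password!"` goes to stdout and the following `echo >&2` sends only an empty line to stderr; the redirect looks intended for the error text, so use `echo >&2 "Error: Missing required password!"`. The `-u`, `-p` and `-n` cases also take `$1` after `shift` without checking that a value follows, so `-p -n hpcc` sets the password to `-n`. The `-d` case still sets `secretsdir`, which the new create command no longer reads; drop it or reject it with a message.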
@@ -53,10 +60,11 @@ if [[ $? -eq 0 ]]
then
echo "WARNING: Target secret '${namespace}/${secretname}' already exists! Delete it and re-run if secret update desired."
echo "${errormessage}"
echo "use this command: '${k8scommand} delete secret ${secretname} -n ${namespace}'"
exit 1
fi

errormessage=$(${k8scommand} create secret generic ${secretname} --from-file=${secretsdir} -n ${namespace} )
errormessage=$(${k8scommand} create secret generic ${secretname} --from-literal=username=${username} --from-literal=password=${password} -n ${namespace})
if [[ $? -ne 0 ]]
then
echo "Error creating: Target secret '${namespace}/${secretname}'!"
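
Review bot: In the new create command, `${username}` and `${password}` are expanded unquoted, so a password containing spaces, `*` or other shell-special characters is word-split or globbed and the secret ends up with the wrong value or the command fails. Quote each argument, for example `"--from-literal=password=${password}"`. `--from-literal` also places the password on kubectl's command line; writing it to a temporary file with restrictive permissions and using `--from-file=password=<path>` avoids that.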
12 changes: 12 additions & 0 deletions helm/managed/logging/loki-stack/grafana-logaccess-secret.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
name: grafana-logaccess
type: Opaque
data:
#Base64 encoded username and password for Grafana
#can be encoded using the following command:
# echo -n 'admin' | base64
username: YWRtaW4=
# echo -n 'whatevergrafanapassword' | base64
password: d2hhdGV2ZXJncmFmYW5hcGFzc3dvcmQ=
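
Review bot: The manifest ships with usable credentials in `data:` (`username: YWRtaW4=` and a password that is the base64 of the example string in the comment above it), so applying it unedited creates a secret with a publicly known password, and editing it in place in the checkout invites committing the real one, which is what removing secrets-templates was meant to stop. Replace both values with placeholders that are not valid base64 so an unedited apply is rejected, and add a comment that the filled-in file must not be committed; `stringData:` would also let users skip the encoding step. Base64 is encoding only, so the completed file needs the same handling as a plaintext password.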
1 change: 0 additions & 1 deletion helm/managed/logging/loki-stack/secrets-templates/password

This file was deleted.

1 change: 0 additions & 1 deletion helm/managed/logging/loki-stack/secrets-templates/username

This file was deleted.
