Add mysql backend #13
base: master
type: Opaque | ||
stringData: | ||
username: ocfgrafana | ||
password: "<%= prometheus_pass %>" | ||
GF_SERVER_ROOT_URL: "https://grafana.ocf.berkeley.edu" |
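Review bot: GF_SERVER_ROOT_URL on the last line of this hunk is a public URL, yet it sits in the stringData of an Opaque Secret next to password; move it to a ConfigMap or a plain env entry in the pod template so the Secret holds only credentials. Separately, password: "<%= prometheus_pass %>" interpolates the value inside a double-quoted YAML scalar, so a password containing a double quote or a backslash would render an invalid or altered manifest; have the template emit a safely quoted value, or constrain the character set of the generated password.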
I don't know what the established convention is here, though I have assumed Kubernetes secrets should be reserved for... things that are actually secret.
Grafana makes this even easier for us-- we don't have to use Kubernetes "Secrets" at all, since we can place passwords in individual files in the Puppet private share and point to them with GF_SETTINGNAME__FILE options (see GF_DATABASE_PASSWORD__FILE above for an example). I slightly prefer this because I think our templating code for secrets is a little weird (I don't like how it passes through Jenkins).
It's probably not a huge deal either way, though I'd recommend consolidating on one way instead of the awkward hybrid we have now.
agree that non-secrets should just be specified in a configmap or directly in the pod template, not in a Secret resource. I don't think there is a problem with templates over files (in fact I like the templating system better, it's more clear what's going on).
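A sketch of the consolidated, file-based layout discussed in the two comments above, combined with the ConfigMap suggestion. This is an added example, not the project's own manifest: the object names, the mount path and the hostPath location are hypothetical placeholders, and it assumes the official Grafana container image, whose entrypoint resolves `__FILE` variables at start-up.

```yaml
# Added illustration. Object names and paths are placeholders, not the project's.
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config                  # hypothetical name
data:
  # Non-secret settings live here instead of in a Secret.
  GF_SERVER_ROOT_URL: "https://grafana.ocf.berkeley.edu"
  GF_DATABASE_TYPE: "mysql"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      containers:
        - name: grafana
          image: grafana/grafana        # pin a tag or digest in real use
          envFrom:
            - configMapRef:
                name: grafana-config
          env:
            # The image entrypoint reads this file and exports its contents
            # as GF_DATABASE_PASSWORD; the password never appears in the manifest.
            - name: GF_DATABASE_PASSWORD__FILE
              value: /run/grafana-secrets/database_password
          volumeMounts:
            - name: grafana-secrets
              mountPath: /run/grafana-secrets
              readOnly: true
      volumes:
        - name: grafana-secrets
          hostPath:
            path: /path/to/private-share/grafana   # placeholder for the private share
            type: Directory
```

With this layout the password file should be readable only by the user the container runs as, since anything else on the node that can read the directory can read the credential.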
You need to fix the grafana.yml in the private share to use the correct variable names before merging this. The changes to that file were breaking deploys for prod. https://irclogs.ocf.berkeley.edu/rebuild-spam/2020-04-22#454679;
We also move the secrets from files to environment variables so the mysql backend can access them.