Add the ability to get config remotely (#805)

Signed-off-by: Pete Wall <[email protected]>

.github/workflows/platform-test.yml

@@ -0,0 +1,92 @@
+---
+name: Platform Test
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - 'charts/**'
+      - '!charts/k8s-monitoring-v1/**'
+  pull_request:
+    paths:
+      - 'charts/**'
+      - '!charts/k8s-monitoring-v1/**'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  list-tests:
+    name: List tests
+    runs-on: ubuntu-latest
+    outputs:
+      tests: ${{ steps.list_tests.outputs.tests }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: List tests
+        id: list_tests
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ] && [ "${{contains(github.event.pull_request.labels.*.name, 'run-platform-tests')}}" != "true" ]; then
+            echo "Skipping platform tests"
+            exit 0
+          fi
+
+          tests=$(ls charts/k8s-monitoring/tests/platform)
+          echo "Tests: ${tests}"
+          echo "tests=$(echo "${tests}" | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. != ""))')" >> "${GITHUB_OUTPUT}"
+
+  run-tests:
+    name: Platform Test
+    needs: list-tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test: ${{ fromJson(needs.list-tests.outputs.tests) }}
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Check for cluster config
+        id: check-cluster-config
+        run: |
+          if [ -f "charts/k8s-monitoring/tests/integration/${{ matrix.test }}/cluster.yaml" ]; then
+            echo "has-cluster-config=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "has-cluster-config=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Create kind cluster
+        if: ${{ steps.check-cluster-config.outputs.has-cluster-config == 'false' }}
+        uses: helm/kind-action@v1
+
+      - name: Create kind cluster with special config
+        if: ${{ steps.check-cluster-config.outputs.has-cluster-config == 'true' }}
+        uses: helm/kind-action@v1
+        with:
+          config: charts/k8s-monitoring/tests/integration/${{ matrix.test }}/cluster.yaml
+
+      - name: Random number
+        id: random-number
+        uses: yakubique/[email protected]
+        with:
+          min: 100000
+          max: 999999
+
+      - name: Run test
+        env:
+          CREATE_CLUSTER: "false"
+          DEPLOY_GRAFANA: "false"
+          GRAFANA_CLOUD_FLEET_MGMT_USER: ${{ secrets.GRAFANA_CLOUD_FLEET_MGMT_USER }}
+          GRAFANA_CLOUD_FLEET_MGMT_TOKEN: ${{ secrets.GRAFANA_CLOUD_FLEET_MGMT_TOKEN }}
+          GRAFANA_CLOUD_METRICS_USERNAME: ${{ secrets.GRAFANA_CLOUD_METRICS_USERNAME }}
+          GRAFANA_CLOUD_LOGS_USERNAME: ${{ secrets.GRAFANA_CLOUD_LOGS_USERNAME }}
+          GRAFANA_CLOUD_RW_POLICY_TOKEN: ${{ secrets.GRAFANA_CLOUD_RW_POLICY_TOKEN }}
+          RANDOM_NUMBER: ${{ steps.random-number.outputs.number }}
+
+        run: ./scripts/run-integration-test.sh "charts/k8s-monitoring/tests/platform/${{ matrix.test }}"

charts/k8s-monitoring-test/.helmignore

@@ -1,23 +1,5 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
+docs
+schema-mods
+Makefile
+README.md
+README.md.gotmpl

charts/k8s-monitoring-test/schema-mods/test-definition.json

@@ -41,6 +41,20 @@
             "PROFILECLI_PASS": {"type": "string"}
           }
         },
+        "envFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "secretKeyRef": {
+                "type": "object",
+                "properties": {
+                  "name": {"type": "string"}
+                }
+              }
+            }
+          }
+        },
         "queries": {
           "type": "array",
           "items": {"$ref": "#/definitions/query"}

charts/k8s-monitoring-test/templates/configmap.yaml

@@ -8,7 +8,6 @@ metadata:
 data:
   queries.json: |-
     {
-      "queries":
-      {{- index $test "queries" | toPrettyJson | nindent 6 }}
+      "queries": {{ index $test "queries" | toPrettyJson | nindent 6 }}
     }
 {{- end }}

charts/k8s-monitoring-test/templates/secret.yaml

@@ -1,4 +1,5 @@
 {{- range $i, $test := .Values.tests }}
+{{- if hasKey $test "env" }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,3 +11,4 @@ stringData:
   {{ $key }}: {{ $value | quote }}
   {{- end }}
 {{- end }}
+{{- end }}

charts/k8s-monitoring-test/templates/tests/test-pod.yaml

@@ -63,8 +63,13 @@ spec:
           done
           exit 1
       envFrom:
+{{- if hasKey $test "env" }}
         - secretRef:
             name: {{ include "k8s-monitoring-test.fullname" $ }}-{{ $i }}
+{{- end }}
+{{- if hasKey $test "envFrom" }}
+{{ (index $test "envFrom") | toYaml | indent 8 }}
+{{- end }}
       volumeMounts:
         - name: queries
           mountPath: /etc/test

charts/k8s-monitoring-test/tests/secret_sources_test.yaml

@@ -0,0 +1,80 @@
+# yamllint disable rule:document-start rule:line-length rule:trailing-spaces
+suite: Various methods for loading secrets
+templates:
+  - secret.yaml
+  - tests/test-pod.yaml
+tests:
+  - it: creates its own secret when env is set
+    set:
+      tests:
+        - env:
+            PROMETHEUS_URL: http://prometheus.monitoring.svc.cluster.local:9090
+            PROMETHEUS_USER: prometheus
+            PROMETHEUS_PASSWORD: prompassword
+          queries:
+            - query: kube_node_info
+              type: promql
+    asserts:
+      - template: secret.yaml
+        isKind:
+          of: Secret
+      - template: secret.yaml
+        equal:
+          path: stringData["PROMETHEUS_URL"]
+          value: http://prometheus.monitoring.svc.cluster.local:9090
+      - template: tests/test-pod.yaml
+        hasDocuments:
+          count: 1
+      - template: tests/test-pod.yaml
+        equal:
+          path: spec.containers[0].envFrom[0].secretRef.name
+          value: RELEASE-NAME-k8s-monitoring-test-0
+  - it: does not create a secret when only using envFrom
+    set:
+      tests:
+        - envFrom:
+            - secretRef:
+                name: grafana-cloud-credentials
+          queries:
+            - query: kube_node_info
+              type: promql
+    asserts:
+      - template: tests/test-pod.yaml
+        hasDocuments:
+          count: 1
+      - template: tests/test-pod.yaml
+        equal:
+          path: spec.containers[0].envFrom[0].secretRef.name
+          value: grafana-cloud-credentials
+  - it: uses both
+    set:
+      tests:
+        - env:
+            PROMETHEUS_URL: http://prometheus.monitoring.svc.cluster.local:9090
+            PROMETHEUS_USER: prometheus
+            PROMETHEUS_PASSWORD: prompassword
+          envFrom:
+            - secretRef:
+                name: grafana-cloud-credentials
+          queries:
+            - query: kube_node_info
+              type: promql
+    asserts:
+      - template: secret.yaml
+        isKind:
+          of: Secret
+      - template: secret.yaml
+        equal:
+          path: stringData["PROMETHEUS_URL"]
+          value: http://prometheus.monitoring.svc.cluster.local:9090
+      - template: tests/test-pod.yaml
+        hasDocuments:
+          count: 1
+      - template: tests/test-pod.yaml
+        equal:
+          path: spec.containers[0].envFrom[0].secretRef.name
+          value: RELEASE-NAME-k8s-monitoring-test-0
+      - template: tests/test-pod.yaml
+        equal:
+          path: spec.containers[0].envFrom[1].secretRef.name
+          value: grafana-cloud-credentials

charts/k8s-monitoring-test/values.schema.json

@@ -181,6 +181,22 @@
                         }
                     }
                 },
+                "envFrom": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "secretKeyRef": {
+                                "type": "object",
+                                "properties": {
+                                    "name": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                },
                 "queries": {
                     "type": "array",
                     "items": {

charts/k8s-monitoring/Chart.lock

@@ -39,4 +39,4 @@ dependencies:
   repository: https://grafana.github.io/helm-charts
   version: 0.9.1
 digest: sha256:4cac24fb5b4c8dba5508a79980ae781c65da75bcf2a279967bc8c5d7f9e4fad4
-generated: "2024-10-25T15:57:55.519739+02:00"
+generated: "2024-10-28T18:15:53.905284-05:00"

charts/k8s-monitoring/README.md

@@ -150,6 +150,19 @@ podLogs:
 | alloy-logs.liveDebugging.enabled | bool | `false` | Enable live debugging for the Alloy instance. Requires stability level to be set to "experimental". |
 | alloy-logs.logging.format | string | `"logfmt"` | Format to use for writing Alloy log lines. |
 | alloy-logs.logging.level | string | `"info"` | Level at which Alloy log lines should be written. |
+| alloy-logs.remoteConfig.auth.password | string | `""` | The password to use for the remote config server. |
+| alloy-logs.remoteConfig.auth.passwordFrom | string | `""` | Raw config for accessing the password. |
+| alloy-logs.remoteConfig.auth.passwordKey | string | `"password"` | The key for storing the username in the secret. |
+| alloy-logs.remoteConfig.auth.type | string | `"none"` | The type of authentication to use for the remote config server. |
+| alloy-logs.remoteConfig.auth.username | string | `""` | The username to use for the remote config server. |
+| alloy-logs.remoteConfig.auth.usernameFrom | string | `""` | Raw config for accessing the username. |
+| alloy-logs.remoteConfig.auth.usernameKey | string | `"username"` | The key for storing the username in the secret. |
+| alloy-logs.remoteConfig.enabled | bool | `false` | Enable fetching configuration from a remote config server. |
+| alloy-logs.remoteConfig.secret.create | bool | `true` | Whether to create a secret for the remote config server. |
+| alloy-logs.remoteConfig.secret.embed | bool | `false` | If true, skip secret creation and embed the credentials directly into the configuration. |
+| alloy-logs.remoteConfig.secret.name | string | `""` | The name of the secret to create. |
+| alloy-logs.remoteConfig.secret.namespace | string | `""` | The namespace for the secret. |
+| alloy-logs.remoteConfig.url | string | `""` | The URL of the remote config server. |
 
 ### Collectors - Alloy Metrics
 
@@ -162,6 +175,22 @@ podLogs:
 | alloy-metrics.liveDebugging.enabled | bool | `false` | Enable live debugging for the Alloy instance. Requires stability level to be set to "experimental". |
 | alloy-metrics.logging.format | string | `"logfmt"` | Format to use for writing Alloy log lines. |
 | alloy-metrics.logging.level | string | `"info"` | Level at which Alloy log lines should be written. |
+| alloy-metrics.remoteConfig.auth.password | string | `""` | The password to use for the remote config server. |
+| alloy-metrics.remoteConfig.auth.passwordFrom | string | `""` | Raw config for accessing the password. |
+| alloy-metrics.remoteConfig.auth.passwordKey | string | `"password"` | The key for storing the password in the secret. |
+| alloy-metrics.remoteConfig.auth.type | string | `"none"` | The type of authentication to use for the remote config server. |
+| alloy-metrics.remoteConfig.auth.username | string | `""` | The username to use for the remote config server. |
+| alloy-metrics.remoteConfig.auth.usernameFrom | string | `""` | Raw config for accessing the password. |
+| alloy-metrics.remoteConfig.auth.usernameKey | string | `"username"` | The key for storing the username in the secret. |
+| alloy-metrics.remoteConfig.enabled | bool | `false` | Enable fetching configuration from a remote config server. |
+| alloy-metrics.remoteConfig.extraAttributes | object | `{}` | Attributes to be added to this collector when requesting configuration. |
+| alloy-metrics.remoteConfig.id | string | `<cluster>-<namespace>-<pod-name>` | The unique identifier for this Alloy instance. |
+| alloy-metrics.remoteConfig.pollFrequency | string | `"5m"` | The frequency at which to poll the remote config server for updates. |
+| alloy-metrics.remoteConfig.secret.create | bool | `true` | Whether to create a secret for the remote config server. |
+| alloy-metrics.remoteConfig.secret.embed | bool | `false` | If true, skip secret creation and embed the credentials directly into the configuration. |
+| alloy-metrics.remoteConfig.secret.name | string | `""` | The name of the secret to create. |
+| alloy-metrics.remoteConfig.secret.namespace | string | `""` | The namespace for the secret. |
+| alloy-metrics.remoteConfig.url | string | `""` | The URL of the remote config server. |
 
 ### Collectors - Alloy Profiles
 
@@ -173,6 +202,19 @@ podLogs:
 | alloy-profiles.liveDebugging.enabled | bool | `false` | Enable live debugging for the Alloy instance. Requires stability level to be set to "experimental". |
 | alloy-profiles.logging.format | string | `"logfmt"` | Format to use for writing Alloy log lines. |
 | alloy-profiles.logging.level | string | `"info"` | Level at which Alloy log lines should be written. |
+| alloy-profiles.remoteConfig.auth.password | string | `""` | The password to use for the remote config server. |
+| alloy-profiles.remoteConfig.auth.passwordFrom | string | `""` | Raw config for accessing the password. |
+| alloy-profiles.remoteConfig.auth.passwordKey | string | `"password"` | The key for storing the password in the secret. |
+| alloy-profiles.remoteConfig.auth.type | string | `"none"` | The type of authentication to use for the remote config server. |
+| alloy-profiles.remoteConfig.auth.username | string | `""` | The username to use for the remote config server. |
+| alloy-profiles.remoteConfig.auth.usernameFrom | string | `""` | Raw config for accessing the username. |
+| alloy-profiles.remoteConfig.auth.usernameKey | string | `"username"` | The key for storing the username in the secret. |
+| alloy-profiles.remoteConfig.enabled | bool | `false` | Enable fetching configuration from a remote config server. |
+| alloy-profiles.remoteConfig.secret.create | bool | `true` | Whether to create a secret for the remote config server. |
+| alloy-profiles.remoteConfig.secret.embed | bool | `false` | If true, skip secret creation and embed the credentials directly into the configuration. |
+| alloy-profiles.remoteConfig.secret.name | string | `""` | The name of the secret to create. |
+| alloy-profiles.remoteConfig.secret.namespace | string | `""` | The namespace for the secret. |
+| alloy-profiles.remoteConfig.url | string | `""` | The URL of the remote config server. |
 
 ### Collectors - Alloy Receiver
 
@@ -185,6 +227,19 @@ podLogs:
 | alloy-receiver.liveDebugging.enabled | bool | `false` | Enable live debugging for the Alloy instance. Requires stability level to be set to "experimental". |
 | alloy-receiver.logging.format | string | `"logfmt"` | Format to use for writing Alloy log lines. |
 | alloy-receiver.logging.level | string | `"info"` | Level at which Alloy log lines should be written. |
+| alloy-receiver.remoteConfig.auth.password | string | `""` | The password to use for the remote config server. |
+| alloy-receiver.remoteConfig.auth.passwordFrom | string | `""` | Raw config for accessing the password. |
+| alloy-receiver.remoteConfig.auth.passwordKey | string | `"password"` | The key for storing the password in the secret. |
+| alloy-receiver.remoteConfig.auth.type | string | `"none"` | The type of authentication to use for the remote config server. |
+| alloy-receiver.remoteConfig.auth.username | string | `""` | The username to use for the remote config server. |
+| alloy-receiver.remoteConfig.auth.usernameFrom | string | `""` | Raw config for accessing the username. |
+| alloy-receiver.remoteConfig.auth.usernameKey | string | `"username"` | The key for storing the username in the secret. |
+| alloy-receiver.remoteConfig.enabled | bool | `false` | Enable fetching configuration from a remote config server. |
+| alloy-receiver.remoteConfig.secret.create | bool | `true` | Whether to create a secret for the remote config server. |
+| alloy-receiver.remoteConfig.secret.embed | bool | `false` | If true, skip secret creation and embed the credentials directly into the configuration. |
+| alloy-receiver.remoteConfig.secret.name | string | `""` | The name of the secret to create. |
+| alloy-receiver.remoteConfig.secret.namespace | string | `""` | The namespace for the secret. |
+| alloy-receiver.remoteConfig.url | string | `""` | The URL of the remote config server. |
 
 ### Collectors - Alloy Singleton
 
@@ -197,6 +252,19 @@ podLogs:
 | alloy-singleton.liveDebugging.enabled | bool | `false` | Enable live debugging for the Alloy instance. Requires stability level to be set to "experimental". |
 | alloy-singleton.logging.format | string | `"logfmt"` | Format to use for writing Alloy log lines. |
 | alloy-singleton.logging.level | string | `"info"` | Level at which Alloy log lines should be written. |
+| alloy-singleton.remoteConfig.auth.password | string | `""` | The password to use for the remote config server. |
+| alloy-singleton.remoteConfig.auth.passwordFrom | string | `""` | Raw config for accessing the password. |
+| alloy-singleton.remoteConfig.auth.passwordKey | string | `"password"` | The key for storing the password in the secret. |
+| alloy-singleton.remoteConfig.auth.type | string | `"none"` | The type of authentication to use for the remote config server. |
+| alloy-singleton.remoteConfig.auth.username | string | `""` | The username to use for the remote config server. |
+| alloy-singleton.remoteConfig.auth.usernameFrom | string | `""` | Raw config for accessing the username. |
+| alloy-singleton.remoteConfig.auth.usernameKey | string | `"username"` | The key for storing the username in the secret. |
+| alloy-singleton.remoteConfig.enabled | bool | `false` | Enable fetching configuration from a remote config server. |
+| alloy-singleton.remoteConfig.secret.create | bool | `true` | Whether to create a secret for the remote config server. |
+| alloy-singleton.remoteConfig.secret.embed | bool | `false` | If true, skip secret creation and embed the credentials directly into the configuration. |
+| alloy-singleton.remoteConfig.secret.name | string | `""` | The name of the secret to create. |
+| alloy-singleton.remoteConfig.secret.namespace | string | `""` | The namespace for the secret. |
+| alloy-singleton.remoteConfig.url | string | `""` | The URL of the remote config server. |
 
 ### Features - Annotation Autodiscovery