feat(helm): Allow provisioner to be namespaced (#16091)

Signed-off-by: Ryan Brady <[email protected]>
grafana · Feb 12, 2025 · 40458f9 · 40458f9
1 parent c427a0c
commit 40458f9
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 6 deletions.
diff --git a/docs/sources/setup/install/helm/reference.md b/docs/sources/setup/install/helm/reference.md
@@ -3075,6 +3075,7 @@ null
     "enabled": true,
     "env": [],
     "extraVolumeMounts": [],
+    "hookType": "post-install",
     "image": {
       "digest": null,
       "pullPolicy": "IfNotPresent",
@@ -3263,6 +3264,7 @@ null
   "enabled": true,
   "env": [],
   "extraVolumeMounts": [],
+  "hookType": "post-install",
   "image": {
     "digest": null,
     "pullPolicy": "IfNotPresent",
@@ -3337,6 +3339,15 @@ true
 			<td><pre lang="json">
 []
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.provisioner.hookType</td>
+			<td>string</td>
+			<td>Hook type(s) to customize when the job runs.  defaults to post-install</td>
+			<td><pre lang="json">
+"post-install"
+</pre>
 </td>
 		</tr>
 		<tr>

diff --git a/production/helm/loki/templates/provisioner/job-provisioner.yaml b/production/helm/loki/templates/provisioner/job-provisioner.yaml
@@ -14,7 +14,7 @@ metadata:
     {{- with .Values.enterprise.provisioner.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-    "helm.sh/hook": post-install
+    "helm.sh/hook": {{ .Values.enterprise.provisioner.hookType | default "post-install" | quote }}
     "helm.sh/hook-weight": "15"
 spec:
   backoffLimit: 6

diff --git a/production/helm/loki/templates/provisioner/role-provisioner.yaml b/production/helm/loki/templates/provisioner/role-provisioner.yaml
@@ -1,6 +1,6 @@
-{{ if and (and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled) (not .Values.rbac.namespaced)}}
+{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}Role
 metadata:
   name: {{ template "enterprise-logs.provisionerFullname" . }}
   namespace: {{ $.Release.Namespace }}

diff --git a/production/helm/loki/templates/provisioner/rolebinding-provisioner.yaml b/production/helm/loki/templates/provisioner/rolebinding-provisioner.yaml
@@ -1,7 +1,7 @@
-{{ if and (and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled) (not .Values.rbac.namespaced)}}
+{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ if not .Values.rbac.namespaced }}Cluster{{ else }}Role{{ end }}Binding
 metadata:
   name: {{ template "enterprise-logs.provisionerFullname" . }}
   namespace: {{ $.Release.Namespace }}
@@ -17,7 +17,7 @@ metadata:
     "helm.sh/hook": post-install
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}Role
   name: {{ template "enterprise-logs.provisionerFullname" . }}
 subjects:
   - kind: ServiceAccount

diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
@@ -611,6 +611,8 @@ enterprise:
     enabled: true
     # -- Name of the secret to store provisioned tokens in
     provisionedSecretPrefix: null
+    # -- Hook type(s) to customize when the job runs.  defaults to post-install
+    hookType: "post-install"
     # -- Additional tenants to be created. Each tenant will get a read and write policy
     # and associated token. Tenant must have a name and a namespace for the secret containting
     # the token to be created in. For example