[stable/grafana] datasource provisioning with sidecar should be done trough secrets

[seboudry]

We can define sidecar.datasources.enabled to deploy a sidecar that use configmaps with corresponding label for Grafana datasources provisioning.

This datasource configuration may contains sensitive data in secureJsonData field (other sensitive fields are now deprecated) : passwords, private keys, etc...

So, it'll be more secure to store these datasource configuration on Kubernetes using a secret and not a configmap.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

[maximbaz]

activity!

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

[maximbaz]

activity!

[fr-ser]

I would like to work on this, but the upstream sidecar PR is not being merged...

kiwigrid/k8s-sidecar#32

[fr-ser]

Since the sidecar PR has been merged, I could take a stab at adding this feature (should be fairly easy now), if this is in line with the maintainers goals.
I wouldn't want to work on this if it is not something the repo owners want to merge...

[maximbaz]

To confirm that there is a desire to merge this, pinging maintainers: @zanhsieh, @rtluckie, @maorfr

[maorfr]

yeah go for it!

[kyschouv]

Would this make it possible to have most of the provisioning details in a configmap, but load just the secret values from a secret? Right now we have secrets (api keys, etc.) in Kubernetes secrets, but the rest of our details in configmaps, and it'd be great to be able to have the sidecar merge those automatically (instead of us having to write something to do it).

[fr-ser]

That PR (and the sidecar behind it) do not support that.

[bailsman]

https://github.com/helm/charts/blob/master/stable/grafana/templates/clusterrole.yaml and
https://github.com/helm/charts/blob/master/stable/grafana/templates/role.yaml have the following lines:

{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }}
- apiGroups: [""] # "" indicates the core API group
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]
{{- end }}

With this change, does the role need to include secrets in addition to configmaps?

[fr-ser]

Good point. I somehow missed the normal role and only updated the clusterrole

https://github.com/helm/charts/blob/master/stable/grafana/templates/clusterrole.yaml and
https://github.com/helm/charts/blob/master/stable/grafana/templates/role.yaml have the following lines:

{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }}
- apiGroups: [""] # "" indicates the core API group
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]
{{- end }}

With this change, does the role need to include secrets in addition to configmaps?