@fydai fydai commented Apr 7, 2020

We also move the secrets from files to environment variables so the mysql backend can access them.

stringData:
  username: ocfgrafana
  password: "<%= prometheus_pass %>"
  GF_SERVER_ROOT_URL: "https://grafana.ocf.berkeley.edu"
I don't know what the established convention is here, though I have assumed Kubernetes secrets should be reserved for... things that are actually secret.

Grafana makes this even easier for us-- we don't have to use Kubernetes "Secrets" at all, since we can place passwords in individual files in the Puppet private share and point to them with GF_SETTINGNAME__FILE options (see GF_DATABASE_PASSWORD__FILE above for an example). I slightly prefer this because I think our templating code for secrets is a little weird (I don't like how it passes through Jenkins).

It's probably not a huge deal either way, though I'd recommend consolidating on one way instead of the awkward hybrid we have now.

Agree that non-secrets should just be specified in a configmap or directly in the pod template, not in a Secret resource. I don't think there is a problem with templates over files (in fact I like the templating system better, it's more clear what's going on).
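
One way to lay out the split both reviewers describe, as an added example that is not code from this PR or the ocf repository: only the real secret stays in the Secret, the non-secret setting moves to a ConfigMap, and the pod template wires both into Grafana. Resource names, the image, and the mapping of `password` onto `GF_DATABASE_PASSWORD` are assumptions; the `GF_*` variable names and the `<%= ... %>` template come from the thread.

```yaml
# Added example (not from the PR). Names marked "assumed" are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: ocf-grafana-secrets        # assumed name
type: Opaque
stringData:
  # Only material that is actually secret stays in the Secret.
  username: ocfgrafana
  password: "<%= prometheus_pass %>"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ocf-grafana-config         # assumed name
data:
  # Non-secret settings move out of the Secret into a ConfigMap.
  GF_SERVER_ROOT_URL: "https://grafana.ocf.berkeley.edu"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
spec:
  selector:
    matchLabels: {app: grafana}
  template:
    metadata:
      labels: {app: grafana}
    spec:
      containers:
        - name: grafana
          image: grafana/grafana   # assumed image
          # Every key of the ConfigMap becomes a GF_* environment variable.
          envFrom:
            - configMapRef: {name: ocf-grafana-config}
          env:
            # The secret is injected by reference, so the pod template itself
            # never carries the password. (The GF_DATABASE_PASSWORD__FILE form
            # mentioned in the review would instead point at a mounted file.)
            - name: GF_DATABASE_PASSWORD   # assumed target variable
              valueFrom:
                secretKeyRef: {name: ocf-grafana-secrets, key: password}
```

With this layout `kubectl get secret ocf-grafana-secrets -o yaml` shows only the credential, and the root URL can be read and changed without touching anything marked secret.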

@cg505 cg505 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to fix the grafana.yml in the private share to use the correct variable names before merging this. The changes to that file were breaking deploys for prod. https://irclogs.ocf.berkeley.edu/rebuild-spam/2020-04-22#454679;
