feat(lmlogs): user defined secret support for lmlogs (#541)

choudharypooja · web-flow · commit b38231d25cff · 2025-11-26T12:04:39.000+05:30
* feat(lmlogs): userDefinedSecret support for lmlogs

* feat(lmlogs): incrementing the chart version for logs

* feat(lmlogs): minor changes for adding chart validations

* feat(lmlogs): fixing linting error

* feat(lmlogs): lint validation fixes

* feat(lmlogs): adding default value for authMode and reerting image tag
diff --git a/charts/lm-logs/Chart.yaml b/charts/lm-logs/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for sending k8s logs to Logic Monitor
 name: lm-logs
-version: 0.8.0-rc01
+version: 0.9.0-rc01
 maintainers:
   - email: dev@logicmonitor.com
     name: LogicMonitor
diff --git a/charts/lm-logs/README.md b/charts/lm-logs/README.md
@@ -16,6 +16,20 @@ helm install -n <namespace> \
 lm-logs logicmonitor/lm-logs
 ```
 
+Install the lm-logs chart using a user defined secret for LM credentials.
+
+``` console
+# For LMv1
+helm install lm-logs logicmonitor/lm-logs -n <namespace> \
+  --set global.userDefinedSecret=lm-logs-credentials \
+  --set authMode=lmv1
+
+# For Bearer
+helm install lm-logs logicmonitor/lm-logs -n <namespace> \
+  --set global.userDefinedSecret=lm-logs-credentials \
+  --set authMode=bearer
+```
+
 #### Parameters
 The following tables lists the configurable parameters of the lm-logs chart and their default values.
 | Parameter                   | Description                                     | Default                                                 |
@@ -24,9 +38,11 @@ The following tables lists the configurable parameters of the lm-logs chart and
 | `global.nameOverride`       | Global storage class for dynamic provisioning   | `""`                                                    |
 | `global.fullnameOverride`   | Global storage class for dynamic provisioning   | `""`                                                    |
 | `global.lm_company_name`    | LogicMonitor account name                       | `nil`                                                   |
-| `global.lm_company_domain`  | LogicMonitor company domain name                | `logicmonitor.com`                                                   |
+| `global.userDefinedSecret`  | User Defined Secret for LM credentials          | `""`                                                    |
+| `global.lm_company_domain`  | LogicMonitor company domain name                | `logicmonitor.com`                                      |
 | `global.lm_access_id`       | LogicMonitor API Token Access ID                | `nil`                                                   |
 | `global.lm_access_key`      | LogicMonitor API Token Access Key               | `nil`                                                   |
+| `authMode`                  | Mode to use for authenticating requests sent to LM. Can we lmv1/bearer  | `lmv1`                          |
 | `image.repository`          | Container image repository                      | `logicmonitor/lm-logs-k8s-fluentd`                      |
 | `image.pullPolicy`          | Container image pull policy                     | `IfNotPresent`                                          |
 | `image.tag`                 | Container image tag                             | `""`                                                    |
@@ -61,6 +77,14 @@ For descriptions see: https://github.com/fabric8io/fluent-plugin-kubernetes_meta
 * FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL
 * FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA
 
+#### User Defined Secret for LM credentials
+You can create a kubernetes secret with your LM credentials and pass the secret name to the chart.
+The secret must contain the following keys:
+- account
+- accessID
+- accessKey
+- bearerToken (if accessKey/accessID is not present in the secret)
+Also, the authMode needs to be set accordingly. If the secret contains accessID/accessKey, authMode should be set to lmv1, otherwise bearer (similarly it should be set for the configurable parameters).
 #### New deviceless logs k8s integration (beta)
 Note: This feature may not be available to all customers.
 To enable this feature set `fluent.device_less_logs=true`
diff --git a/charts/lm-logs/ci/base-sanity-values.yaml b/charts/lm-logs/ci/base-sanity-values.yaml
@@ -1,3 +1,8 @@
 lm_company_name: "dummy_company"
 lm_access_id: "dummy_id"
 lm_access_key: "dummy_key"
+authMode: "lmv1"
+global:
+  account: "dummyaccount"
+  accessID: "dummyid"
+  accessKey: "dummykey"
diff --git a/charts/lm-logs/templates/_helpers.tpl b/charts/lm-logs/templates/_helpers.tpl
@@ -23,6 +23,111 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+
+{{/*
+Did the user set global.userDefinedSecret?
+*/}}
+{{- define "lm-logs.userSecretSet" -}}
+{{- if .Values.global.userDefinedSecret }}true{{ end -}}
+{{- end -}}
+
+{{/*
+Return the credentials Secret name:
+- If global.userDefinedSecret is provided, use that.
+- Otherwise fall back to <fullname>-creds.
+*/}}
+{{- define "lm-logs.credsSecretName" -}}
+{{- if .Values.global.userDefinedSecret -}}
+{{- .Values.global.userDefinedSecret -}}
+{{- else -}}
+{{- printf "%s-creds" (include "fluentd.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/* True if we have any creds in any source (used by template fail-guard) */}}
+{{- define "lm-logs.credsProvided" -}}
+{{- $uds := default "" .Values.global.userDefinedSecret -}}
+{{- $ga := default "" .Values.global.accessID -}}
+{{- $gk := default "" .Values.global.accessKey -}}
+{{- $va := default "" .Values.lm_access_id -}}
+{{- $vk := default "" .Values.lm_access_key -}}
+{{- $vb := default "" .Values.lm_bearer_token -}}
+{{- if or (ne $uds "")
+          (and (ne $ga "") (ne $gk ""))
+          (and (ne $va "") (ne $vk ""))
+          (ne $vb "") -}}true{{- end -}}
+{{- end -}}
+
+{{/*
+Emit a secretKeyRef block given a key name.
+Usage:
+  {{ include "lm-logs.secretKeyRef" (dict "ctx" . "key" "bearerToken") | nindent 10 }}
+*/}}
+{{- define "lm-logs.secretKeyRef" -}}
+name: {{ include "lm-logs.credsSecretName" .ctx }}
+key: {{ .key }}
+optional: true
+{{- end -}}
+
+{{/* Validate credentials + account at render time */}}
+{{- define "lm-logs.assertInputs" -}}
+{{- $ns := .Release.Namespace -}}
+{{- $mode := default "" .Values.authMode -}}
+{{- $uds  := default "" .Values.global.userDefinedSecret -}}
+
+{{- /* Fetch Secret if configured */ -}}
+{{- $sec := dict -}}
+{{- if ne $uds "" -}}
+  {{- $sec = lookup "v1" "Secret" $ns $uds | default dict -}}
+  {{- if not $sec }}
+    {{- fail (printf "global.userDefinedSecret=%q not found in namespace %q" $uds $ns) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- /* Helper: what keys exist in Secret? */ -}}
+{{- $hasSecKey := (and (ne $uds "")
+                        $sec.data
+                        (kindIs "map" $sec.data)) -}}
+{{- $secHas := dict -}}
+{{- if $hasSecKey -}}
+  {{- $_ := set $secHas "account"     (hasKey $sec.data "account") -}}
+  {{- $_ := set $secHas "accessID"    (hasKey $sec.data "accessID") -}}
+  {{- $_ := set $secHas "accessKey"   (hasKey $sec.data "accessKey") -}}
+  {{- $_ := set $secHas "bearerToken" (hasKey $sec.data "bearerToken") -}}
+{{- end -}}
+
+{{- /* 1) Enforce account name presence (values OR global OR Secret) */ -}}
+{{- $hasAccount := or
+      (ne (default "" .Values.lm_company_name) "")
+      (ne (default "" .Values.global.account) "")
+      (and (ne $uds "") ($secHas.account | default false)) -}}
+{{- if not $hasAccount -}}
+  {{- fail "Account name missing: set lm_company_name or global.account, or provide Secret with key 'account' via global.userDefinedSecret." -}}
+{{- end -}}
+
+{{- /* 2) Enforce credentials per authMode */ -}}
+{{- if eq $mode "lmv1" -}}
+  {{- $haslmv1FromSecret := and (ne $uds "") ($secHas.accessID | default false) ($secHas.accessKey | default false) -}}
+  {{- $haslmv1FromGlobal := and (ne (default "" .Values.global.accessID) "")
+                                (ne (default "" .Values.global.accessKey) "") -}}
+  {{- $haslmv1FromValues := and (ne (default "" .Values.lm_access_id) "")
+                                (ne (default "" .Values.lm_access_key) "") -}}
+  {{- if not (or $haslmv1FromSecret $haslmv1FromGlobal $haslmv1FromValues) -}}
+    {{- fail "LM v1 auth selected (authMode=lmv1) but no lmv1 found. Provide either: Secret with 'accessID'+'accessKey', or global.accessID+global.accessKey, or lm_access_id+lm_access_key." -}}
+  {{- end -}}
+
+{{- else if eq $mode "bearer" -}}
+  {{- $hasBearerFromSecret := and (ne $uds "") ($secHas.bearerToken | default false) -}}
+  {{- $hasBearerFromValues := ne (default "" .Values.lm_bearer_token) "" -}}
+  {{- if not (or $hasBearerFromSecret $hasBearerFromValues) -}}
+    {{- fail "Bearer auth selected (authMode=bearer) but no token found. Provide either: Secret with 'bearerToken' or lm_bearer_token in values." -}}
+  {{- end -}}
+
+{{- else -}}
+  {{- fail "authMode must be 'lmv1' or 'bearer'." -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Adding validations for clustername for lm-logs to contain only lower alphanumeric or '-' and start and end with an alphanumeric character
 */}}
@@ -43,7 +148,8 @@ kubernetes.cluster_name {{ $cluster }}
 {{- end }}
 
 {{/*
-User-agent for log-ingest requests */}}
+User-agent for log-ingest requests
+*/}}
 {{- define "logsource.userAgent" -}}
 {{- $cluster := "" -}}
 {{- if .Values.kubernetes.cluster_name -}}
@@ -131,24 +237,71 @@ Return the appropriate apiVersion for rbac.
 "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 {{- end -}}
 
+{{/*
+Emit auth lines. If .Values.authMode is set, honor it; else use auto priority.
+Auto priority: Secret(lmv1) → global lmv1 → values lmv1 → values bearer
+*/}}
+{{- define "lm-logs.authBlock" -}}
+{{- $mode := default "" .Values.authMode -}}
+{{- $uds := default "" .Values.global.userDefinedSecret -}}
+{{- $ga := default "" .Values.global.accessID -}}
+{{- $gk := default "" .Values.global.accessKey -}}
+{{- $va := default "" .Values.lm_access_id -}}
+{{- $vk := default "" .Values.lm_access_key -}}
+{{- $vb := default "" .Values.lm_bearer_token -}}
+
+{{- if eq $mode "lmv1" -}}
+  {{- if ne $uds "" -}}
+access_id "#{ENV['LM_ACCESS_ID']}"
+access_key "#{ENV['LM_ACCESS_KEY']}"
+  {{- else if and (ne $ga "") (ne $gk "") -}}
+access_id {{ $ga | quote }}
+access_key {{ $gk | quote }}
+  {{- else if and (ne $va "") (ne $vk "") -}}
+access_id {{ $va | quote }}
+access_key {{ $vk | quote }}
+  {{- end -}}
+
+{{- else if eq $mode "bearer" -}}
+  {{- if ne $uds "" -}}
+bearer_token "#{ENV['LM_BEARER_TOKEN']}"
+  {{- else if ne $vb "" -}}
+bearer_token {{ $vb | quote }}
+  {{- end -}}
+
+{{- else -}}
+  {{- if ne $uds "" -}}
+access_id "#{ENV['LM_ACCESS_ID']}"
+access_key "#{ENV['LM_ACCESS_KEY']}"
+  {{- else if and (ne $ga "") (ne $gk "") -}}
+access_id {{ $ga | quote }}
+access_key {{ $gk | quote }}
+  {{- else if and (ne $va "") (ne $vk "") -}}
+access_id {{ $va | quote }}
+access_key {{ $vk | quote }}
+  {{- else if ne $vb "" -}}
+bearer_token {{ $vb | quote }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Fluentd <match> block with company_name priority:
+ENV['LM_ACCOUNT'] → global.account → lm_company_name
+*/}}
 {{- define "fluentd.lmMatch" -}}
 <match {{ .tag }}>
   @type lm
-  company_name {{ if .context.Values.lm_company_name }}{{ .context.Values.lm_company_name }}{{ else }}{{ required "A valid .Values.lm_company_name or .Values.global.account entry is required!" .context.Values.global.account }}{{ end }}
+  {{ $fb := .context.Values.global.account | default .context.Values.lm_company_name | default "" }}
+  company_name "#{ENV['LM_ACCOUNT'].to_s != '' ? ENV['LM_ACCOUNT'] : '{{ $fb }}'}"
   company_domain {{ .context.Values.lm_company_domain | default .context.Values.global.companyDomain | default "logicmonitor.com" }}
   resource_mapping '{{ .resource_mapping }}'
-  resource_type {{ .context.Values.fluent.resource_type | default "" }}
-  {{- if and (or .context.Values.lm_access_id .context.Values.global.accessID) (or .context.Values.lm_access_key .context.Values.global.accessKey) }}
-  access_id {{ .context.Values.lm_access_id | default .context.Values.global.accessID }}
-  access_key {{ .context.Values.lm_access_key | default .context.Values.global.accessKey }}
-  {{- else if .context.Values.lm_bearer_token }}
-  bearer_token {{ .context.Values.lm_bearer_token }}
-  {{- else }}
-  {{ required "Either specify valid lm_access_id and lm_access_key both or lm_bearer_token for authentication with LogicMonitor." .context.Values.lm_bearer_token }}
-  {{- end }}
+  resource_type {{ .context.Values.fluent.resource_type | default "k8s" }}
+{{ include "lm-logs.authBlock" .context | nindent 2 }}
+
   debug false
   compression gzip
-  {{ include "logsource.userAgent" .context | nindent 8 }}
+  {{ include "logsource.userAgent" .context }}
   include_metadata {{ hasKey .context.Values.fluent "include_metadata" | ternary .context.Values.fluent.include_metadata true }}
   device_less_logs {{ .context.Values.fluent.device_less_logs | default false }}
   <buffer>
diff --git a/charts/lm-logs/templates/configmap.yaml b/charts/lm-logs/templates/configmap.yaml
@@ -1,3 +1,8 @@
+{{- /* Accept any of: userDefinedSecret, bearerToken value, or id+key values */ -}}
+{{- if not (include "lm-logs.credsProvided" .) -}}
+{{- fail "Provide credentials via Secret (global.userDefinedSecret) or via global.* / lm_* values." -}}
+{{- end -}}
+{{- include "lm-logs.assertInputs" . -}}
 kind: ConfigMap
 apiVersion: v1
 metadata:
diff --git a/charts/lm-logs/templates/deamonset.yaml b/charts/lm-logs/templates/deamonset.yaml
@@ -31,9 +31,25 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            {{ if gt (.Values.env | len) 0 }}
-            {{ include "ds-env" . | nindent 12 }}
-            {{ end }}
+            {{- if gt (len .Values.env) 0 }}
+            {{- include "ds-env" . | nindent 12 }}
+            {{- end }}
+            - name: LM_ACCOUNT
+              valueFrom:
+                secretKeyRef:
+                  {{- include "lm-logs.secretKeyRef" (dict "ctx" . "key" "account") | nindent 18 }}
+            - name: LM_ACCESS_ID
+              valueFrom:
+                secretKeyRef:
+                  {{- include "lm-logs.secretKeyRef" (dict "ctx" . "key" "accessID") | nindent 18 }}
+            - name: LM_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  {{- include "lm-logs.secretKeyRef" (dict "ctx" . "key" "accessKey") | nindent 18 }}
+            - name: LM_BEARER_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  {{- include "lm-logs.secretKeyRef" (dict "ctx" . "key" "bearerToken") | nindent 18 }}
           imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/lm-logs/values.schema.json b/charts/lm-logs/values.schema.json
@@ -165,6 +165,15 @@
             ""
           ],
           "$comment": "ui:clusterName-ignore tf:"
+        },
+        "userDefinedSecret": {
+          "type": "string",
+          "title": "Existing Kubernetes Secret name",
+          "description": "Name of a Secret that contains credentials for lm-logs. Expected keys: 'account' and either ('accessID' + 'accessKey') or 'bearerToken'.",
+          "default": "",
+          "examples": [
+            "lm-logs-credentials"
+          ]
         }
       }
     },
@@ -427,13 +436,67 @@
       "type": "boolean",
       "default": true,
       "description": "If true and no custom systemd.conf is provided, a default configuration for systemd will be injected. If false, systemd will be disabled regardless of conf."
+    },
+    "authMode": {
+      "description": "If bearer then will use bearerToken if set, if lmv1 will use accessID/accessKey if set.",
+      "oneOf": [
+        { "enum": ["bearer", "lmv1"] },
+        { "type": "string", "maxLength": 0 }
+      ]
     }
   },
   "additionalProperties": false,
-  "required": [
-    "lm_access_id",
-    "lm_access_key",
-    "lm_company_name"
+
+  "required": ["authMode"],
+
+  "allOf": [
+    {
+      "anyOf": [
+        { "required": ["lm_bearer_token"] },
+        { "required": ["lm_access_id", "lm_access_key"] },
+        {
+          "required": ["global"],
+          "properties": {
+            "global": {
+              "type": "object",
+              "required": ["userDefinedSecret"]
+            }
+          }
+        },
+        {
+          "required": ["global"],
+          "properties": {
+            "global": {
+              "type": "object",
+              "required": ["accessID", "accessKey"]
+            }
+          }
+        }
+      ]
+    },
+    {
+      "anyOf": [
+        { "required": ["lm_company_name"] },
+        {
+          "required": ["global"],
+          "properties": {
+            "global": {
+              "type": "object",
+              "required": ["account"]
+            }
+          }
+        },
+        {
+          "required": ["global"],
+          "properties": {
+            "global": {
+              "type": "object",
+              "required": ["userDefinedSecret"]
+            }
+          }
+        }
+      ]
+    }
   ],
   "definitions": {
     "io.k8s.apimachinery.pkg.api.resource.Quantity": {
diff --git a/charts/lm-logs/values.yaml b/charts/lm-logs/values.yaml
