Switch grafana secret to TF, update to new DB credentials

spack · Oct 23, 2024 · d4fe55a · d4fe55a
1 parent 0f4cd9b
commit d4fe55a
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 28 deletions.
diff --git a/k8s/production/prometheus/sealed-secrets.yaml b/k8s/production/prometheus/sealed-secrets.yaml
@@ -45,20 +45,6 @@ spec:
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
-metadata:
-  name: grafana-additional-datasources
-  namespace: monitoring
-spec:
-  encryptedData:
-    values.yaml: AgBbtbcr4NqaoAb/pV7X7uUJsHiLCD3mpSXutE0krEjzXlx/2iLTBxuq2G56BpOqX5Ytn7QfyhfvxWAlu2TB4bXqhjLsNQYlRXhOOiGklymfRSSqy9+L0w//Ei8lcEBNi1wYVWXpEzeNdiPWl+dhd3fiji+sPbXnq6JlZcCik7usZYIWvUTZX9hnMslgdduX0pDRoY1U6A5ho7CgZ0e25TZUXfpsM8f3Njb88H1gKEtSyDR/EfAosYtYJyYhyq/+zAIoiU5VXR9/HhnaqlZ0Su9ogfCSqSklAM1LCkUZp9tIw1/z5lZmvjaND1QHCqbV51OhNy1L1U9Y645APWvw9pMz/AASKm3OGAbFtzlaDQwPNCz/UQtC3Md3kX64prrbiolPQbfRjjVN8XKt7Pq9/hbu5I/dCgxX9IIT+IpGX2p9xfXH2U/QCWRA5N9UK9UKKFPoRYjkIspRE+y0Cp1Xk6rH0YT8A+aY0h/9zUzFXc46mtKfNwCZAS6W2uoO8ykzLnCRn5bPbCkeM1HrNjB3K82j6D5ZhNs0XaTJK/nfx0uoJVHXrSrn0s5ODaMNHegG8x5Tg5w5ToISS9lBjLIUtdGndBl/8zgr7TQRNTWEADCINk+acQ8qP+Pk2/c55W0lxRYk5IinecOxaS01OnmZjn2QvwZU5v01yfBM1+1dJj7eGPqXqzsD6k4xa5GyJIwedz7uE3gDUBV31AobFoJmspQPiaMyW5p2nbIvIfajhZ7T3UNHFNkVEiAdBoY6gnWIZABpRaFxfZZdpOeea6BAncGoF3dAKLiZqjbKgJOB4X7A5o/8AsjNHG/phx+LG0LkehudbJ0kcC+eFZqRLNUuyfHkhw1CIz0S3gV5a7HbiU1NHnKbFDhlXy6ySe8J3WBzJPhVHK5WFOhFtnpWC4dKe9upge7NS+yzUzPR/9mJvNLyT05pcWGFFPA7MyXSax3XX464gr3+R9FzFvqz+vnbbGZcuKroDZVpx/jut11/oedCh2hzy2uTX0TPXYnHlT2aNYodAdC3C2FR1C+1fReSQsr9aMoOtmos+eCS2kACt2C0qdWlO/4qozsBYL1C8fmwwXczypj8J451Q7d1nnPkMf6IlI8k+5TRD7MZ6PpdB+vk110WKbwBLAV4gE4V2qPz/Jb/11AEAE1WPIUIJWZgvO47hHqup5bULw3DFKfyJaC2z2kf+D7k+dWUAXYZrN2o6nOmSrz4FKxqRXGfFMBUs+xkvtlFYBvcWRmD95mns36a7PldyLw98PvAXeAuGroVxW/7ttHA5AiLo1We1iTysWvJtnQ8vn0X3cmUlmO4Z58UzizDVLjzzRpn+xuvfTLLZJiCsNvB6sB6ssyw3/93ESr/ZT3A86jwds82A2mCVAC9Bz8Lp21wTQ56pinWwI4M9iz6+9Hms1w7P4WhWcrYkHkJ1UwZNpwwckHIFzq3M8FLg/layiK5JVRxeJPHfpxUuTfXgEDw9t1ewkxbH8dv7vSolAEkxKnh9uNmVgwntpCYq9eyOo7zTeXa/YFdMLCYkmYL1IWAuacW/dvZ8JO4OFIZMR3PuFlIGHZXojca7mXbRic8yX/WEaFoW5zje5ZS/Qio7Dr/OwLgnKoePLOnRw8ilFUG3JL4HazpUcvd2uLgfVarrGDRaCrlovNKJZzINBTCs844FKh5OPMcm5BIIpIgY/EBGit2Q/7v2ie5Q4WYejDo3FVSnVqKpkvc045YgYVriN1/SIT5hBrDds3Sk7Cp/OsnMyk9WzDjQ2RoeNCablOkJ66WlUJtDQ4Vz/r4/1vSPRtg+11Nmk6FKyFRRTqOPjd969OUyLuopQEp4Si3Wsaa6YGRt9lzsQDNs91d8HKsZ1e41vf4MXOhChSGqpEHdS/L5UFRmbcxNRSN1Ru+/pH7lQrFjkVJ/bFcN+T8GXGJIWIgoaXqBTb8oYTFIOxvnE1ZZcw90HznaKyw0B1lvBy5bLEfi1whKAGzW4XSWlHPt/e+WTvcNzxnF2GfDJSIGdZu8umANLJ/HSuguu7OR7+MVFOfpPdYPdiuHaW20MB+Hsz7x0fKwKB438IqBciudB7k7nWBK4Nj+t3sNBJ+kJHWb7j/CuIJgETB7tvef1pgq4VZ2HFBZg3Se7bWpbPBIlLjvnziCubXKYgoyjmWb3YQQ5QUAhV259RtDek8ClRK1osA/O/wCPgeUpCSvefJjSgZXrgEKJJwvI4zCQbLtw3vPno3/GTpH6IrHufMeKqv+g==
-  template:
-    metadata:
-      annotations:
-        kustomize.toolkit.fluxcd.io/reconcile: disabled
-        sealedsecrets.bitnami.com/managed: "true"
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
 metadata:
   name: client-ca
   namespace: monitoring

diff --git a/k8s/staging/prometheus/sealed-secrets.yaml b/k8s/staging/prometheus/sealed-secrets.yaml
@@ -31,20 +31,6 @@ spec:
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
-metadata:
-  name: grafana-additional-datasources
-  namespace: monitoring
-spec:
-  encryptedData:
-    values.yaml: AgCSaYuqXhVDz2h8fC76d4SbWI/lDdzR2nrtGnY9ahGem60PoSEMzZngJvPv4A8hAYF5NMPzeqilOZmsTK4ITFaKuGsYNCi8lu3hL9ZMTIfKrZMyY7WDf5ehe15WCKF+uz0KN34uc88fVQL7CFGiCc4dtsCi8maljSW/0Vz0t4e3R6j6uq/3BUeagTBAVItNROLeByOl73nBNwQOPqedPhF4NNgiafTKlZ8qDmuPOUBE6wJRx2rUH0lSgcEEeNej35J+XgHWnU6CYhXK1/ctwAkJJZaGDzfdS5vcUvvstfN90pnaOkeOwAVdYLN1p6KKv3Lvo1O5Y8xqV9bcRz81eEZxUq5rEngDdObbou7aiVPb26k6lvVVMgKE/CkoNx3G3LHPEPW6Ij3OGRmz2+YZBX3VqR3Tq9PsT2GNvEbk1+J1LDmkB7IFfpMjfTvxChDmRXECOvimWBG0h9K54aQEyFO5woVelwcDGuHbLYxk9nF1KDLrNgyUEAcIcTbMFrH8E8YSAvmZKv1+RtmyNUob3e4eYQ6orgqOLfxEs6AtcWUrrkdU2YWAMVfXYX+2ZwPF3sCHRwrR3+QS7pA7aDuwR4UyyJ+4Vvf5SA6f9WZzLoZhdAN7vv3fMXgiaa4fYqmpZReTJWW4UPr4UrzHen/OTOJ/t48953X4bmP6qXD4ermqc0c9rFs+Q83kyOh8xJ8w70Nh/23Hs9nCotGzwZGtLg3YvzdswlzJaZET2g1AA1X/CKl94T0=
-  template:
-    metadata:
-      annotations:
-        kustomize.toolkit.fluxcd.io/reconcile: disabled
-        sealedsecrets.bitnami.com/managed: "true"
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
 metadata:
   name: oauth2-proxy
   namespace: monitoring

diff --git a/terraform/modules/spack_aws_k8s/prometheus.tf b/terraform/modules/spack_aws_k8s/prometheus.tf
@@ -0,0 +1,54 @@
+data "aws_secretsmanager_secret_version" "gitlab_db_ro_credentials" {
+  secret_id = "gitlab-${var.deployment_name}-readonly-credentials"
+}
+
+resource "kubectl_manifest" "prometheus_additional_datasources_secret" {
+  yaml_body = <<-YAML
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: grafana-additional-datasources
+      namespace: monitoring
+    stringData:
+      values.yaml: |-
+        grafana:
+          additionalDataSources:
+            - name: OpenSearch
+              editable: "false"
+              type: grafana-opensearch-datasource
+              url: "https://${aws_opensearch_domain.spack.endpoint}"
+              version: "1"
+              access: proxy
+              basicAuth: "true"
+              basicAuthUser: ${local.opensearch_master_user_name}
+              secureJsonData:
+                basicAuthPassword: "${random_password.opensearch_password.result}"
+              jsonData:
+                database: "gitlab-job-failures-*"
+                timeField: timestamp
+                flavor: opensearch
+                version: "1.3.0"
+            - name: PostgreSQL
+              type: postgres
+              access: proxy
+              url: ${module.gitlab_db.db_instance_address}
+              user: ${jsondecode(data.aws_secretsmanager_secret_version.gitlab_db_ro_credentials.secret_string)["username"]}
+              database: gitlabhq_production
+              secureJsonData:
+                password: "${jsondecode(data.aws_secretsmanager_secret_version.gitlab_db_ro_credentials.secret_string)["password"]}"
+              jsonData:
+                postgresVersion: 14
+            - name: AnalyticsDB
+              type: postgres
+              uid: XCh6DDkSz
+              access: proxy
+              url: ${module.analytics_db.db_instance_address}
+              user: postgres
+              database: analytics
+              secureJsonData:
+                password: "${random_password.analytics_db_password.result}"
+              jsonData:
+                postgresVersion: 15
+
+  YAML
+}