Add grafana-auth Kubernetes secret to handle pgsql connection for Grafana securely (#568)

* Adding grafana-auth db secret for grafana to connect to pgsql
* Added sslmode key to Helm helper function, for only grafana, but this conditional could be removed and `optional:true` added to allow this for other database connections
* Regenerated docs via scripts/helm-docs.sh

Author: marcleblanc2

charts/sourcegraph/README.md

@@ -119,6 +119,14 @@ In addition to the documented values, all services also support the following va
 | gitserver.serviceAccount.name | string | `""` | Name of the ServiceAccount to be created or an existing ServiceAccount |
 | gitserver.sshSecret | string | `""` | Name of existing Secret that contains SSH credentials to clone repositories. It usually contains keys, such as `id_rsa` (private key) and `known_hosts`. Learn more from [documentation](https://docs.sourcegraph.com/admin/install/kubernetes/helm#using-ssh-to-clone-repositories) |
 | gitserver.storageSize | string | `"200Gi"` | PVC Storage Request for `gitserver` data volume |
+| grafana.auth | object | `{"database":"","existingSecret":"","host":"","password":"","port":"","sslmode":"","user":""}` | NOTE: Create a separate user in the pgsql database with read-only perms on the minimum set of tables |
+| grafana.auth.database | string | `""` | Sets postgres database name |
+| grafana.auth.existingSecret | string | `""` | Name of existing secret to for Grafana to use to connect to the pgsql database The secret must contain the keys `user`, `password`, `database`, `host` and `port`. `auth.user`, `auth.password`, etc. are ignored if this is enabled |
+| grafana.auth.host | string | `""` | Sets postgres host |
+| grafana.auth.password | string | `""` | Sets postgres password |
+| grafana.auth.port | string | `""` | Sets postgres port |
+| grafana.auth.sslmode | string | `""` | Sets postgres sslmode |
+| grafana.auth.user | string | `""` | Sets postgres username |
 | grafana.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":472,"runAsUser":472}` | Security context for the `grafana` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | grafana.enabled | bool | `true` | Enable `grafana` dashboard (recommended) |
 | grafana.existingConfig | string | `""` | Name of existing ConfigMap for `grafana`. It must contain a `datasources.yml` key. |

charts/sourcegraph/templates/_helpers.tpl

@@ -211,6 +211,13 @@ app.kubernetes.io/name: jaeger
     secretKeyRef:
       key: user
       name: {{ $secretName }}
+{{- if eq $service "grafana" }}
+- name: {{ printf "%sSSLMODE" $prefix }}
+  valueFrom:
+    secretKeyRef:
+      key: sslmode
+      name: {{ $secretName }}
+{{- end }}
 {{- end }}
 
 {{- define "sourcegraph.dataSource" -}}

charts/sourcegraph/templates/grafana/grafana.ConfigMap.yaml

@@ -17,13 +17,13 @@ data:
         url: http://{{ default "jaeger-query" .Values.jaeger.query.name }}:16686/-/debug/jaeger
       - name: pgsql
         type: postgres
-        url: $PGHOST:$PGPORT
-        user: $PGGRAFANAUSER
-        database: $PGDATABASE
+        url: $GRAFANA_PGSQL_HOST:$GRAFANA_PGSQL_PORT
+        user: $GRAFANA_PGSQL_USER
+        database: $GRAFANA_PGSQL_DATABASE
         secureJsonData:
-          password: $PGGRAFANAPASSWORD
+          password: $GRAFANA_PGSQL_PASSWORD
         jsonData:
-          sslmode: $PGSSLMODE
+          sslmode: $GRAFANA_PGSQL_SSLMODE
 kind: ConfigMap
 metadata:
   labels:

charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml

@@ -52,6 +52,7 @@ spec:
         {{- end }}
         terminationMessagePolicy: FallbackToLogsOnError
         env:
+        {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
         {{- range $name, $item := .Values.grafana.env}}
         - name: {{ $name }}
           {{- $item | toYaml | nindent 10 }}

charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.grafana.name }}-auth
+  labels:
+    app: grafana
+    deploy: sourcegraph
+    app.kubernetes.io/component: grafana
+type: Opaque
+data:
+  database: {{ .Values.grafana.auth.database | toString | b64enc | quote }}
+  host: {{ .Values.grafana.auth.host | toString | b64enc | quote }}
+  password: {{ .Values.grafana.auth.password | toString | b64enc | quote }}
+  port: {{ .Values.grafana.auth.port | toString | b64enc | quote }}
+  sslmode: {{ .Values.grafana.auth.sslmode | toString | b64enc | quote }}
+  user: {{ .Values.grafana.auth.user | toString | b64enc | quote }}
+{{- end -}}

charts/sourcegraph/values.yaml

@@ -424,6 +424,25 @@ gitserver:
 grafana:
   # -- Enable `grafana` dashboard (recommended)
   enabled: true
+  # -- Sourcegraph Internal - Enable grafana to query pgsql database
+  # -- NOTE: Create a separate user in the pgsql database with read-only perms on the minimum set of tables
+  auth:
+    # -- Name of existing secret to for Grafana to use to connect to the pgsql database
+    # The secret must contain the keys `user`, `password`, `database`, `host` and `port`.
+    # `auth.user`, `auth.password`, etc. are ignored if this is enabled
+    existingSecret: ""
+    # -- Sets postgres database name
+    database: ""
+    # -- Sets postgres host
+    host: ""
+    # -- Sets postgres username
+    user: ""
+    # -- Sets postgres password
+    password: ""
+    # -- Sets postgres port
+    port: ""
+    # -- Sets postgres sslmode
+    sslmode: ""
   # -- Name of existing ConfigMap for `grafana`. It must contain a `datasources.yml` key.
   existingConfig: "" # Name of an existing configmap
   image: