Adding optional sslmode to db secrets, adding grafana-auth db secret to connect to pgsql

Author: marcleblanc2

charts/sourcegraph/templates/_helpers.tpl

@@ -211,6 +211,12 @@ app.kubernetes.io/name: jaeger
     secretKeyRef:
       key: user
       name: {{ $secretName }}
+- name: {{ printf "%sSSLMODE" $prefix }}
+  valueFrom:
+    secretKeyRef:
+      key: sslmode
+      name: {{ $secretName }}
+      optional: true
 {{- end }}
 
 {{- define "sourcegraph.dataSource" -}}

charts/sourcegraph/templates/grafana/grafana.ConfigMap.yaml

@@ -17,13 +17,13 @@ data:
         url: http://{{ default "jaeger-query" .Values.jaeger.query.name }}:16686/-/debug/jaeger
       - name: pgsql
         type: postgres
-        url: $PGHOST:$PGPORT
-        user: $PGGRAFANAUSER
-        database: $PGDATABASE
+        url: $GRAFANA_PGSQL_HOST:$GRAFANA_PGSQL_PORT
+        user: $GRAFANA_PGSQL_USER
+        database: $GRAFANA_PGSQL_DATABASE
         secureJsonData:
-          password: $PGGRAFANAPASSWORD
+          password: $GRAFANA_PGSQL_PASSWORD
         jsonData:
-          sslmode: $PGSSLMODE
+          sslmode: $GRAFANA_PGSQL_SSLMODE
 kind: ConfigMap
 metadata:
   labels:

charts/sourcegraph/templates/grafana/grafana.StatefulSet.yaml

@@ -53,6 +53,7 @@ spec:
         terminationMessagePolicy: FallbackToLogsOnError
         env:
         {{- range $name, $item := .Values.grafana.env}}
+        {{- include "sourcegraph.databaseAuth" (list . "grafana" "GRAFANA_PGSQL_") | nindent 8 }}
         - name: {{ $name }}
           {{- $item | toYaml | nindent 10 }}
         {{- end }}

charts/sourcegraph/templates/grafana/grafana.pgsql.Secret.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.grafana.auth (not .Values.grafana.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.grafana.name }}-auth
+  labels:
+    app: grafana
+    deploy: sourcegraph
+    app.kubernetes.io/component: grafana
+type: Opaque
+data:
+  database: {{ .Values.grafana.auth.database | toString | b64enc | quote }}
+  host: {{ .Values.grafana.auth.host | toString | b64enc | quote }}
+  password: {{ .Values.grafana.auth.password | toString | b64enc | quote }}
+  port: {{ .Values.grafana.auth.port | toString | b64enc | quote }}
+  sslmode: {{ .Values.grafana.auth.sslmode | toString | b64enc | quote }}
+  user: {{ .Values.grafana.auth.user | toString | b64enc | quote }}
+{{- end -}}

charts/sourcegraph/values.yaml

@@ -424,6 +424,25 @@ gitserver:
 grafana:
   # -- Enable `grafana` dashboard (recommended)
   enabled: true
+  # -- Sourcegraph Internal - Enable grafana to query pgsql database
+  # -- NOTE: Create a separate user in the pgsql database with read-only perms on the minimum set of tables
+  auth:
+    # -- Name of existing secret to for Grafana to use to connect to the pgsql database
+    # The secret must contain the keys `user`, `password`, `database`, `host` and `port`.
+    # `auth.user`, `auth.password`, etc. are ignored if this is enabled
+    existingSecret: ""
+    # -- Sets postgres database name
+    database: ""
+    # -- Sets postgres host
+    host: ""
+    # -- Sets postgres username
+    user: ""
+    # -- Sets postgres password
+    password: ""
+    # -- Sets postgres port
+    port: ""
+    # -- Sets postgres sslmode
+    sslmode: ""
   # -- Name of existing ConfigMap for `grafana`. It must contain a `datasources.yml` key.
   existingConfig: "" # Name of an existing configmap
   image: