[influxdb] set default user without job (#450)

95ab8820 · alespour · GitHub · ba3a97d5 · 95ab8820 · 95ab8820
Unverified Commit 95ab8820 authored Mar 30, 2022 by alespour Committed by GitHub Mar 30, 2022
7 changed files
--- a/charts/influxdb/Chart.yaml
+++ b/charts/influxdb/Chart.yaml
 apiVersion: v1
 name: influxdb
-version: 4.10.6
+version: 4.10.7
 appVersion: 1.8.10
 description: Scalable datastore for metrics, events, and real-time analytics.
 keywords:

--- a/charts/influxdb/README.md
+++ b/charts/influxdb/README.md
@@ -192,11 +192,9 @@ If persistence is enabled, a [Persistent Volume](http://kubernetes.io/docs/user-

 In `values.yaml`, change `.Values.config.http.auth-enabled` to `true`.

-> **Note:** To enforce authentication, InfluxDB requires an admin user to be set up. For details, see [Set up authentication](https://docs.influxdata.com/influxdb/v1.2/query_language/authentication_and_authorization/#set-up-authentication).
+To handle this set up during startup, set `.Values.setDefaultUser.enabled` to `true`.

-To handle this set up during startup, enable a job in `values.yaml` by setting `.Values.setDefaultUser.enabled` to `true`.
-
-Make sure to uncomment or configure the job settings after enabling it. If a password is not set, a random password will be generated.
+Make sure to uncomment or configure default user settings after enabling it. If a password is not set, a random password will be generated.

 Alternatively, if `.Values.setDefaultUser.user.existingSecret` is set the user and password are obtained from an existing Secret, the expected keys are `influxdb-user` and `influxdb-password`. Use this variable if you need to check in the `values.yaml` in a repository to avoid exposing your secrets.


--- a/charts/influxdb/ci/auth-init-script-values.yaml
+++ b/charts/influxdb/ci/auth-init-script-values.yaml
+config:
+  http:
+    auth-enabled: true
+
+setDefaultUser:
+  enabled: true
+
+initScripts:
+  enabled: true
+  scripts:
+    init.iql: |+
+      CREATE DATABASE "telegraf" WITH DURATION 30d REPLICATION 1 NAME "rp_30d"
+      CREATE DATABASE "iot" WITH DURATION 7d REPLICATION 1 NAME "rp_7d"
--- a/charts/influxdb/ci/default-values.yaml
+++ b/charts/influxdb/ci/default-values.yaml
+# Default values only, no overrides
--- a/charts/influxdb/templates/post-install-set-auth.yaml
+++ b/charts/influxdb/templates/post-install-set-auth.yaml
-{{- if .Values.setDefaultUser.enabled -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "influxdb.fullname" . }}-set-auth
-  labels:
-    {{- include "influxdb.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install
-    "helm.sh/hook-delete-policy": {{ .Values.setDefaultUser.hookDeletePolicy }}
-spec:
-  activeDeadlineSeconds: {{ .Values.setDefaultUser.activeDeadlineSeconds }}
-  backoffLimit: {{ .Values.setDefaultUser.backoffLimit }}
-  template:
-    metadata:
-      labels:
-        {{- include "influxdb.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-      - name: {{ include "influxdb.fullname" . }}-set-auth
-        image: "{{ .Values.setDefaultUser.image }}"
-        env:
-          - name: INFLUXDB_USER
-            valueFrom:
-              secretKeyRef:
-                {{- if .Values.setDefaultUser.user.existingSecret }}
-                name: {{ .Values.setDefaultUser.user.existingSecret -}}
-                {{ else }}
-                name: {{ include "influxdb.fullname" . }}-auth
-                {{- end }}
-                key: influxdb-user
-          - name: INFLUXDB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                {{- if .Values.setDefaultUser.user.existingSecret }}
-                name: {{ .Values.setDefaultUser.user.existingSecret -}}
-                {{ else }}
-                name: {{ include "influxdb.fullname" . }}-auth
-                {{- end }}
-                key: influxdb-password
-        args:
-          - "/bin/sh"
-          - "-c"
-          - |
-             curl -X POST http://{{ include "influxdb.fullname" . }}:{{ .Values.config.http.bind_address | default 8086 }}/query \
-             --data-urlencode \
-             "q=CREATE USER \"${INFLUXDB_USER}\" WITH PASSWORD '${INFLUXDB_PASSWORD}' {{ .Values.setDefaultUser.user.privileges }}"
-      restartPolicy: {{ .Values.setDefaultUser.restartPolicy }}
-{{- end -}}
--- a/charts/influxdb/templates/statefulset.yaml
+++ b/charts/influxdb/templates/statefulset.yaml
@@ -56,8 +56,10 @@ spec:
      - name: {{ include "influxdb.fullname" . }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+        {{- if .Values.resources }}
        resources:
 {{ toYaml .Values.resources | indent 10 }}
+        {{- end }}
        ports:
        - name: api
          containerPort: {{ .Values.config.http.bind_address | default 8086 }}
@@ -85,13 +87,35 @@ spec:
        - name: meta
          containerPort: {{ .Values.config.meta.bind_address | default 8091 }}
        {{- end }}
-        {{- if .Values.env }}
+        {{- if or .Values.env .Values.setDefaultUser.enabled }}
        env:
+        {{- if .Values.env }}
 {{ toYaml .Values.env | indent 10 }}
+        {{- end }}
        {{- if .Values.enterprise.enabled }}
          - name: INFLUXDB_HOSTNAME # Values.env's HOSTNAME isn't fundamentally different from $HOSTNAME, but this way weg get a distinguished name at runtime.
            value: "$(_HOSTNAME).{{ include "influxdb.fullname" . }}"
        {{- end }}
+        {{- if .Values.setDefaultUser.enabled }}
+          - name: INFLUXDB_ADMIN_USER
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.setDefaultUser.user.existingSecret }}
+                name: {{ .Values.setDefaultUser.user.existingSecret -}}
+                {{ else }}
+                name: {{ include "influxdb.fullname" . }}-auth
+                {{- end }}
+                key: influxdb-user
+          - name: INFLUXDB_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.setDefaultUser.user.existingSecret }}
+                name: {{ .Values.setDefaultUser.user.existingSecret -}}
+                {{ else }}
+                name: {{ include "influxdb.fullname" . }}-auth
+                {{- end }}
+                key: influxdb-password
+        {{- end }}
        {{- end }}
        {{- if .Values.envFromSecret }}
        envFrom:

--- a/charts/influxdb/values.yaml
+++ b/charts/influxdb/values.yaml
@@ -98,38 +98,11 @@ enterprise:
  #      memory: 1Gi
  #      cpu: 4

-## Create default user through Kubernetes job
-## Defaults indicated below
+## Set default user
 ##
 setDefaultUser:
  enabled: false
-
-  ## Image of the container used for job
-  ## Default: appropriate/curl:latest
-  ##
-  image: appropriate/curl:latest
-
-  ## Deadline for job so it does not retry forever.
-  ## Default: activeDeadline: 300
-  ##
-  activeDeadline: 300
-
-  ## Specify the number of retries before considering job as failed.
-  ## https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#pod-backoff-failure-policy
-  ##
-  backoffLimit: 6
-
-  ## Hook delete policy for helm.
-  ## Default: hookDeletePolicy: hook-succeeded
-  ##
-  hookDeletePolicy: hook-succeeded
-
-  ## Restart policy for job
-  ## Default: OnFailure
-  restartPolicy: OnFailure
-
  user:
-
    ## The user name
    ## Default: "admin"
    username: "admin"
@@ -144,10 +117,6 @@ setDefaultUser:
    ## If set, the username and password values above are ignored.
    # existingSecret: influxdb-auth

-    ## User privileges
-    ## Default: "WITH ALL PRIVILEGES"
-    privileges: "WITH ALL PRIVILEGES"
-
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources: {}