From 95ab88203736ecb72994ef57f41cd2d32e62edcf Mon Sep 17 00:00:00 2001
From: alespour <42931850+alespour@users.noreply.github.com>
Date: Wed, 30 Mar 2022 10:50:21 +0200
Subject: [PATCH] [influxdb] set default user without job (#450)

---
 charts/influxdb/Chart.yaml                    |  2 +-
 charts/influxdb/README.md                     |  6 +--
 .../influxdb/ci/auth-init-script-values.yaml  | 13 +++++
 charts/influxdb/ci/default-values.yaml        |  1 +
 .../templates/post-install-set-auth.yaml      | 49 -------------------
 charts/influxdb/templates/statefulset.yaml    | 26 +++++++++-
 charts/influxdb/values.yaml                   | 33 +------------
 7 files changed, 43 insertions(+), 87 deletions(-)
 create mode 100644 charts/influxdb/ci/auth-init-script-values.yaml
 create mode 100644 charts/influxdb/ci/default-values.yaml
 delete mode 100644 charts/influxdb/templates/post-install-set-auth.yaml

diff --git a/charts/influxdb/Chart.yaml b/charts/influxdb/Chart.yaml
index 26ff1ed..eb55093 100755
--- a/charts/influxdb/Chart.yaml
+++ b/charts/influxdb/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: influxdb
-version: 4.10.6
+version: 4.10.7
 appVersion: 1.8.10
 description: Scalable datastore for metrics, events, and real-time analytics.
 keywords:
diff --git a/charts/influxdb/README.md b/charts/influxdb/README.md
index a34de74..de8b5b6 100644
--- a/charts/influxdb/README.md
+++ b/charts/influxdb/README.md
@@ -192,11 +192,9 @@ If persistence is enabled, a [Persistent Volume](http://kubernetes.io/docs/user-
 
 In `values.yaml`, change `.Values.config.http.auth-enabled` to `true`.
 
-> **Note:** To enforce authentication, InfluxDB requires an admin user to be set up. For details, see [Set up authentication](https://docs.influxdata.com/influxdb/v1.2/query_language/authentication_and_authorization/#set-up-authentication).
+To handle this set up during startup, set `.Values.setDefaultUser.enabled` to `true`.
 
-To handle this set up during startup, enable a job in `values.yaml` by setting `.Values.setDefaultUser.enabled` to `true`.
-
-Make sure to uncomment or configure the job settings after enabling it. If a password is not set, a random password will be generated.
+Make sure to uncomment or configure default user settings after enabling it. If a password is not set, a random password will be generated.
 
 Alternatively, if `.Values.setDefaultUser.user.existingSecret` is set the user and password are obtained from an existing Secret, the expected keys are `influxdb-user` and `influxdb-password`. Use this variable if you need to check in the `values.yaml` in a repository to avoid exposing your secrets.
 
diff --git a/charts/influxdb/ci/auth-init-script-values.yaml b/charts/influxdb/ci/auth-init-script-values.yaml
new file mode 100644
index 0000000..dc6de5f
--- /dev/null
+++ b/charts/influxdb/ci/auth-init-script-values.yaml
@@ -0,0 +1,13 @@
+config:
+  http:
+    auth-enabled: true
+
+setDefaultUser:
+  enabled: true
+
+initScripts:
+  enabled: true
+  scripts:
+    init.iql: |+
+      CREATE DATABASE "telegraf" WITH DURATION 30d REPLICATION 1 NAME "rp_30d"
+      CREATE DATABASE "iot" WITH DURATION 7d REPLICATION 1 NAME "rp_7d"
diff --git a/charts/influxdb/ci/default-values.yaml b/charts/influxdb/ci/default-values.yaml
new file mode 100644
index 0000000..986b68f
--- /dev/null
+++ b/charts/influxdb/ci/default-values.yaml
@@ -0,0 +1 @@
+# Default values only, no overrides
diff --git a/charts/influxdb/templates/post-install-set-auth.yaml b/charts/influxdb/templates/post-install-set-auth.yaml
deleted file mode 100644
index aa77667..0000000
--- a/charts/influxdb/templates/post-install-set-auth.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{- if .Values.setDefaultUser.enabled -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "influxdb.fullname" . }}-set-auth
-  labels:
-    {{- include "influxdb.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install
-    "helm.sh/hook-delete-policy": {{ .Values.setDefaultUser.hookDeletePolicy }}
-spec:
-  activeDeadlineSeconds: {{ .Values.setDefaultUser.activeDeadlineSeconds }}
-  backoffLimit: {{ .Values.setDefaultUser.backoffLimit }}
-  template:
-    metadata:
-      labels:
-        {{- include "influxdb.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-      - name: {{ include "influxdb.fullname" . }}-set-auth
-        image: "{{ .Values.setDefaultUser.image }}"
-        env:
-          - name: INFLUXDB_USER
-            valueFrom:
-              secretKeyRef:
-                {{- if .Values.setDefaultUser.user.existingSecret }}
-                name: {{ .Values.setDefaultUser.user.existingSecret -}}
-                {{ else }}
-                name: {{ include "influxdb.fullname" . }}-auth
-                {{- end }}
-                key: influxdb-user
-          - name: INFLUXDB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                {{- if .Values.setDefaultUser.user.existingSecret }}
-                name: {{ .Values.setDefaultUser.user.existingSecret -}}
-                {{ else }}
-                name: {{ include "influxdb.fullname" . }}-auth
-                {{- end }}
-                key: influxdb-password
-        args:
-          - "/bin/sh"
-          - "-c"
-          - |
-             curl -X POST http://{{ include "influxdb.fullname" . }}:{{ .Values.config.http.bind_address | default 8086 }}/query \
-             --data-urlencode \
-             "q=CREATE USER \"${INFLUXDB_USER}\" WITH PASSWORD '${INFLUXDB_PASSWORD}' {{ .Values.setDefaultUser.user.privileges }}"
-      restartPolicy: {{ .Values.setDefaultUser.restartPolicy }}
-{{- end -}}
diff --git a/charts/influxdb/templates/statefulset.yaml b/charts/influxdb/templates/statefulset.yaml
index e022b04..38c91ff 100644
--- a/charts/influxdb/templates/statefulset.yaml
+++ b/charts/influxdb/templates/statefulset.yaml
@@ -56,8 +56,10 @@ spec:
       - name: {{ include "influxdb.fullname" . }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+        {{- if .Values.resources }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
+        {{- end }}
         ports:
         - name: api
           containerPort: {{ .Values.config.http.bind_address | default 8086 }}
@@ -85,13 +87,35 @@ spec:
         - name: meta
           containerPort: {{ .Values.config.meta.bind_address | default 8091 }}
         {{- end }}
-        {{- if .Values.env }}
+        {{- if or .Values.env .Values.setDefaultUser.enabled }}
         env:
+        {{- if .Values.env }}
 {{ toYaml .Values.env | indent 10 }}
+        {{- end }}
         {{- if .Values.enterprise.enabled }}
           - name: INFLUXDB_HOSTNAME # Values.env's HOSTNAME isn't fundamentally different from $HOSTNAME, but this way weg get a distinguished name at runtime.
             value: "$(_HOSTNAME).{{ include "influxdb.fullname" . }}"
         {{- end }}
+        {{- if .Values.setDefaultUser.enabled }}
+          - name: INFLUXDB_ADMIN_USER
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.setDefaultUser.user.existingSecret }}
+                name: {{ .Values.setDefaultUser.user.existingSecret -}}
+                {{ else }}
+                name: {{ include "influxdb.fullname" . }}-auth
+                {{- end }}
+                key: influxdb-user
+          - name: INFLUXDB_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.setDefaultUser.user.existingSecret }}
+                name: {{ .Values.setDefaultUser.user.existingSecret -}}
+                {{ else }}
+                name: {{ include "influxdb.fullname" . }}-auth
+                {{- end }}
+                key: influxdb-password
+        {{- end }}
         {{- end }}
         {{- if .Values.envFromSecret }}
         envFrom:
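Review bot: The `INFLUXDB_ADMIN_USER` and `INFLUXDB_ADMIN_PASSWORD` entries added under `env:` put the admin credentials in the environment of the long-running InfluxDB container, whereas the removed hook exposed them only to a short-lived Job pod. Anyone allowed to exec into the pod can read them for the pod's lifetime, so I would say so in a template comment above the block, e.g. `{{- /* admin credentials stay in this container's env; limit pods/exec access in the namespace */}}`. If `.Values.env` already carries entries with the same two names, the rendered list will contain duplicates, which deserves a `fail` guard or a README note. The unquoted Secret name would also be safer as `name: {{ .Values.setDefaultUser.user.existingSecret | quote -}}`. The container spec starts and ends outside this hunk.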
diff --git a/charts/influxdb/values.yaml b/charts/influxdb/values.yaml
index b435b8c..c93eb88 100644
--- a/charts/influxdb/values.yaml
+++ b/charts/influxdb/values.yaml
@@ -98,38 +98,11 @@ enterprise:
   #      memory: 1Gi
   #      cpu: 4
 
-## Create default user through Kubernetes job
-## Defaults indicated below
+## Set default user
 ##
 setDefaultUser:
   enabled: false
-
-  ## Image of the container used for job
-  ## Default: appropriate/curl:latest
-  ##
-  image: appropriate/curl:latest
-
-  ## Deadline for job so it does not retry forever.
-  ## Default: activeDeadline: 300
-  ##
-  activeDeadline: 300
-
-  ## Specify the number of retries before considering job as failed.
-  ## https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#pod-backoff-failure-policy
-  ##
-  backoffLimit: 6
-
-  ## Hook delete policy for helm.
-  ## Default: hookDeletePolicy: hook-succeeded
-  ##
-  hookDeletePolicy: hook-succeeded
-
-  ## Restart policy for job
-  ## Default: OnFailure
-  restartPolicy: OnFailure
-
   user:
-
     ## The user name
     ## Default: "admin"
     username: "admin"
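Review bot: The new `## Set default user` comment no longer says how the user is created or with which rights, and with `privileges` dropped in the next hunk the account is presumably always an admin (the StatefulSet now passes `INFLUXDB_ADMIN_USER` / `INFLUXDB_ADMIN_PASSWORD`). A values file that set a narrower `setDefaultUser.user.privileges`, or any of the removed job keys, is now silently ignored. I would spell this out, e.g. `## Create an admin user through the INFLUXDB_ADMIN_USER / INFLUXDB_ADMIN_PASSWORD env vars on the InfluxDB container` followed by `## The account always has admin rights; the former job settings and user.privileges are no longer read`. The `setDefaultUser` mapping continues past the end of this hunk.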
@@ -144,10 +117,6 @@ setDefaultUser:
     ## If set, the username and password values above are ignored.
     # existingSecret: influxdb-auth
 
-    ## User privileges
-    ## Default: "WITH ALL PRIVILEGES"
-    privileges: "WITH ALL PRIVILEGES"
-
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources: {}
-- 
2.24.1