Permits to target a grafanaFolder in another namespace into the GrafanaDashboard CR #1646

Closed
aboulay-numspot opened this issue Aug 22, 2024 · 1 comment
Labels
enhancement New feature or request needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Contributor

aboulay-numspot commented Aug 22, 2024

Is your feature request related to a problem?

Context: We are trying to permit developers to deploy their dashboards and create folders in a restricted Kubernetes environment. Developers can only access a dedicated namespace and create resources inside it. The folders and dashboards should be deployed only in a specific folder using a dedicated service account with specific permission on it.

The potential deployment pattern is the following:

Screenshot from 2024-08-22 15-56-16

The advantage of this pattern is that it permits targeting a folder only by its name + namespace without having its information. This protects the content access to the Grafana with "sa" service account and avoids potentially being compromised on other Team Folder.

Currently, it is not possible to target the folder because folderRef in the GrafanaDashboard CR could only target a Folder in the same namespace.

Describe the solution you'd like

I would like to make an evolution on the GrafanaDashboard CRD to have the possibility to declare a namespace in addition to the folderRef field.

Potential patterns (to debate):

<...>
folderRef:
  name: team-1
  namespace: operator
<...>

<...>
folderRef: team-1
folderRefNamespace: operator
<...>

Describe alternatives you've considered

I have tried different patterns using the operator or not (Terraform) to create this architecture (the Grafana view).
However, problems happened when:

  • Folder Team-1 created using Terraform: A dashboard is destroyed and the parent folder destroyed at the same time (which means I need to recreate it manually after this and an inconsistency in my Terraform state).
  • GrafanaFolder created in the operator namespace with folderUID: inconsistency of the UID which makes an automated replication of the GrafanaDashboard resource with multiple Kubernetes clusters impossible.

Additional context

Using this pattern, in case of deletion of the parent Folder by the operator, the reconciliation loop will recreate the folder a few minutes later.

I can present this during the next maintainer meeting if you want.

Existing solutions

N/A

@theSuess
Member

To reduce complexity, we'll focus on #1636 which allows stable UIDs
