grafana · NissesSenap · Apr 19, 2024 · Apr 14, 2024 · Apr 16, 2024 · Apr 17, 2024
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grafana-deployment
+  ownerReferences:
+  - apiVersion: grafana.integreatly.org/v1beta1
+    kind: Grafana
+    name: grafana
+status:
+  availableReplicas: 1
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: thanos
+spec:
+  datasource:
+    secureJsonData:
+      httpHeaderValue1: 'Bearer ${token}'
+  valuesFrom:
+    - targetPath: "secureJsonData.httpHeaderValue1"
+      valueFrom:
+        secretKeyRef:
+          name: grafana-instance-sa-token
+          key: token
+status:
+  uid:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: thanos-querier
+status:
+  availableReplicas: 1
@@ -0,0 +1,103 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+  name: grafana
+  labels:
+    dashboards: "grafana"
+spec:
+  config:
+    log:
+      mode: "console"
+    auth:
+      disable_login_form: "false"
+    security:
+      admin_user: root
+      admin_password: secret
+  deployment:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: grafana
+              image: grafana/grafana:10.4.2 # Not all grafana versions support the API to test the datasource
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-instance-sa-token
+stringData:
+  token: "token-content"
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: thanos
+spec:
+  instanceSelector:
+    matchLabels:
+      dashboards: "grafana"
+  datasource:
+    access: proxy
+    basicAuth: false
+    editable: true
+    isDefault: true
+    jsonData:
+      httpHeaderName1: 'Authorization'
+      timeInterval: 5s
+      tlsSkipVerify: true
+    secureJsonData:
+      httpHeaderValue1: 'Bearer ${token}'
+    name: Prometheus
+    orgId: 1
+    type: prometheus
+    url: (join('',['http://thanos-querier.',$namespace,'.svc',':8080']))
+  valuesFrom:
+    - targetPath: "secureJsonData.httpHeaderValue1"
+      valueFrom:
+        secretKeyRef:
+          name: grafana-instance-sa-token
+          key: token
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: thanos-querier
+  labels:
+    app: thanos-querier
+spec:
+  selector:
+    matchLabels:
+      app: thanos-querier
+  template:
+    metadata:
+      labels:
+        app: thanos-querier
+    spec:
+      terminationGracePeriodSeconds: 3
+      containers:
+        - name: netcat
+          image: alpine
+          command:
+            - sh
+            - -c
+            - |
+              set -eu
+              echo "Starting pod"
+              while true; do echo -e 'HTTP/1.1 200 OK\n\n{"asdf":"date"}' | nc -l -p 8080; done
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: thanos-querier
+spec:
+  selector:
+    app: thanos-querier
+  ports:
+    - port: 8080
+      name: http
+      protocol: TCP
+      targetPort: 8080
@@ -0,0 +1,6 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: grafana-querier
+status:
+  succeeded: 1
@@ -0,0 +1,27 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: grafana-querier
+  labels:
+    app: grafana-querier
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: netcat
+          image: dwdraju/alpine-curl-jq #alpine
+          env:
+            - name: BASEURL
+              value: (join('',['http://root:secret@grafana-service.',$namespace,'.svc',':3000']))
+          command:
+            - sh
+            - -c
+            - |
+              set -eu
+              sleep 15
+              echo "The base URL for grafana: ${BASEURL}"
+              export DATASOURCE_UID=$(curl -v "${BASEURL}/api/datasources" -H "Accept: application/json" | jq -r '.[0].uid')
+              echo "Datasource UID: ${DATASOURCE_UID}"
+              RESULT=$(curl -s "${BASEURL}/api/datasources/uid/${DATASOURCE_UID}/health" -H "Accept: application/json" | jq -r '.')
+              echo "Result: ${RESULT}"
@@ -0,0 +1,28 @@
+# Testing GrafanaDatasource secureJsonData
+
+This test creates a GrafanaDatasource with a reference
+to a secret (which is normally created by a serviceAccount)
+and makes sure it's inserted correctly into
+grafana.
+
+## Step 00
+
+This step creates a number of resources:
+- Grafana (to create a new grafana)
+- GrafanaDatasource (with secureJsonData and a secret)
+- A thanos emulator pod, using netcat, with a service
+
+## Step 01
+
+This step starts a pod which query the grafana to test it's datasource,
+which in turn forces the grafana to query thanos.
+
+## Step 02
+
+Verify in the log that grafana is happy with the response from
+the datasource.
+
+## Step 03
+
+Verify in the log that grafana sent the authorization header with
+the token.
@@ -0,0 +1,59 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secure-json-datasource
+spec:
+  concurrent: false
+  steps:
+  # This starts the grafana and the netcat simulating thanos.
+  - name: step-00
+    try:
+    - apply:
+        template: true
+        file: 00-resources.yaml
+    - assert:
+        template: true
+        file: 00-assertions.yaml
+  # This queries the grafana to trigger a query to the netcat simulating thanos.
+  - name: step-01
+    try:
+      - apply:
+          template: true
+          file: 01-resources.yaml
+      - assert:
+          file: 01-assertions.yaml
+  # This step verifies that grafana is happy with the datasource
+  - name: step-02
+    timeouts:
+      assert: 5s
+    try:
+      - script:
+          content: 'kubectl logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."'
+          env:
+            - name: namespace
+              value: ($namespace)
+          outputs:
+            - name: grafana_response
+              value: (json_parse($stdout))
+      - assert:
+          resource:
+            ($grafana_response):
+              status: OK
+    # This step verifies that netcat/thanos got a call with a token
+  - name: step-03
+    timeouts:
+      assert: 5s
+    try:
+      - script:
+          content: 'kubectl logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1'
+          env:
+            - name: namespace
+              value: ($namespace)
+          outputs:
+            - name: thanos_request_log
+              value: ($stdout)
+      - assert:
+          resource:
+            ($thanos_request_log):
+              "Authorization: Bearer token-content"