Allow provisioner to be namespaced
In the Grafana Federal Cloud we have clusters where we cannot create ClusterRole/ClusterRoleBinding
due to an increased security posture.  To ensure we can deploy the provisioner in these clusters,
this PR conditionally generates Role instead of ClusterRole if enterprise and enterprise.provisioner
are enabled and rbac.namespaced is true.

This PR also updates the provisioner job helm hooks to allow it to be customized to run on other hookTypes.
This still defaults to post-install and should have no impact on current usage. This will allow the Grafana
Federal Cloud to use the provisioner after helm post-upgrades to attempt to create tenants as required.

Closes deployment_tools/#185454

Signed-off-by: Ryan Brady <[email protected]>
rbrady committed Feb 4, 2025
1 parent 9ddc756 commit 1c6f271
Showing 6 changed files with 11 additions and 7 deletions.
2 changes: 2 additions & 0 deletions docs/sources/setup/install/helm/reference.md
Expand Up @@ -3075,6 +3075,7 @@ null
"enabled": true,
"env": [],
"extraVolumeMounts": [],
"hookType": "post-install",
"image": {
"digest": null,
"pullPolicy": "IfNotPresent",
Expand Down Expand Up @@ -3263,6 +3264,7 @@ null
"enabled": true,
"env": [],
"extraVolumeMounts": [],
"hookType": "post-install",
"image": {
"digest": null,
"pullPolicy": "IfNotPresent",
2 changes: 1 addition & 1 deletion production/helm/loki/README.md
Expand Up @@ -15,7 +15,7 @@ Helm chart for Grafana Loki and Grafana Enterprise Logs supporting both simple,
| Repository | Name | Version |
|------------|------|---------|
| https://charts.min.io/ | minio(minio) | 5.4.0 |
| https://grafana.github.io/helm-charts | grafana-agent-operator(grafana-agent-operator) | 0.5.0 |
| https://grafana.github.io/helm-charts | grafana-agent-operator(grafana-agent-operator) | 0.5.1 |
| https://grafana.github.io/helm-charts | rollout_operator(rollout-operator) | 0.23.0 |

Find more information in the Loki Helm Chart [documentation](https://grafana.com/docs/loki/next/installation/helm).
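Review bot: the `grafana-agent-operator` dependency bump from 0.5.0 to 0.5.1 on the changed table row is unrelated to the namespaced-RBAC and hook-type change the commit message describes, and the message does not mention it. Either drop it from this commit or call it out in the message so the changelog and reviewers see the dependency update for what it is.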
Expand Up @@ -14,7 +14,7 @@ metadata:
{{- with .Values.enterprise.provisioner.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
"helm.sh/hook": post-install
"helm.sh/hook": {{ .Values.enterprise.provisioner.hookType | default "post-install" | quote }}
"helm.sh/hook-weight": "15"
spec:
backoffLimit: 6
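Review bot: the Job's hook is now configurable, but the RBAC objects the Job depends on are not given the same treatment; the binding template in this same commit still hard-codes `"helm.sh/hook": post-install`. If `hookType` is set to `post-upgrade` on a release where the provisioner was not enabled at install time, the Job fires on upgrade while the post-install-hooked Role/Binding never get created, and the Job fails on authorization. Suggest rendering the hook annotation from the same value in every provisioner hook resource, e.g. `"helm.sh/hook": {{ .Values.enterprise.provisioner.hookType | default "post-install" | quote }}`.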
@@ -1,6 +1,6 @@
{{ if and (and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled) (not .Values.rbac.namespaced)}}
{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}Role
metadata:
name: {{ template "enterprise-logs.provisionerFullname" . }}
namespace: {{ $.Release.Namespace }}
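Review bot: switching to a namespace-scoped Role narrows what the provisioner is allowed to do, and nothing documents that. The values.yaml comment in this same commit says each tenant needs "a namespace for the secret ... to be created in"; with `rbac.namespaced: true` the Role only grants rights inside `{{ $.Release.Namespace }}`, so any tenant whose secret namespace differs will be denied. Suggest either documenting that namespaced mode requires all tenant secrets to live in the release namespace, or rejecting the mismatch at render time with Helm's `fail`. Minor, pre-existing: `namespace:` is still emitted for the cluster-scoped ClusterRole variant, where the API server ignores it.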
@@ -1,7 +1,7 @@
{{ if and (and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled) (not .Values.rbac.namespaced)}}
{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: {{ if not .Values.rbac.namespaced }}Cluster{{ else }}Role{{ end }}Binding
metadata:
name: {{ template "enterprise-logs.provisionerFullname" . }}
namespace: {{ $.Release.Namespace }}
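Review bot: the new `kind:` line is wrong for the non-namespaced (default) case. `{{ if not .Values.rbac.namespaced }}Cluster{{ else }}Role{{ end }}Binding` renders to `ClusterBinding` when `rbac.namespaced` is false, which is not a valid kind, so every existing install with the provisioner enabled would fail to apply. The ClusterRole template in the previous hunk gets the conditional right; use the same shape here: `kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}RoleBinding`.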
Expand All @@ -17,7 +17,7 @@ metadata:
"helm.sh/hook": post-install
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
kind: {{ if not .Values.rbac.namespaced }}Cluster{{ end }}Role
name: {{ template "enterprise-logs.provisionerFullname" . }}
subjects:
- kind: ServiceAccount
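Review bot: `"helm.sh/hook": post-install` stays hard-coded in this binding while the Job template now reads `.Values.enterprise.provisioner.hookType`, so the binding and the Job can fire on different hook events; render this annotation from the same value. The `roleRef.kind` change itself is fine, since a RoleBinding may reference a Role and a ClusterRoleBinding a ClusterRole, and the conditional keeps the two in step.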
2 changes: 2 additions & 0 deletions production/helm/loki/values.yaml
Expand Up @@ -575,6 +575,8 @@ enterprise:
enabled: true
# -- Name of the secret to store provisioned tokens in
provisionedSecretPrefix: null
#-- Hook type(s) to customize when the job runs. defaults to post-install

Check failure on line 578 in production/helm/loki/values.yaml (GitHub Actions / Test Helm Chart): 578:6 [comments] missing starting space in comment
hookType: "post-install"
# -- Additional tenants to be created. Each tenant will get a read and write policy
# and associated token. Tenant must have a name and a namespace for the secret containting
# the token to be created in. For example
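Review bot: the new comment is written `#--` rather than `# --`, which is what yamllint flagged (578:6 missing starting space) and what the neighbouring keys use (`# -- Name of the secret ...`); the `# --` form also appears to be what the generated reference.md descriptions are taken from, so as written the `hookType` entry will likely land in the reference without a description. Change it to `# -- Hook type(s) to customize when the job runs. Defaults to post-install`. This is also the natural place to state that `rbac.namespaced: true` restricts the provisioner to secrets in the release namespace.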
