When you need to set up Grafana Private Data source Connect (PDC) in Kubernetes, a few tricks are needed to make it work.
Here I describe what I did to use it.
Used links:
I created a custom Helm chart that contains the following deployment.yaml. The agent reads its cluster, hosted Grafana ID and token from a Secret named after the release (keys `cluster`, `hostedGrafanaId` and `token`). Because those values are expanded into the process arguments, the token is readable from the container's process list by anyone with `exec` or node access, so keep that access tight:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ .Release.Name }}
    name: {{ .Release.Name }}
  name: {{ .Release.Name }}
spec:
  replicas: {{ .Values.minReplicas }}
  selector:
    matchLabels:
      name: {{ .Release.Name }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        # "app" must be on the pod as well: the topologySpreadConstraints below
        # select on it, and a constraint whose selector does not match the pod's
        # own labels is skipped by the scheduler.
        app: {{ .Release.Name }}
        name: {{ .Release.Name }}
      annotations:
        proxy.istio.io/config: |
          holdApplicationUntilProxyStarts: true
    spec:
      containers:
        - name: {{ .Release.Name }}
          env:
            - name: CLUSTER
              valueFrom:
                secretKeyRef:
                  key: cluster
                  name: {{ .Release.Name }}
            - name: HOSTED_GRAFANA_ID
              valueFrom:
                secretKeyRef:
                  key: hostedGrafanaId
                  name: {{ .Release.Name }}
            - name: TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: {{ .Release.Name }}
          args:
            - -cluster
            - "$(CLUSTER)"
            - -gcloud-hosted-grafana-id
            - "$(HOSTED_GRAFANA_ID)"
            - -token
            - "$(TOKEN)"
            - -ssh-key-file
            - "/home/pdc/.ssh/grafana_pdc_v3"
          image: grafana/pdc-agent:{{ .Values.version }}
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 1024m
              memory: 1Gi
            requests:
              cpu: 1024m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            capabilities:
              drop:
                # Uppercase "ALL" is what the Pod Security "restricted" check looks for.
                - ALL
      securityContext:
        runAsUser: 30000
        runAsGroup: 30000
        fsGroup: 30000
      topologySpreadConstraints:
        - labelSelector:
            matchLabels:
              app: {{ .Release.Name }}
          maxSkew: 1
          minDomains: {{ .Values.minReplicas }}
          topologyKey: "kubernetes.io/hostname"
          whenUnsatisfiable: DoNotSchedule
          matchLabelKeys:
            - pod-template-hash
          nodeAffinityPolicy: Honor
          nodeTaintsPolicy: Honor
        - labelSelector:
            matchLabels:
              app: {{ .Release.Name }}
          maxSkew: 1
          minDomains: {{ .Values.minReplicas }}
          topologyKey: "topology.kubernetes.io/zone"
          whenUnsatisfiable: DoNotSchedule
          matchLabelKeys:
            - pod-template-hash
          nodeAffinityPolicy: Honor
          nodeTaintsPolicy: Honor
```
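The checks I would run over the rendered manifest before applying it, as an added example (not code from this post or from the grafana/pdc-agent project). It works on the manifest as a plain dict, which is what any YAML loader gives you for the output of `helm template`; the dict below is a constructed, trimmed copy of the deployment above with three mistakes planted in it: the pod labels lack the `app` key the spread selector looks for, the capability drop is lowercase `all`, and no seccomp profile is set.

```python
"""Static checks for a pdc-agent Deployment before it is applied.

Added example for this post, not code from the page or the pdc-agent project.
"""
import copy
import re

SECRET_FLAGS = {"-token"}                                # flags whose value is a secret
VAR_REF = re.compile(r"\$\([A-Za-z_][A-Za-z0-9_]*\)")    # kubelet $(VAR) expansion

# Constructed: the page's Deployment rendered with release name "pdc-agent",
# trimmed to the fields the checks read, with three mistakes planted in it.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {
        "selector": {"matchLabels": {"name": "pdc-agent"}},
        "template": {
            "metadata": {
                "labels": {"name": "pdc-agent"},                       # no "app" key
                "annotations": {"proxy.istio.io/config": "holdApplicationUntilProxyStarts: true\n"},
            },
            "spec": {
                "securityContext": {"runAsUser": 30000, "runAsGroup": 30000, "fsGroup": 30000},
                "containers": [{
                    "name": "pdc-agent",
                    "image": "grafana/pdc-agent:0.0.1",                # version assumed
                    "args": ["-cluster", "$(CLUSTER)", "-gcloud-hosted-grafana-id",
                             "$(HOSTED_GRAFANA_ID)", "-token", "$(TOKEN)",
                             "-ssh-key-file", "/home/pdc/.ssh/grafana_pdc_v3"],
                    "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                                        "runAsNonRoot": True, "capabilities": {"drop": ["all"]}},
                }],
                "topologySpreadConstraints": [
                    {"labelSelector": {"matchLabels": {"app": "pdc-agent"}}, "maxSkew": 1,
                     "topologyKey": "kubernetes.io/hostname", "whenUnsatisfiable": "DoNotSchedule"},
                    {"labelSelector": {"matchLabels": {"app": "pdc-agent"}}, "maxSkew": 1,
                     "topologyKey": "topology.kubernetes.io/zone", "whenUnsatisfiable": "DoNotSchedule"},
                ],
            },
        },
    },
}


def selector_matches(labels, match_labels):
    """True when every key/value of match_labels is present in labels."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def literal_secret_args(args):
    """Secret flags whose value is a literal instead of a $(VAR) reference."""
    return [f for f, v in zip(args, args[1:]) if f in SECRET_FLAGS and not VAR_REF.fullmatch(v)]


def lint_deployment(dep):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    tmpl = dep["spec"]["template"]
    labels = tmpl["metadata"].get("labels", {})
    pod = tmpl["spec"]
    pod_sc = pod.get("securityContext", {})

    # Istio: the app must wait for the sidecar, or its first SSH dial goes out unrouted.
    cfg = tmpl["metadata"].get("annotations", {}).get("proxy.istio.io/config", "")
    if not re.search(r"^\s*holdApplicationUntilProxyStarts:\s*true\s*$", cfg, re.M):
        out.append("istio: holdApplicationUntilProxyStarts is not true")

    # Scheduler: a constraint whose labelSelector does not match the pod's own
    # labels is skipped for that pod, so the replicas end up unspread.
    for c in pod.get("topologySpreadConstraints", []):
        sel = c.get("labelSelector", {}).get("matchLabels", {})
        if not selector_matches(labels, sel):
            out.append(f"spread: {c['topologyKey']} selector {sel} does not match pod labels {labels}")

    for ctr in pod["containers"]:
        sc, name = ctr.get("securityContext", {}), ctr["name"]
        # Pod Security "restricted" profile, as the admission controller evaluates it.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):    # literal, case-sensitive
            out.append(f'{name}: capabilities.drop must contain "ALL"')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # A literal token would sit in the manifest, in every `kubectl get` and in ps output.
        for flag in literal_secret_args(ctr.get("args", [])):
            out.append(f"{name}: {flag} is passed as a literal value")
    return out


def hardened_deployment():
    """WEAK_DEPLOYMENT with the three planted mistakes corrected."""
    dep = copy.deepcopy(WEAK_DEPLOYMENT)
    tmpl = dep["spec"]["template"]
    tmpl["metadata"]["labels"]["app"] = "pdc-agent"
    tmpl["spec"]["securityContext"]["seccompProfile"] = {"type": "RuntimeDefault"}
    tmpl["spec"]["containers"][0]["securityContext"]["capabilities"] = {"drop": ["ALL"]}
    return dep


if __name__ == "__main__":
    for finding in lint_deployment(WEAK_DEPLOYMENT):
        print("weak:", finding)
    print("hardened:", lint_deployment(hardened_deployment()))
```

Run it against the output of `helm template` (load the YAML into a dict first) and fail the pipeline on a non-empty result; the spread-constraint check is the one that is easy to miss, because a mismatched selector produces no error, just pods that all land on one node.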
Nuances
Istio
Sidecar
Set holdApplicationUntilProxyStarts: true in the pod's proxy.istio.io/config annotation so the application container does not start until the Istio sidecar is ready; otherwise the agent's first connection attempts leave before Envoy can route them.
Access (optional)
If your mesh blocks unregistered outbound traffic (outboundTrafficPolicy mode REGISTRY_ONLY), add ServiceEntry resources for the hosts the agent must reach. Replace <cluster> in the hosts below with the same value you pass to -cluster.
What I have for API access:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: {{ .Values.name }}-api
spec:
  hosts:
    - private-datasource-connect-api-<cluster>.grafana.net
  location: MESH_EXTERNAL
  ports:
    - name: https
      number: 443
      protocol: HTTPS
  resolution: DNS
```
What I have for SSH access:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: {{ .Values.name }}-ssh
spec:
  hosts:
    - private-datasource-connect-<cluster>.grafana.net
  location: MESH_EXTERNAL
  ports:
    - name: tcp
      number: 22
      protocol: TCP
  resolution: DNS
```

Because this TCP ServiceEntry declares no addresses, the sidecar listens on 0.0.0.0:22 and forwards every outbound port-22 connection from the pod to this host. That is fine for pdc-agent, which only talks to that endpoint, but keep it in mind if other containers in the same pod use SSH.
Grafana PDC config
Key Pair force regeneration
I set -ssh-key-file to /home/pdc/.ssh/grafana_pdc_v3 because if the host is already in the allowed list (for SSH access), the agent does not start and ends up in constant restarts.
This should be addressed in a GitHub issue.
Log level
Currently the PDC agent's log level is set to debug.
Unfortunately, as of today, when you use the -ssh-key-file parameter you cannot change it.
This should be addressed in a GitHub issue.