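# Backing storage for Chronograf: a hostPath-backed PersistentVolume.
# hostPath hands a directory of the node's filesystem to the pod, so the
# path should be dedicated to Chronograf, and the volume is only usable on a
# node that actually has /mnt/datastore/chronograf (no storage class is set,
# so it is meant to be claimed by the chart's classless PVC below).
resource "kubernetes_persistent_volume" "chronograf" {
  metadata {
    name = "pv-p9hostpath-chronograf"
  }

  spec {
    capacity = {
      storage = "8Gi"
    }
    access_modes = ["ReadWriteMany"]

    persistent_volume_source {
      host_path {
        path = "/mnt/datastore/chronograf"
      }
    }
  }
}

# Random secret handed to the chart as oauth.token_secret (Chronograf uses it
# for its own session tokens — see the Chronograf OAuth docs). Generated once
# by Terraform and kept in state, never written into the configuration.
resource "random_password" "chronograf_token_secret" {
  length  = 80
  special = true
}

# Chronograf deployed from the InfluxData chart, exposed through Traefik with a
# cert-manager certificate and protected by Cognito via the generic OAuth
# provider.
#
# Secrets: random_password.chronograf_token_secret.result and the Cognito
# client secret are stored in Terraform state (set_sensitive only keeps them
# out of plan/apply output), so the state backend must be access-controlled.
resource "helm_release" "chronograf" {
  name       = "chronograf"
  namespace  = kubernetes_namespace.this.metadata[0].name
  repository = "https://helm.influxdata.com/"
  chart      = "chronograf"
  version    = "1.2.5"

  values = [
    # Ingress: TLS terminated at Traefik; the certificate is requested from the
    # cert-manager ClusterIssuer named in the annotation and stored in
    # secret "chronograf-tls".
    jsonencode({
      ingress = {
        enabled    = true
        className  = "traefik"
        hostname   = local.chronograf_domain
        tls        = true
        secretName = "chronograf-tls"
        annotations = {
          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
          # Previous Traefik router annotations, kept for reference:
          # "kubernetes.io/ingress.class"                              = "traefik"
          # "traefik.ingress.kubernetes.io/router.entrypoints"         = "websecure"
          # "traefik.ingress.kubernetes.io/router.tls"                 = "true"
          # "traefik.ingress.kubernetes.io/router.tls.certresolver"    = "acme-thomasklein-me"
          # "traefik.ingress.kubernetes.io/router.tls.domains.0.main"  = local.ingress_domain
          # "traefik.ingress.kubernetes.io/router.middlewares"         = "redirect-metrics@file" # hide /metrics from the internet
        }
        labels = {}
      }
    }),

    # Storage: Recreate so two pods never hold the same volume at once.
    # persistence.enabled is a real boolean (the string "true" would also be
    # truthy to Helm, but "false" as a string would not be false).
    # storageClass "-" is the chart convention for "no storage class"
    # (storageClassName: ""), which is what lets the PVC bind to the classless
    # hostPath PV above — confirm against the chart's PVC template.
    jsonencode({
      updateStrategy = {
        type = "Recreate"
      }
      persistence = {
        enabled      = true
        accessMode   = "ReadWriteMany"
        storageClass = "-"
      }
    }),

    # Authentication: Chronograf's generic OAuth2 provider pointed at Cognito.
    # jwks lets Chronograf validate the issuer's tokens; api_key is the
    # userinfo field used as the user's principal name (presumably "email"
    # because of the requested scopes — verify against the Chronograf docs).
    jsonencode({
      oauth = {
        enabled      = true
        token_secret = random_password.chronograf_token_secret.result
        jwks         = local.jwks_url
        generic = {
          enabled    = true
          name       = "Cognito"
          public_url = "https://${local.chronograf_domain}/"
          auth_url   = local.cognito_authz_url
          token_url  = local.cognito_token_url
          api_url    = local.cognito_userinfo_url
          api_key    = "email"
          scopes     = "email openid profile"
        }
      }
    }),
  ]

  # Client credentials go through set_sensitive rather than values so they are
  # redacted from plan/apply output.
  set_sensitive {
    name  = "oauth.generic.client_id"
    value = aws_cognito_user_pool_client.this.id
  }

  set_sensitive {
    name  = "oauth.generic.client_secret"
    value = aws_cognito_user_pool_client.this.client_secret
  }
}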