ARO-26057: add ADX Grafana datasource provisioning#4878
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds ARO-HCP support to provision and clean up Azure Data Explorer (Kusto) data sources in the shared Managed Grafana workspace, integrated into the existing geography rollout flow.
Changes:
- Extend Kusto IaC to optionally grant Grafana’s managed identity DB-level Viewer access and output the cluster URI.
- Add geography pipeline steps to fetch global Grafana outputs and provision/update ADX Grafana datasources via Azure CLI.
- Introduce configuration flags/schema + docs, and update the Kusto delete cleanup to remove the matching Grafana datasource.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/monitoring.md | Documents ADX/Kusto datasource provisioning gates, naming, validation, and teardown behavior. |
| dev-infrastructure/templates/kusto.bicep | Threads optional Grafana resource ID into the Kusto module and exposes kustoUri output. |
| dev-infrastructure/modules/logs/kusto/main.bicep | Grants Grafana MI Viewer on ServiceLogs when provided and surfaces cluster URI output. |
| dev-infrastructure/modules/logs/kusto/cluster.bicep | Exposes Kusto cluster uri as an output. |
| dev-infrastructure/geography-pipeline.yaml | Adds global output step and a shell step to create/update ADX Grafana datasources. |
| dev-infrastructure/configurations/kusto.tmpl.bicepparam | Adds grafanaResourceId parameter placeholder for pipeline substitution. |
| dev-infrastructure/cleanup/delete.kusto.instance.sh | Extends cleanup to also delete the corresponding Grafana datasource. |
| dev-infrastructure/cleanup/delete.kusto.instance.pipeline.yaml | Wires Grafana resource ID from global outputs into the cleanup script run. |
| config/rendered/dev/swft/uksouth.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/rendered/dev/prow/westus3.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/rendered/dev/pers/westus3.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/rendered/dev/perf/westus3.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/rendered/dev/dev/westus3.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/rendered/dev/cspr/westus3.yaml | Adds default monitoring flags for ADX datasource provisioning (disabled). |
| config/config.yaml | Introduces new monitoring defaults for ADX provisioning flags. |
| config/config.schema.json | Defines schema/validation for the new monitoring configuration knobs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
swiencki
changed the title
|
/hold |
|
Thanks for the feedback, I'll move this to On the "update once" concern: the existing |
swiencki
force-pushed
the
adx-grafana-datasource-upstream
branch
from
8d14303 to
a80a076
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
/unhold Updated to use grafanactl. |
swiencki
force-pushed
the
adx-grafana-datasource-upstream
branch
from
5d069ae to
c091e9c
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…peline Per PR #4878 review. Drops the new GrafanaDatasources call from geography-pipeline.yaml and extends the existing add-grafana-datasource in region-pipeline.yaml with the ADX block. clusterUrl sources from regional kusto-lookup output. AzureMonitor reconcile preserved via the ARO-Tools default-true. Triple-AND gate keeps the three feature flags agreeing by construction. No Go/Bicep/config/test changes.
…peline Per PR #4878 review. Drops the new GrafanaDatasources call from geography-pipeline.yaml and extends the existing add-grafana-datasource in region-pipeline.yaml with the ADX block. clusterUrl sources from regional kusto-lookup output. AzureMonitor reconcile preserved via the ARO-Tools default-true. Triple-AND gate keeps the three feature flags agreeing by construction. No Go/Bicep/config/test changes.
swiencki
force-pushed
the
adx-grafana-datasource-upstream
branch
from
ef9d6e8 to
656403e
Compare
SudoBrendan
left a comment
SudoBrendan
left a comment
There was a problem hiding this comment.
Overall looks clean, maybe some orphaned resources, can you validate? I'll have a look at the ARO-Tools change as well. Thanks Simon!
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: swiencki The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Replace the temporary shell datasource script with a direct grafanactl invocation and keep cleanup datasource deletion out of this rollout scope. Depends on Azure/ARO-Tools#228.
…peline Per PR #4878 review. Drops the new GrafanaDatasources call from geography-pipeline.yaml and extends the existing add-grafana-datasource in region-pipeline.yaml with the ADX block. clusterUrl sources from regional kusto-lookup output. AzureMonitor reconcile preserved via the ARO-Tools default-true. Triple-AND gate keeps the three feature flags agreeing by construction. No Go/Bicep/config/test changes.
Move the Grafana ServiceLogs Viewer grant out of the core Kusto deployment (main.bicep) into its own geography-pipeline step with automatedRetry on AAD principal errors. This follows the established pattern from kusto-grant-ingest.bicep (used in mgmt/svc pipelines with automatedRetry) so that a transient principal-not-found failure does not fail the entire Kusto rollout. Also add an early return in resolveGrafanaADXOptions when ADX is disabled: skip resolving cluster URL, datasource name, and other fields that are only needed for the create/update path. This keeps non-owner regions (where the triple-AND gate evaluates to false) from holding a resolved DatasourceName that could interact with deleteWhenDisabled. The delete-on-disable path for disallowed geographies is unaffected because enabled=true there and the geography allowlist check runs inside grafanactl Validate. Note: renaming grant-access.bicep resource names from grant-* to grant-ingest-*/grant-viewer-* (done in a prior commit) will leave the old principalAssignments in place as harmless duplicates.
swiencki
force-pushed
the
adx-grafana-datasource-upstream
branch
from
e3d6689 to
159012b
Compare
|
/hold - This PR requires Azure/ARO-Tools#228 to be merged first, CI is expected to fail without it |
|
@swiencki: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
ARO-26057
What
Adds ADX/Kusto Grafana datasource provisioning through the geography rollout using the typed
GrafanaDatasourcesaction. The step forwards ADX desired state tografanactl modify datasource reconcile, grants the Grafana managed identity Kusto Viewer access to ServiceLogs, and removes the prior rollout-timego runshell path.Why
This follows the existing typed/prebuilt-binary pattern for Grafana datasource rollout while enabling SRE dashboards to query Kusto data from Grafana.
Testing
GOWORK=/tmp/aro-hcp-adx-local.work go test ./pkg/pipelinefromtooling/templatizegit diff --checkSpecial notes for your reviewer
Depends on Azure/ARO-Tools#228. Downstream sdp-pipelines rollout packaging is https://dev.azure.com/msazure/AzureRedHatOpenShift/_git/sdp-pipelines/pullrequest/15393796.
Required merge order: ARO-Tools first, then this ARO-HCP PR with the ARO-Tools pin bump, then sdp-pipelines with the ARO-Tools/ARO-HCP pin bumps and
make -C hcp/ updaterun twice.The Kusto role-assignment rename fixes a name collision between ingest and viewer grants. After first deployment, old
grant-${guid(...)}Kusto role assignments may remain as harmless duplicates; ops can do a one-time cleanup if desired.