Merge pull request #5894 from influxdata/jstirnaman/issue5869

fix(cloudv2): Doesn't support environment references in templates

Author: jstirnaman

Dockerfile.pytest

@@ -10,6 +10,15 @@ RUN echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influ
 
 RUN echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | tee /etc/apt/sources.list.d/influxdata.list
 
+# Vault is used for testing InfluxDB 2.0 Secrets
+# Fetch vault package information from HashiCorp repository
+ADD https://apt.releases.hashicorp.com/gpg /tmp/hashicorp.gpg
+RUN apt-get update && apt-get install -y lsb-release && \
+    cat /tmp/hashicorp.gpg | gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
+    tee /etc/apt/sources.list.d/hashicorp.list
+
+
 # Install depedencies for clients and tests.
 # - InfluxData clients to use in tests.
 # - apt-utils for verification tools
@@ -32,6 +41,7 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
   python3-venv \
   rsync \
   telegraf \
+  vault \
   wget \
   yq
 
@@ -55,6 +65,7 @@ WORKDIR /app
 
 RUN mkdir -p /app/log && chmod +w /app/log
 RUN mkdir -p /app/assets && chmod +w /app/assets
+RUN mkdir -p /root/influxdb/templates && chmod +rw /root/influxdb/templates
 
 # Some Python test dependencies (pytest-dotenv and pytest-codeblocks) aren't
 # available as packages in apt-cache, so use pip to download dependencies in a # separate step and use Docker's caching.
@@ -78,6 +89,7 @@ RUN echo '#!/bin/bash' > /usr/local/bin/xdg-open \
     && chmod +x /usr/local/bin/xdg-open
 
 RUN service influxdb start
+RUN vault server -dev > ~/.vault-server-log 2>&1 &
 
 # Copy test scripts and make them executable.
 COPY --chmod=755 ./test/scripts/parse_yaml.sh /usr/local/bin/parse_yaml

api-docs/influxdb/cloud/v2/ref.yml

@@ -10564,13 +10564,12 @@ paths:
         template and generates the resource diff, but doesn’t make any
         changes to your instance.
 
+        **Important**: InfluxDB Cloud doesn't support all template features. We recommend using InfluxDB OSS v2 if you need full template support.
+
         #### Custom values for templates
 
-        - Some templates may contain [environment references](/influxdb/cloud/influxdb-templates/create/#include-user-definable-resource-names) for custom metadata.
-          To provide custom values for environment references, pass the _`envRefs`_
-          property in the request body.
-          For more information and examples, see how to
-          [define environment references](/influxdb/cloud/influxdb-templates/use/#define-environment-references).
+        - **Not supported**: InfluxDB Cloud doesn't
+        support environment reference substitution in templates. Variable names you define in templates aren't replaced by user-defined values.
 
         - Some templates may contain queries that use
           [secrets](/influxdb/cloud/security/secrets/).
@@ -10782,67 +10781,6 @@ paths:
                   ]
                 }
             EOF
-        - label: 'cURL: Apply template objects with environment references'
-          lang: Shell
-          source: |
-            curl --request POST "http://localhost:8086/api/v2/templates/apply" \
-              --header "Authorization: Token INFLUX_API_TOKEN" \
-              --data @- << EOF
-              { "orgID": "INFLUX_ORG_ID",
-                "envRefs": {
-                  "linux-cpu-label": "MY_CPU_LABEL",
-                  "docker-bucket": "MY_DOCKER_BUCKET",
-                  "docker-spec-1": "MY_DOCKER_SPEC"
-                },
-                "templates": [
-                  { "contents": [{
-                      "apiVersion": "influxdata.com/v2alpha1",
-                      "kind": "Label",
-                      "metadata": {
-                        "name": {
-                          "envRef": {
-                            "key": "linux-cpu-label"
-                          }
-                        }
-                      },
-                      "spec": {
-                        "color": "#326BBA",
-                        "name": "inputs.cpu"
-                      }
-                    }]
-                  },
-                  "templates": [
-                    { "contents": [{
-                        "apiVersion": "influxdata.com/v2alpha1",
-                        "kind": "Label",
-                        "metadata": {
-                          "name": {
-                            "envRef": {
-                              "key": "linux-cpu-label"
-                            }
-                          }
-                        },
-                        "spec": {
-                          "color": "#326BBA",
-                          "name": "inputs.cpu"
-                        }
-                      }]
-                    },
-                    { "contents": [{
-                        "apiVersion": "influxdata.com/v2alpha1",
-                        "kind": "Bucket",
-                        "metadata": {
-                          "name": {
-                            "envRef": {
-                              "key": "docker-bucket"
-                            }
-                          }
-                        }
-                      }]
-                    }
-                  ]
-                }
-            EOF
   /api/v2/templates/export:
     post:
       operationId: ExportTemplate
@@ -17707,26 +17645,10 @@ components:
               - type: number
               - type: boolean
           description: |
-            An object with key-value pairs that map to **environment references** in templates.
+            - **Not supported**: InfluxDB Cloud doesn't
+            support environment reference substitution in templates. Variable names you define in templates aren't replaced by user-defined values.
 
-            Environment references in templates are `envRef` objects with an `envRef.key`
-            property.
-            To substitute a custom environment reference value when applying templates,
-            pass `envRefs` with the `envRef.key` and the value.
-
-            When you apply a template, InfluxDB replaces `envRef` objects in the template
-            with the values that you provide in the `envRefs` parameter.
-            For more examples, see how to [define environment references](/influxdb/cloud/influxdb-templates/use/#define-environment-references).
-
-            The following template fields may use environment references:
-
-              - `metadata.name`
-              - `spec.endpointName`
-              - `spec.associations.name`
-
-            For more information about including environment references in template fields, see how to
-            [include user-definable resource names](/influxdb/cloud/influxdb-templates/create/#include-user-definable-resource-names).
-          type: object
+            **Important**: InfluxDB Cloud doesn't support all template features. We recommend using InfluxDB OSS v2 if you need full template support.
         orgID:
           description: |
             Organization ID.

content/influxdb/cloud/tools/influxdb-templates/create.md

@@ -67,7 +67,7 @@ influx export all --org <INFLUX_ORG> --file <FILE_PATH> --token <INFLUX_TOKEN>
 # Example
 influx export all \
   --org $INFLUX_ORG \
-  --file /path/to/TEMPLATE_FILE.yml \
+  --file /path/to/templates/TEMPLATE_FILE.yml \
   --token $INFLUX_TOKEN
 ```
 
@@ -85,10 +85,10 @@ and
 (labelName == "Example1" or labelName == "Example2")
 ```
 
-```sh
+```bash
 influx export all \
   --org $INFLUX_ORG \
-  --file /path/to/TEMPLATE_FILE.yml \
+  --file /path/to/templates/TEMPLATE_FILE.yml \
   --token $INFLUX_TOKEN \
   --filter=resourceKind=Bucket \
   --filter=resourceKind=Dashboard \
@@ -128,7 +128,7 @@ influx export --file <FILE_PATH> --token <INFLUX_TOKEN> [resource-flags]
 ```bash
 # Example
 influx export \
-  --file /path/to/TEMPLATE_FILE.yml \
+  --file /path/to/templates/TEMPLATE_FILE.yml \
   --token $INFLUX_TOKEN \
   --buckets=00x000ooo0xx0xx,o0xx0xx00x000oo \
   --dashboards=00000xX0x0X00x000 \
@@ -165,119 +165,17 @@ influx export stack \
 # Example
 influx export stack \
   -t $INFLUX_TOKEN \
-  -f /path/to/TEMPLATE_FILE.yml \
+  -f /path/to/templates/TEMPLATE_FILE.yml \
   05dbb791a4324000
 ```
 
 ## Include user-definable resource names
-After exporting a template manifest, replace resource names with **environment references**
-to let users customize resource names when installing your template.
-
-1.  [Export a template](#export-a-template)
-2.  Select any of the following resource fields to update:
-
-    - `metadata.name`
-    - `associations[].name`
-    - `endpointName` _(unique to `NotificationRule` resources)_
-
-3.  Replace the resource field value with an `envRef` object with a `key` property
-    that reference the key of a key-value pair the user provides when installing the template.
-    During installation, the `envRef` object is replaced by the value of the
-    referenced key-value pair.
-    If the user does not provide the environment reference key-value pair, InfluxDB
-    uses the `key` string as the default value.
-
-    {{< code-tabs-wrapper >}}
-    {{% code-tabs %}}
-[YAML](#)
-[JSON](#)
-  {{% /code-tabs %}}
-  {{% code-tab-content %}}
-```yml
-apiVersion: influxdata.com/v2alpha1
-kind: Bucket
-metadata:
-  name:
-    envRef:
-      key: bucket-name-1
-```
-  {{% /code-tab-content %}}
-  {{% code-tab-content %}}
-```json
-{
-  "apiVersion": "influxdata.com/v2alpha1",
-  "kind": "Bucket",
-  "metadata": {
-    "name": {
-      "envRef": {
-        "key": "bucket-name-1"
-      }
-    }
-  }
-}
-```
-  {{% /code-tab-content %}}
-  {{< /code-tabs-wrapper >}}
-
-Using the example above, users are prompted to provide a value for `bucket-name-1`
-when [applying the template](/influxdb/cloud/tools/influxdb-templates/use/#apply-templates).
-Users can also include the `--env-ref` flag with the appropriate key-value pair
-when installing the template.
 
-<!-- //REVIEW I can't get this to work with environment reference substitution
-  -- Skipping the test for now, but we should review it and fix it.
-  -->
-<!--pytest.mark.skip-->
-<!--test:setup
-```sh
-jq -n '{
-  apiVersion: "influxdata.com/v2alpha1",
-  kind: "Bucket",
-  metadata: {
-    name: {
-      envRef: {
-        key: "bucket-name-1"
-      }
-    }
-  }
-}' >  /path/to/TEMPLATE_FILE.json
-chmod +rx /path/to/TEMPLATE_FILE.json
-# View formatted JSON
-jq '.' /path/to/TEMPLATE_FILE.json
-```
--->
-
-For example, to set a custom bucket name when applying a template with an environment reference:
-
-<!--pytest-codeblocks:cont-->
-```sh
-# The template, edited to include an environment reference:
-# apiVersion: influxdata.com/v2alpha1
-# kind: Bucket
-# metadata:
-#   name:
-#     envRef: bucket-name-1
-
-# Apply template, set bucket-name-1 to "myBucket", and skip verification 
-influx apply \
-  --file /path/to/TEMPLATE_FILE.json \
-  --env-ref bucket-name-1=myBucket \
-  --force yes
-  --org $INFLUX_ORG
-  --token $INFLUX_TOKEN
-```
-
-_If sharing your template, we recommend documenting what environment references
-exist in the template and what keys to use to replace them._
-
-{{% note %}}
-#### Resource fields that support environment references
-Only the following fields support environment references:
-
-- `metadata.name`
-- `spec.endpointName`
-- `spec.associations.name`
-{{% /note %}}
+> [!Warning]
+>
+> #### Environment reference substitution not supported
+>  
+> This feature is not supported by InfluxDB Cloud.
 
 ## Share your InfluxDB templates
 Share your InfluxDB templates with the entire InfluxData community.

content/influxdb/v2/admin/secrets/use-vault.md

@@ -31,18 +31,18 @@ The following links provide information about running Vault in both development
 - [Start a Vault dev server](https://learn.hashicorp.com/vault/getting-started/dev-server)
 - [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy)
 
-{{% note %}}
-InfluxDB supports the [Vault KV Secrets Engine Version 2 API](https://www.vaultproject.io/api/secret/kv/kv-v2.html) only.
-When you create a secrets engine, enable the `kv-v2` version by running:
-
-```js
-vault secrets enable kv-v2
-```
-{{% /note %}}
+> [!Note]
+> InfluxDB supports the [Vault KV Secrets Engine Version 2 API](https://www.vaultproject.io/api/secret/kv/kv-v2.html) only.
+> When you create a secrets engine, enable the `kv-v2` version by running:
+>
+> ```js
+> vault secrets enable kv-v2
+> ```
 
 For this example, install Vault on your local machine and start a Vault dev server.
 
-```sh
+<!--pytest.mark.skip-->
+```bash
 vault server -dev
 ```
 
@@ -70,12 +70,23 @@ _Your Vault server configuration may require other Vault settings._
 ## Start InfluxDB
 
 Start the [`influxd` service](/influxdb/v2/reference/cli/influxd/) with the `--secret-store`
-option set to `vault` any other necessary flags.
+option set to `vault` and any other necessary flags--for example, enter the following
+command:
 
+<!--pytest.mark.skip-->
+<!--test:setup
+```bash
+service influxdb stop \
+&& service influxdb start --secret-store vault \
+  --vault-addr=http://127.0.0.1:8200 \
+  --vault-token=$VAULT_TOKEN 
+```
+-->
+<!--pytest.mark.skip-->
 ```bash
 influxd --secret-store vault \
   --vault-addr=http://127.0.0.1:8200 \
-  --vault-token=s.0X0XxXXx0xXxXXxxxXxXxX0x
+  --vault-token=$VAULT_TOKEN
 ```
 
 `influxd` includes the following Vault configuration options.
@@ -97,4 +108,4 @@ For more information, see [InfluxDB configuration options](/influxdb/v2/referenc
 ## Manage secrets through the InfluxDB API
 
 Use the InfluxDB `/org/{orgID}/secrets` API endpoint to add tokens to Vault.
-For details, see [Manage secrets](/influxdb/v2/admin/secrets/manage-secrets/).
+For details, see [Secrets](/influxdb/v2/admin/secrets/).