Add Grafana

2022-10-14 14:38:23 +03:00
parent 4686108f42
commit a27f273c0b
4 changed files with 173 additions and 2 deletions
--- a/argocd/applications/grafana.yml
+++ b/argocd/applications/grafana.yml
@@ -0,0 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: grafana
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: grafana
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: grafana
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -162,8 +162,8 @@ kubectl -n argocd create secret generic argocd-secret \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
-kubectl -n monitoring delete secret oidc-secret
+kubectl -n grafana delete secret oidc-secret
-kubectl -n monitoring create secret generic oidc-secret \
+kubectl -n grafana create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
--- a/grafana/README.md
+++ b/grafana/README.md
@@ -0,0 +1,19 @@
 # Grafana
 ```
 kubectl create namespace grafana
 kubectl apply -n grafana -f application.yml
 ```
 ## OIDC secret
 See Authelia README on provisioning and updating OIDC secrets for Grafana
 ## Grafana post deployment steps
 * Configure Prometheus datasource with URL set to
  `http://prometheus-operated.prometheus-operator.svc.cluster.local:9090`
 * Configure Elasticsearch datasource with URL set to
  `http://elasticsearch.elastic-system.svc.cluster.local`,
  Time field name set to `timestamp` and
  ElasticSearch version set to `7.10+`
--- a/grafana/application.yml
+++ b/grafana/application.yml
@@ -0,0 +1,135 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: grafana-config
 data:
  grafana.ini: |
    [log]
    level = warn
    [server]
    domain = grafana.k-space.ee
    root_url = https://%(domain)s/
    [auth.generic_oauth]
    name = OAuth
    icon = signin
    enabled = true
    client_id = grafana
    scopes = openid profile email groups
    empty_scopes = false
    auth_url = https://auth.k-space.ee/api/oidc/authorize
    token_url = https://auth.k-space.ee/api/oidc/token
    api_url = https://auth.k-space.ee/api/oidc/userinfo
    allow_sign_up = true
    role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  labels:
    app: grafana
  name: grafana
 spec:
  revisionHistoryLimit: 0
  serviceName: grafana
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472
      containers:
        - name: grafana
          image: grafana/grafana:8.5.0
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 472
          envFrom:
            - secretRef:
                name: oidc-secret
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-data
            - mountPath: /etc/grafana
              name: grafana-config
      volumes:
        - name: grafana-config
          configMap:
            name: grafana-config
  volumeClaimTemplates:
    - metadata:
        name: grafana-data
      spec:
        storageClassName: longhorn
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: grafana
 spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: grafana
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
 spec:
  rules:
  - host: grafana.k-space.ee
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: grafana
            port:
              number: 80
  tls:
  - hosts:
    - "*.k-space.ee"