diff --git a/argocd/applications/grafana.yaml b/argocd/applications/grafana.yaml index 12ab0f3..dc64266 100644 --- a/argocd/applications/grafana.yaml +++ b/argocd/applications/grafana.yaml @@ -7,9 +7,10 @@ metadata: spec: project: k-space.ee source: - repoURL: 'git@git.k-space.ee:k-space/kube.git' - path: grafana + # also depends on git@git.k-space.ee:secretspace/kube.git + repoURL: git@git.k-space.ee:k-space/kube.git targetRevision: HEAD + path: grafana destination: server: 'https://kubernetes.default.svc' namespace: grafana @@ -17,4 +18,4 @@ spec: automated: prune: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/grafana/application.yml b/grafana/application.yml deleted file mode 100644 index 74e12bc..0000000 --- a/grafana/application.yml +++ /dev/null 
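Review bot: The new comment `# also depends on git@git.k-space.ee:secretspace/kube.git` records a dependency the Application spec itself cannot express — `source` still names a single repo — so it should say how that dependency is satisfied, e.g. `# secretspace/kube is fetched by kustomize as a remote resource at build time; the Argo CD repo-server needs SSH credentials (repo credential) and a known_hosts entry for git.k-space.ee or the sync fails`. Because that second repo is pulled at sync time, keeping `targetRevision: HEAD` means both the main repo and the remote base float; if reproducible syncs matter, pin a branch or tag here. The quote removal on `repoURL` and the `path`/`targetRevision` reorder are cosmetic. The `spec` mapping continues beyond this hunk.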
@@ -1,221 +0,0 @@ ---- -apiVersion: codemowers.cloud/v1beta1 -kind: OIDCClient -metadata: - name: grafana -spec: - displayName: Grafana - uri: https://grafana.k-space.ee/login/generic_oauth - redirectUris: - - https://grafana.k-space.ee/login/generic_oauth - allowedGroups: - - k-space:floor - grantTypes: - - authorization_code - - refresh_token - responseTypes: - - code - availableScopes: - - openid - - profile - - groups - tokenEndpointAuthMethod: none ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-datasources -data: - prometheus.yaml: | - apiVersion: 1 - prune: true - datasources: - - name: Prometheus - type: prometheus - orgId: 1 - url: http://prometheus-operated.monitoring.svc.cluster.local:9090 - version: 1 - editable: false ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-config -data: - grafana.ini: | - [log] - level = warn - [server] - domain = grafana.k-space.ee - root_url = https://%(domain)s/ - [auth] - oauth_allow_insecure_email_lookup=true - [auth.basic] - enabled = false - [auth.generic_oauth] - name = OAuth - icon = signin - enabled = true - scopes = openid profile groups - allow_sign_up = true - use_pkce = true - role_attribute_path = contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer - allow_assign_grafana_admin = true - [security] - disable_initial_admin_creation = true ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app: grafana - name: grafana -spec: - revisionHistoryLimit: 0 - serviceName: grafana - selector: - matchLabels: - app: grafana - template: - metadata: - labels: - app: grafana - spec: - securityContext: - fsGroup: 472 - containers: - - name: grafana - image: mirror.gcr.io/grafana/grafana:12.1.0 - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 472 - env: - - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - 
key: OIDC_IDP_URI - - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_CLIENT_ID - - name: GF_AUTH_GENERIC_OAUTH_SECRET - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_CLIENT_SECRET - - name: GF_AUTH_GENERIC_OAUTH_SCOPES - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_AVAILABLE_SCOPES - - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_IDP_AUTH_URI - - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_IDP_TOKEN_URI - - name: GF_AUTH_GENERIC_OAUTH_API_URL - valueFrom: - secretKeyRef: - name: oidc-client-grafana-owner-secrets - key: OIDC_IDP_USERINFO_URI - - name: GF_DATABASE_TYPE - value: mysql - - name: GF_DATABASE_HOST - value: 172.20.36.1:3306 - - name: GF_DATABASE_SSL_MODE - value: disable - - name: GF_DATABASE_NAME - value: kspace_grafana - - name: GF_DATABASE_USER - value: kspace_grafana - - name: GF_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: grafana-database - key: password - ports: - - containerPort: 3000 - name: http-grafana - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /robots.txt - port: 3000 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 2 - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: 3000 - timeoutSeconds: 1 - resources: - requests: - cpu: 250m - memory: 750Mi - volumeMounts: - - mountPath: /var/lib/grafana - name: grafana-data - - mountPath: /etc/grafana - name: grafana-config - - mountPath: /etc/grafana/provisioning/datasources - name: grafana-datasources - volumes: - - name: grafana-config - configMap: - name: grafana-config - - name: grafana-datasources - configMap: - name: grafana-datasources - 
- name: grafana-data - emptyDir: - sizeLimit: 500Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: grafana -spec: - ports: - - port: 80 - protocol: TCP - targetPort: http-grafana - selector: - app: grafana ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: grafana - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee -spec: - rules: - - host: grafana.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: grafana - port: - number: 80 - tls: - - hosts: - - "*.k-space.ee" diff --git a/grafana/kustomization.yaml b/grafana/kustomization.yaml new file mode 100644 index 0000000..5aed120 --- /dev/null +++ b/grafana/kustomization.yaml 
@@ -0,0 +1,71 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: grafana + +# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_ +helmCharts: +- includeCRDs: true + name: &name grafana + releaseName: *name + repo: https://grafana.github.io/helm-charts + valuesInline: # https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee + hosts: [grafana.k-space.ee] + tls: [hosts: ["*.k-space.ee"]] + persistence: + inMemory: + enabled: true + grafana.ini: + log: {level: warn} + server: + root_url: https://grafana.k-space.ee/ + security: + disable_initial_admin_creation: true + auth: + oauth_allow_insecure_email_lookup: true + auth.basic: + enabled: false + auth.generic_oauth: + enabled: true + auto_login: true + name: auth.k-space.ee + role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer + allow_assign_grafana_admin: true + client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID} + client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET} + scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES} + auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI} + token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI} + api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI} + signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI} + use_pkce: true + extraSecretMounts: + - name: oidc-client-grafana-owner-secrets + secretName: oidc-client-grafana-owner-secrets + mountPath: /etc/secrets/oidc-client-grafana-owner-secrets + 
defaultMode: 0440 + subPath: . + readOnly: true + envFromSecrets: + - name: grafana-database + datasources: + prometheus.yaml: + apiVersion: 1 + prune: true + datasources: + - name: Prometheus + type: prometheus + url: http://prometheus-prometheus-server + orgId: 1 + version: 1 + editable: false + version: v9.2.10 + +resources: +- ./passmower.yaml +- ssh://git@git.k-space.ee/secretspace/kube/grafana # secret: grafana-database diff --git a/grafana/passmower.yaml b/grafana/passmower.yaml new file mode 100644 index 0000000..929e66c --- /dev/null +++ b/grafana/passmower.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient +metadata: + name: grafana +spec: + displayName: Grafana + uri: https://grafana.k-space.ee/login/generic_oauth + redirectUris: + - https://grafana.k-space.ee/login/generic_oauth + allowedGroups: + - k-space:floor + grantTypes: + - authorization_code + - refresh_token + responseTypes: + - code + availableScopes: + - openid + - profile + - groups + tokenEndpointAuthMethod: none diff --git a/monitoring/README.md b/monitoring/README.md index 55ddb29..3644497 100644 --- a/monitoring/README.md +++ b/monitoring/README.md @@ -63,6 +63,6 @@ To wipe timeseries: ``` for replica in $(seq 0 2); do - kubectl exec -n monitoring prometheus-prometheus-$replica -- wget --post-data='match[]={__name__=~"mikrotik_.*"}' http://127.0.0.1:9090/api/v1/admin/tsdb/delete_series -O - + kubectl exec -n monitoring prometheus-prometheus-$replica -- wget --post-data='match[]={__name__=~"mktxp_.*"}' http://127.0.0.1:9090/api/v1/admin/tsdb/delete_series -O - done ```
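Review bot: The Prometheus datasource `url: http://prometheus-prometheus-server` is a bare service name, and with `namespace: grafana` at the top of this kustomization it resolves inside the grafana namespace, while the datasource being removed (`prometheus-operated.monitoring.svc.cluster.local:9090`) and the monitoring README both place Prometheus in `monitoring`; unless a Service of that name exists in grafana this should be namespace-qualified, e.g. `url: http://prometheus-prometheus-server.monitoring.svc.cluster.local`, with the Service name and port confirmed since the old URL targeted a different service on 9090. The remote resource `ssh://git@git.k-space.ee/secretspace/kube/grafana` carries no `?ref=`, so every sync pulls whatever the default branch holds; pinning it (`?ref=<commit-or-tag>`) keeps the secret manifests from changing underneath Argo CD, and the repo-server presumably needs SSH credentials and a known_hosts entry for that host for `kustomize build` to succeed at all. `subPath: .` on the `extraSecretMounts` entry makes the OIDC secret a subPath mount, which Kubernetes does not refresh in a running pod, so rotating `OIDC_CLIENT_SECRET` silently requires a pod restart; if there is no specific reason for it, dropping `subPath` yields a normal mount that updates in place. The deleted StatefulSet pinned `mirror.gcr.io/grafana/grafana:12.1.0` and set `readOnlyRootFilesystem: true` / `runAsNonRoot: true`, none of which appear in `valuesInline`; unless chart v9.2.10 defaults provide them, add `image: {tag: "12.1.0"}` and `containerSecurityContext: {readOnlyRootFilesystem: true, runAsNonRoot: true}` so the migration does not loosen the pod's hardening. `oauth_allow_insecure_email_lookup: true` is carried over unchanged; it lets Grafana attach an OAuth login to an existing account by e-mail alone, which is only safe if the IdP guarantees verified, unique e-mails — a one-line comment stating that assumption would help the next reader.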