kustomize grafana

This commit is contained in:
2025-07-24 09:20:14 +03:00
parent b6098f92b0
commit ca4de329f7
5 changed files with 98 additions and 225 deletions


@@ -7,9 +7,10 @@ metadata:
spec:
project: k-space.ee
source:
repoURL: 'git@git.k-space.ee:k-space/kube.git'
path: grafana
# also depends on git@git.k-space.ee:secretspace/kube.git
repoURL: git@git.k-space.ee:k-space/kube.git
targetRevision: HEAD
path: grafana
destination:
server: 'https://kubernetes.default.svc'
namespace: grafana


@@ -1,221 +0,0 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: grafana
spec:
displayName: Grafana
uri: https://grafana.k-space.ee/login/generic_oauth
redirectUris:
- https://grafana.k-space.ee/login/generic_oauth
allowedGroups:
- k-space:floor
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
- groups
tokenEndpointAuthMethod: none
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-datasources
data:
prometheus.yaml: |
apiVersion: 1
prune: true
datasources:
- name: Prometheus
type: prometheus
orgId: 1
url: http://prometheus-operated.monitoring.svc.cluster.local:9090
version: 1
editable: false
---
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-config
data:
grafana.ini: |
[log]
level = warn
[server]
domain = grafana.k-space.ee
root_url = https://%(domain)s/
[auth]
oauth_allow_insecure_email_lookup=true
[auth.basic]
enabled = false
[auth.generic_oauth]
name = OAuth
icon = signin
enabled = true
scopes = openid profile groups
allow_sign_up = true
use_pkce = true
role_attribute_path = contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
allow_assign_grafana_admin = true
[security]
disable_initial_admin_creation = true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app: grafana
name: grafana
spec:
revisionHistoryLimit: 0
serviceName: grafana
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
securityContext:
fsGroup: 472
containers:
- name: grafana
image: mirror.gcr.io/grafana/grafana:12.1.0
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 472
env:
- name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_IDP_URI
- name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_CLIENT_ID
- name: GF_AUTH_GENERIC_OAUTH_SECRET
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_CLIENT_SECRET
- name: GF_AUTH_GENERIC_OAUTH_SCOPES
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_AVAILABLE_SCOPES
- name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_IDP_AUTH_URI
- name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_IDP_TOKEN_URI
- name: GF_AUTH_GENERIC_OAUTH_API_URL
valueFrom:
secretKeyRef:
name: oidc-client-grafana-owner-secrets
key: OIDC_IDP_USERINFO_URI
- name: GF_DATABASE_TYPE
value: mysql
- name: GF_DATABASE_HOST
value: 172.20.36.1:3306
- name: GF_DATABASE_SSL_MODE
value: disable
- name: GF_DATABASE_NAME
value: kspace_grafana
- name: GF_DATABASE_USER
value: kspace_grafana
- name: GF_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-database
key: password
ports:
- containerPort: 3000
name: http-grafana
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /robots.txt
port: 3000
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: 3000
timeoutSeconds: 1
resources:
requests:
cpu: 250m
memory: 750Mi
volumeMounts:
- mountPath: /var/lib/grafana
name: grafana-data
- mountPath: /etc/grafana
name: grafana-config
- mountPath: /etc/grafana/provisioning/datasources
name: grafana-datasources
volumes:
- name: grafana-config
configMap:
name: grafana-config
- name: grafana-datasources
configMap:
name: grafana-datasources
- name: grafana-data
emptyDir:
sizeLimit: 500Mi
---
apiVersion: v1
kind: Service
metadata:
name: grafana
spec:
ports:
- port: 80
protocol: TCP
targetPort: http-grafana
selector:
app: grafana
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: grafana.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: grafana
port:
number: 80
tls:
- hosts:
- "*.k-space.ee"


@@ -0,0 +1,71 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: grafana
# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
helmCharts:
- includeCRDs: true
name: &name grafana
releaseName: *name
repo: https://grafana.github.io/helm-charts
valuesInline: # https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
hosts: [grafana.k-space.ee]
tls: [hosts: ["*.k-space.ee"]]
persistence:
inMemory:
enabled: true
grafana.ini:
log: {level: warn}
server:
root_url: https://grafana.k-space.ee/
security:
disable_initial_admin_creation: true
auth:
oauth_allow_insecure_email_lookup: true
auth.basic:
enabled: false
auth.generic_oauth:
enabled: true
auto_login: true
name: auth.k-space.ee
role_attribute_path: contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || Viewer
allow_assign_grafana_admin: true
client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
use_pkce: true
extraSecretMounts:
- name: oidc-client-grafana-owner-secrets
secretName: oidc-client-grafana-owner-secrets
mountPath: /etc/secrets/oidc-client-grafana-owner-secrets
defaultMode: 0440
subPath: .
readOnly: true
envFromSecrets:
- name: grafana-database
datasources:
prometheus.yaml:
apiVersion: 1
prune: true
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus-prometheus-server
orgId: 1
version: 1
editable: false
version: v9.2.10
resources:
- ./passmower.yaml
- ssh://git@git.k-space.ee/secretspace/kube/grafana # secret: grafana-database
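Review bot: `oauth_allow_insecure_email_lookup: true` under `auth:` is carried over into the inline values without any note on why it is required; Grafana documents this flag as weakening OAuth account linking (matching by e-mail instead of the provider's subject), so it deserves a why-comment such as `# needed for <reason>; lets OAuth logins match existing users by e-mail — review if the IdP allows unverified e-mail changes`. The datasource `url: http://prometheus-prometheus-server` has no namespace suffix, so with `namespace: grafana` it would presumably resolve inside the grafana namespace, whereas the removed manifest pointed at `prometheus-operated.monitoring.svc.cluster.local:9090` and the README hunk still uses `-n monitoring`; confirm the intended service and qualify the name if it lives in `monitoring`. `defaultMode: 0440` depends on the YAML loader treating the leading zero as octal (288); kustomize's parser does, but a comment `# 0440 octal = 288` makes the intent survive reformatting. Stylistically, `tls: [hosts: ["*.k-space.ee"]]` is a nested flow mapping-in-sequence that is easy to misread and would be clearer in block style.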

22
grafana/passmower.yaml Normal file

@@ -0,0 +1,22 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: grafana
spec:
displayName: Grafana
uri: https://grafana.k-space.ee/login/generic_oauth
redirectUris:
- https://grafana.k-space.ee/login/generic_oauth
allowedGroups:
- k-space:floor
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
- groups
tokenEndpointAuthMethod: none


@@ -63,6 +63,6 @@ To wipe timeseries:
```
for replica in $(seq 0 2); do
kubectl exec -n monitoring prometheus-prometheus-$replica -- wget --post-data='match[]={__name__=~"mikrotik_.*"}' http://127.0.0.1:9090/api/v1/admin/tsdb/delete_series -O -
kubectl exec -n monitoring prometheus-prometheus-$replica -- wget --post-data='match[]={__name__=~"mktxp_.*"}' http://127.0.0.1:9090/api/v1/admin/tsdb/delete_series -O -
done
```