feat(grafana): add configmaps #2757
--- kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana HelmRelease: observability/grafana
+++ kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana HelmRelease: observability/grafana
@@ -1,11 +1,13 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
labels:
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/name: grafana
kustomize.toolkit.fluxcd.io/name: apps-grafana
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: grafana
namespace: observability
spec:
chart:
@@ -23,128 +25,71 @@
interval: 30m
timeout: 20m
upgrade:
remediation:
retries: 3
values:
- adminPassword: ${SECRET_GRAFANA_PASSWORD}
- alerting:
- contactpoints.yaml:
- secret:
- apiVersion: 1
- contactPoints:
- - name: alertmanager-notifications
- orgId: 1
- receivers:
- - settings:
- send_resolved: true
- url: $TEST_URL
- type: prometheus-alertmanager
- uid: test
- dashboardProviders:
- dashboardproviders.yaml:
- apiVersion: 1
- providers:
- - disableDeletion: false
- editable: true
- folder: ''
- name: default
- options:
- path: /var/lib/grafana/dashboards/default
- orgId: 1
- type: file
- - disableDeletion: false
- editable: true
- folder: Flux
- name: flux
- options:
- path: /var/lib/grafana/dashboards/flux
- orgId: 1
- type: file
+ admin:
+ existingSecret: grafana-admin
+ passwordKey: PASSWORD
+ userKey: USERNAME
+ createConfigmap: true
dashboards:
default:
Node Exporter for Prometheus Dashboard:
datasource: Prometheus
gnetId: 11074
revision: 9
- blocky:
- datasource: Prometheus
- gnetId: 13768
- revision: 3
- datasources:
- datasources.yaml:
- apiVersion: 1
- datasources:
- - access: proxy
- isDefault: true
- name: Prometheus
- type: prometheus
- url: http://prometheus-prometheus:9090/
- - access: proxy
- name: Loki
- type: loki
- url: http://loki-gateway
- - jsonData:
- owner: tyriis
- repository: home-ops
- name: GitHub
- secureJsonData:
- accessToken: ${SECRET_GH_PAT}
- type: grafana-github-datasource
- deleteDatasources:
- - name: Loki
- orgId: 1
- - name: Prometheus
- orgId: 1
- - name: GitHub
- orgId: 1
env:
- GF_DATE_FORMATS_USE_BROWSER_LOCALE: 'true'
- GF_EXPLORE_ENABLED: 'true'
- GF_PANELS_DISABLE_SANITIZE_HTML: 'true'
TZ: ${SETTING_TZ}
- VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000
envFromSecrets:
- name: grafana-env
- grafana.ini:
- auth.google:
- allow_sign_up: true
- allowed_domains: ${SECRET_DOMAIN}
- auth_url: https://accounts.google.com/o/oauth2/auth
- enabled: true
- scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
- token_url: https://accounts.google.com/o/oauth2/token
- server:
- root_url: https://grafana.${SECRET_DOMAIN}
- users:
- auto_assign_org_role: Admin
+ extraConfigmapMounts:
+ - configMap: grafana-contactpoints
+ mountPath: /etc/grafana/alerting/
+ name: grafana-contactpoints
+ readOnly: true
+ subPath: contactpoints.yaml
+ - configMap: grafana-datasources
+ mountPath: /etc/grafana/datasources/
+ name: grafana-datasources
+ readOnly: true
+ subPath: datasources.yaml
+ - configMap: grafana-ini
+ mountPath: /etc/grafana/
+ name: grafana-ini
+ readOnly: true
+ subPath: grafana.ini
+ - configMap: grafana-policies
+ mountPath: /etc/grafana/alerting/
+ name: grafana-policies
+ readOnly: true
+ subPath: policies.yaml
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
external-dns.alpha.kubernetes.io/target: ${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
hajimari.io/enable: 'true'
hajimari.io/icon: simple-icons:grafana
traefik.ingress.kubernetes.io/router.entrypoints: websecure
enabled: true
hosts:
- - grafana.${SECRET_DOMAIN}
+ - grafana.techtales.io
ingressClassName: traefik
path: /
tls:
- hosts:
- - grafana.${SECRET_DOMAIN}
+ - grafana.techtales.io
secretName: grafana-cert
persistence:
enabled: false
plugins:
- grafana-piechart-panel
- grafana-worldmap-panel
- grafana-clock-panel
- grafana-github-datasource
- rbac:
- pspEnabled: false
replicas: 1
serviceAccount:
autoMount: true
create: true
serviceMonitor:
enabled: true
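Review bot: The `extraConfigmapMounts` entries added under `values:` combine `subPath` with a directory-style `mountPath`, and `grafana-contactpoints` and `grafana-policies` both declare `mountPath: /etc/grafana/alerting/`; Kubernetes rejects duplicate mount paths within a container, and the rendered Deployment further down this page carries that duplicate, so the pod is unlikely to be admitted at all. Even with unique paths, Grafana only loads provisioning files from below `paths.provisioning` (`/etc/grafana/provisioning`, set both in the new grafana.ini and via `GF_PATHS_PROVISIONING` in the rendered Deployment), so `/etc/grafana/datasources/` and `/etc/grafana/alerting/` would never be read — the removed values mounted these files at `/etc/grafana/provisioning/datasources/datasources.yaml` and `/etc/grafana/provisioning/alerting/contactpoints.yaml`, and with `subPath` the `mountPath` has to be that full file path. The `grafana-ini` mount at `/etc/grafana/` also collides with the chart's own `config` mount at `/etc/grafana/grafana.ini`, which the rendered Deployment still shows; because the chart-generated ini no longer carries `[auth.google]`, `[server] root_url` or `[users]`, a mount that does not take effect would break Google login rather than fail open, while datasource and alerting provisioning would silently not happen. I would keep the ini in the chart's `grafana.ini` value or, if the chart lets its `config` volume point at a user-managed ConfigMap (the `createConfigmap` flag added here hints at that — confirm against the chart version in use), point it at `grafana-ini`, and correct the three provisioning mounts as below.
```yaml
extraConfigmapMounts:
  - configMap: grafana-contactpoints
    mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
    name: grafana-contactpoints
    readOnly: true
    subPath: contactpoints.yaml
  - configMap: grafana-datasources
    mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
    name: grafana-datasources
    readOnly: true
    subPath: datasources.yaml
  # … grafana-ini: supply via the chart's grafana.ini value or its config ConfigMap, not a second mount under /etc/grafana/ …
  - configMap: grafana-policies
    mountPath: /etc/grafana/provisioning/alerting/policies.yaml
    name: grafana-policies
    readOnly: true
    subPath: policies.yaml
```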
--- kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-contactpoints
+++ kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-contactpoints
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+data:
+ contactpoints.yaml: |
+ ---
+ # https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-contact-points
+ apiVersion: 1
+ contactPoints:
+ - orgId: 1
+ name: alertmanager-notifications
+ receivers:
+ - uid: cp1
+ type: prometheus-alertmanager
+ disableResolveMessage: false
+ settings:
+ url: http://prometheus-alertmanager.observability.svc.cluster.local:9093
+kind: ConfigMap
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ labels:
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/name: grafana
+ kustomize.toolkit.fluxcd.io/name: apps-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-contactpoints
+ namespace: observability
+
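Review bot: This contact point moves from the chart-managed `grafana-config-secret` (the `config-secret` volume removed in the rendered Deployment further down) into a plain ConfigMap. That is acceptable while the only setting is an in-cluster Alertmanager URL with no credential, but a ConfigMap is readable by anyone with `configmaps` read in `observability`, so any receiver that later needs a token, basic-auth or a webhook URL with an embedded secret must use Grafana's `$VAR` expansion from the `grafana-env` Secret instead of a literal. I would pin that down above `contactPoints:` with `# no credentials in this ConfigMap: secret settings must use $VAR expansion from the grafana-env Secret`. Note also that the file is only honoured if it ends up under `/etc/grafana/provisioning/alerting/`, which the HelmRelease mount above does not currently do.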
--- kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-datasources
+++ kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-datasources
@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+data:
+ datasources.yaml: |
+ ---
+ # https://grafana.com/docs/grafana/latest/datasources/
+ apiVersion: 1
+ # list of datasources that should be deleted from the database
+ deleteDatasources:
+ - name: Loki
+ orgId: 1
+ - name: Prometheus
+ orgId: 1
+ - name: GitHub
+ orgId: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ url: http://prometheus-prometheus:9090/
+ isDefault: true
+ - name: Loki
+ type: loki
+ access: proxy
+ url: http://loki-gateway:80/
+ - name: GitHub
+ type: grafana-github-datasource
+ jsonData:
+ owner: tyriis
+ repository: home-ops
+ secureJsonData:
+ accessToken: $GITHUB_PAT
+kind: ConfigMap
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ labels:
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/name: grafana
+ kustomize.toolkit.fluxcd.io/name: apps-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-datasources
+ namespace: observability
+
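Review bot: `accessToken: $GITHUB_PAT` depends on Grafana expanding environment variables in provisioning files at load time, so `GITHUB_PAT` must be a key in the `grafana-env` Secret that the HelmRelease injects through `envFromSecrets` — presumably it is, but nothing on this page shows it. The `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation is what makes this work: Flux leaves the `$GITHUB_PAT` token alone, which keeps the PAT out of the ConfigMap, whereas the previous chart-rendered ConfigMap further down this page carried the substituted `${SECRET_GH_PAT}` in clear. Keep that annotation on every ConfigMap holding a `$VAR` placeholder, and scope the PAT to read-only access on `tyriis/home-ops`, since anyone who can call Grafana's datasource API as Admin is still one step from it. I would document the contract above the entry: `# GITHUB_PAT is expanded by Grafana from the pod environment (grafana-env Secret); never substitute it here`.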
--- kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-ini
+++ kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-ini
@@ -0,0 +1,45 @@
+---
+apiVersion: v1
+data:
+ grafana.ini: |
+ ;https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
+ [analytics]
+ check_for_updates = false
+ [auth.google]
+ enabled = true
+ allow_sign_up = true
+ allowed_domains = techtales.io
+ auth_url = https://accounts.google.com/o/oauth2/auth
+ scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+ token_url = https://accounts.google.com/o/oauth2/token
+ [date_formats]
+ use_browser_locale = true
+ [explore]
+ enabled = true
+ [log]
+ mode = console
+ level = info
+ [panels]
+ disable_sanitize_html = true
+ [paths]
+ data = /var/lib/grafana/
+ logs = /var/log/grafana
+ plugins = /var/lib/grafana/plugins
+ provisioning = /etc/grafana/provisioning
+ [server]
+ domain = grafana.techtales.io
+ root_url = https://grafana.techtales.io
+ [users]
+ auto_assign_org_role = Admin
+kind: ConfigMap
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ labels:
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/name: grafana
+ kustomize.toolkit.fluxcd.io/name: apps-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-ini
+ namespace: observability
+
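Review bot: `allow_sign_up = true` for any Google account under `techtales.io`, combined with `auto_assign_org_role = Admin` and `disable_sanitize_html = true`, means every account in that domain becomes an org Admin who can save dashboards whose HTML/JS is rendered unsanitized for everyone else — the stored-XSS path Grafana's own documentation warns about for that panel setting. These values are carried over from the removed `GF_PANELS_DISABLE_SANITIZE_HTML` env var and `users` block rather than introduced here, but now that they sit in a dedicated file it is the moment to drop `disable_sanitize_html` unless a specific panel needs it and to lower `auto_assign_org_role` to `Viewer` (or `Editor`), promoting admins explicitly. Because this ConfigMap has substitution disabled and is not a Secret, the Google `client_id`/`client_secret` must keep coming from the `grafana-env` Secret (`GF_AUTH_GOOGLE_CLIENT_ID`/`GF_AUTH_GOOGLE_CLIENT_SECRET`), which I would state above `[auth.google]`: `; client_id/client_secret come from the grafana-env Secret via GF_AUTH_GOOGLE_* — never put them in this ConfigMap`. With `root_url` on https, `[security]` `cookie_secure = true` is also worth adding so the session cookie is never sent over plain HTTP.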
--- kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-policies
+++ kubernetes/talos-flux/apps/observability/grafana/app Kustomization: flux-system/apps-grafana ConfigMap: observability/grafana-policies
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+data:
+ policies.yaml: |
+ ---
+ # https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-notification-policies
+ apiVersion: 1
+ policies:
+ - orgId: 1
+ receiver: alertmanager-notifications
+ group_by:
+ - grafana_folder
+ - alertname
+ group_wait: 30s
+ group_interval: 5m
+ repeat_interval: 12h
+kind: ConfigMap
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ labels:
+ app.kubernetes.io/instance: grafana
+ app.kubernetes.io/name: grafana
+ kustomize.toolkit.fluxcd.io/name: apps-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-policies
+ namespace: observability
+ |
--- HelmRelease: observability/grafana ConfigMap: observability/grafana
+++ HelmRelease: observability/grafana ConfigMap: observability/grafana
@@ -10,84 +10,30 @@
app.kubernetes.io/managed-by: Helm
data:
plugins: grafana-piechart-panel,grafana-worldmap-panel,grafana-clock-panel,grafana-github-datasource
grafana.ini: |
[analytics]
check_for_updates = true
- [auth.google]
- allow_sign_up = true
- allowed_domains = ${SECRET_DOMAIN}
- auth_url = https://accounts.google.com/o/oauth2/auth
- enabled = true
- scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
- token_url = https://accounts.google.com/o/oauth2/token
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
- domain = grafana.${SECRET_DOMAIN}
- root_url = https://grafana.${SECRET_DOMAIN}
- [users]
- auto_assign_org_role = Admin
- datasources.yaml: |
- apiVersion: 1
- datasources:
- - access: proxy
- isDefault: true
- name: Prometheus
- type: prometheus
- url: http://prometheus-prometheus:9090/
- - access: proxy
- name: Loki
- type: loki
- url: http://loki-gateway
- - jsonData:
- owner: tyriis
- repository: home-ops
- name: GitHub
- secureJsonData:
- accessToken: ${SECRET_GH_PAT}
- type: grafana-github-datasource
- deleteDatasources:
- - name: Loki
- orgId: 1
- - name: Prometheus
- orgId: 1
- - name: GitHub
- orgId: 1
- dashboardproviders.yaml: |
- apiVersion: 1
- providers:
- - disableDeletion: false
- editable: true
- folder: ""
- name: default
- options:
- path: /var/lib/grafana/dashboards/default
- orgId: 1
- type: file
- - disableDeletion: false
- editable: true
- folder: Flux
- name: flux
- options:
- path: /var/lib/grafana/dashboards/flux
- orgId: 1
- type: file
- download_dashboards.sh: "#!/usr/bin/env sh\nset -euf\nmkdir -p /var/lib/grafana/dashboards/default\n\
- mkdir -p /var/lib/grafana/dashboards/flux\n\ncurl -skf \\\n--connect-timeout 60\
- \ \\\n--max-time 60 \\\n-H \"Accept: application/json\" \\\n-H \"Content-Type:\
- \ application/json;charset=UTF-8\" \\\n \"https://grafana.com/api/dashboards/11074/revisions/9/download\"\
- \ \\\n | sed '/-- .* --/! s/\"datasource\":.*,/\"datasource\": \"Prometheus\"\
- ,/g' \\\n> \"/var/lib/grafana/dashboards/default/Node Exporter for Prometheus\
- \ Dashboard.json\"\n \ncurl -skf \\\n--connect-timeout 60 \\\n--max-time 60 \\\
- \n-H \"Accept: application/json\" \\\n-H \"Content-Type: application/json;charset=UTF-8\"\
- \ \\\n \"https://grafana.com/api/dashboards/13768/revisions/3/download\" \\\n\
- \ | sed '/-- .* --/! s/\"datasource\":.*,/\"datasource\": \"Prometheus\",/g'\
- \ \\\n> \"/var/lib/grafana/dashboards/default/blocky.json\"\n"
+ domain = grafana.techtales.io
+ download_dashboards.sh: |
+ #!/usr/bin/env sh
+ set -euf
+ curl -skf \
+ --connect-timeout 60 \
+ --max-time 60 \
+ -H "Accept: application/json" \
+ -H "Content-Type: application/json;charset=UTF-8" \
+ "https://grafana.com/api/dashboards/11074/revisions/9/download" \
+ | sed '/-- .* --/! s/"datasource":.*,/"datasource": "Prometheus",/g' \
+ > "/var/lib/grafana/dashboards/default/Node Exporter for Prometheus Dashboard.json"
+
--- HelmRelease: observability/grafana Deployment: observability/grafana
+++ HelmRelease: observability/grafana Deployment: observability/grafana
@@ -22,13 +22,12 @@
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
checksum/dashboards-json-config: cd8290434cd2b1219fb3297f19533dfdb1071e2df8e84d0ed3f21afc46081238
checksum/sc-dashboard-provider-config: 593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c
- checksum/secret: 385abea46313993d8c36a07faff7897b4f5f75e1b5adec56f895c00cd2dc2c7e
kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
@@ -74,19 +73,19 @@
value: both
- name: NAMESPACE
value: ALL
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-user
+ name: grafana-admin
+ key: USERNAME
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-password
+ name: grafana-admin
+ key: PASSWORD
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/dashboards/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
@@ -112,19 +111,19 @@
value: both
- name: NAMESPACE
value: ALL
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-user
+ name: grafana-admin
+ key: USERNAME
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-password
+ name: grafana-admin
+ key: PASSWORD
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
@@ -147,23 +146,30 @@
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: config
mountPath: /etc/grafana/grafana.ini
subPath: grafana.ini
+ - name: grafana-contactpoints
+ mountPath: /etc/grafana/alerting/
+ subPath: contactpoints.yaml
+ readOnly: true
+ - name: grafana-datasources
+ mountPath: /etc/grafana/datasources/
+ subPath: datasources.yaml
+ readOnly: true
+ - name: grafana-ini
+ mountPath: /etc/grafana/
+ subPath: grafana.ini
+ readOnly: true
+ - name: grafana-policies
+ mountPath: /etc/grafana/alerting/
+ subPath: policies.yaml
+ readOnly: true
- name: storage
mountPath: /var/lib/grafana
- - name: config
- mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
- subPath: datasources.yaml
- - name: config-secret
- mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
- subPath: contactpoints.yaml
- - name: config
- mountPath: /etc/grafana/provisioning/dashboards/dashboardproviders.yaml
- subPath: dashboardproviders.yaml
- name: sc-dashboard-volume
mountPath: /tmp/dashboards
- name: sc-dashboard-provider
mountPath: /etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml
subPath: provider.yaml
- name: sc-datasources-volume
@@ -183,19 +189,19 @@
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-user
+ name: grafana-admin
+ key: USERNAME
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
- name: grafana
- key: admin-password
+ name: grafana-admin
+ key: PASSWORD
- name: GF_INSTALL_PLUGINS
valueFrom:
configMapKeyRef:
name: grafana
key: plugins
- name: GF_PATHS_DATA
@@ -203,22 +209,14 @@
- name: GF_PATHS_LOGS
value: /var/log/grafana
- name: GF_PATHS_PLUGINS
value: /var/lib/grafana/plugins
- name: GF_PATHS_PROVISIONING
value: /etc/grafana/provisioning
- - name: GF_DATE_FORMATS_USE_BROWSER_LOCALE
- value: 'true'
- - name: GF_EXPLORE_ENABLED
- value: 'true'
- - name: GF_PANELS_DISABLE_SANITIZE_HTML
- value: 'true'
- name: TZ
value: ${SETTING_TZ}
- - name: VAR_BLOCKY_URL
- value: http://blocky.networking.svc.cluster.local:4000
envFrom:
- secretRef:
name: grafana-env
optional: false
livenessProbe:
failureThreshold: 10
@@ -232,15 +230,24 @@
path: /api/health
port: 3000
volumes:
- name: config
configMap:
name: grafana
- - name: config-secret
- secret:
- secretName: grafana-config-secret
+ - name: grafana-contactpoints
+ configMap:
+ name: grafana-contactpoints
+ - name: grafana-datasources
+ configMap:
+ name: grafana-datasources
+ - name: grafana-ini
+ configMap:
+ name: grafana-ini
+ - name: grafana-policies
+ configMap:
+ name: grafana-policies
- name: dashboards-default
configMap:
name: grafana-dashboards-default
- name: storage
emptyDir: {}
- name: sc-dashboard-volume
--- HelmRelease: observability/grafana Ingress: observability/grafana
+++ HelmRelease: observability/grafana Ingress: observability/grafana
@@ -15,16 +15,16 @@
hajimari.io/icon: simple-icons:grafana
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
ingressClassName: traefik
tls:
- hosts:
- - grafana.${SECRET_DOMAIN}
+ - grafana.techtales.io
secretName: grafana-cert
rules:
- - host: grafana.${SECRET_DOMAIN}
+ - host: grafana.techtales.io
http:
paths:
- path: /
pathType: Prefix
backend:
service: |
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports MegaLinter is graciously provided by OX Security |
thanks @jazzlyn
No description provided.