diff --git a/cluster/apps/monitoring/grafana/helm-release.yaml b/cluster/apps/monitoring/grafana/helm-release.yaml
new file mode 100644
index 0000000..3a9daea
--- /dev/null
+++ b/cluster/apps/monitoring/grafana/helm-release.yaml
@@ -0,0 +1,87 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: grafana
+ namespace: monitoring
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: grafana
+ version: "6.60.1"
+ sourceRef:
+ kind: HelmRepository
+ name: grafana-charts
+ namespace: flux-system
+
+ values:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - &grafana-host grafana.${SECRET_NEW_DOMAIN}
+ path: "/"
+ tls:
+ - hosts:
+ - *grafana-host
+ secretName: wildcard-main-tls
+
+ grafana.ini:
+ server:
+ root_url: https://grafana.${SECRET_NEW_DOMAIN}/
+
+ auth:
+ disable_login_form: true
+ oauth_auto_login: true
+
+ auth.generic_oauth:
+ enabled: true
+ allow_sign_up: true # creates new users after authentik login
+ auto_login: true
+ name: Authentik
+ client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
+ client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
+ scopes: openid profile email offline_access
+ auth_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/authorize/
+ token_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/token/
+ api_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/userinfo/
+ use_pkce: true
+ use_refresh_token: true
+
+ # Provide oauth creds
+ extraSecretMounts:
+ - name: grafana-secrets-mount
+ secretName: grafana-secrets
+ defaultMode: 0440
+ mountPath: /etc/secrets/auth_generic_oauth
+ readOnly: true
+
+ # Add Victoria Metrics as the default datasource
+ datasources:
+ victoria.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Victoria
+ type: prometheus
+ editable: false
+ url: http://victoria-metrics-server.monitoring.svc:8428
+ isDefault: true
+
+# datasources:
+# - name: Victoria
+# uid: victoria-metrics-server
+# type: prometheus
+# jsonData:
+# tlsSkipVerify: "true"
+# editable: false"
+# url: http://victoria-metrics-server.monitoring.svc:8428
+# version: "1"
+# isDefault: "true"
+
+ sidecar:
+ dashboards:
+ enabled: true
+ label: grafana_dashboard
+ labelValue: "1"
\ No newline at end of file
diff --git a/cluster/apps/monitoring/grafana/helm-repository.yaml b/cluster/apps/monitoring/grafana/helm-repository.yaml
new file mode 100644
index 0000000..8086787
--- /dev/null
+++ b/cluster/apps/monitoring/grafana/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: grafana-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://grafana.github.io/helm-charts
\ No newline at end of file
diff --git a/cluster/apps/monitoring/grafana/kustomization.yaml b/cluster/apps/monitoring/grafana/kustomization.yaml
new file mode 100644
index 0000000..7414970
--- /dev/null
+++ b/cluster/apps/monitoring/grafana/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./secret.sops.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/monitoring/grafana/secret.sops.yaml b/cluster/apps/monitoring/grafana/secret.sops.yaml
new file mode 100644
index 0000000..80a15c1
--- /dev/null
+++ b/cluster/apps/monitoring/grafana/secret.sops.yaml
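Review bot: `auth.generic_oauth` combines `allow_sign_up: true` with no `role_attribute_path`, `role_attribute_strict` or `allowed_groups`, so any identity that can complete the Authentik flow is auto-provisioned as a Grafana user at the default org role; unless Authentik itself already restricts who may reach this application, add a group-to-role mapping such as `role_attribute_path: contains(groups[*], 'EXAMPLE_ADMIN_GROUP') && 'Admin' || 'Viewer'` (constructed example; assumes Authentik emits a `groups` claim — confirm) together with `role_attribute_strict: true`. The replacement datasource under `datasources.victoria.yaml` no longer carries the `uid: victoria-metrics-server` that the removed kube-prometheus-stack definition had, so any dashboards that reference the datasource by uid will presumably need updating. The commented-out `# datasources:` block (including the stray `editable: false"`) is dead config and should be deleted rather than shipped.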
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana-secrets
+ namespace: monitoring
+stringData:
+ client_id: ENC[AES256_GCM,data:9nDR+Mx3xCDEe/3n2pdfWWihTLPj4/TqoaqbM7+uBzqAlu2oPeEF8A==,iv:xh+GOONaVbExUdJCna0HpmUvBvV1TcV5BizUaVy7Jfs=,tag:N/jkW7ZCiiei6M7Bbv5j4g==,type:str]
+ client_secret: ENC[AES256_GCM,data:v6DMkzI+wD/7lQh8fR+GZl0l1cGKxQ3jy++H1U92U9JGA9uHYf7c1pgCZAb26eaUVou90oeTsh5pc98tbUnwsnq8WWYskKsfEy8W32dZSIm3VRs7uKAyOcRT6Ink2UXlH6wvMkTobqUEt/Quwlr5YIDmeGviEVQUuBk2JwYQE/E=,iv:AiYcuKy6MXsYGSa/S0Fdu+8Zxof4vKZAhxYB/pVFigM=,tag:eya2Xj5Q2YLHOASZN/2gyQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-10-01T23:25:40Z"
+ mac: ENC[AES256_GCM,data:LqK/sMdQpT+EJQyJIAJe9GpSefMAdDO57RDOoikLAvhA/CZxtlIFfKQ9D0v+P1T6nogCybhgc2CqvtXF2pLSLdjej9V17wmBZGn/kA3vO3GKmUoJSmKUHSf/CbUcJNE92f+6HUOTI1yWrdZNqLJdDk9FrVUhOiLKGocx2V6PCEk=,iv:YP3z8US1CfGeZliCDfQAIEiGCDz5TxRvYNxLMOdTSB4=,tag:TdNFISNgjNSVHy1EDKOwtQ==,type:str]
+ pgp:
+ - created_at: "2023-10-01T23:25:40Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzKleRwoSoixAQ//bkp2YBFG0TAICxbXBaPhOD5CBdhCUqGcBTVH+qWZnKY7
+ ftsTk4Y1g/2aUC+0fL7GbKgGAU3SNXiq9wYaNziihP0o7pQpDIipOXblEyB/VaR0
+ duBGSVL1dPj7ZTLDyGDnfXlyEFgpv5u/Ss9q4S6pmnEVNThtaBO6GCOs16TfYz9b
+ cW/y0eGWSm7rLzL51nklgg2pddOzCqdiylK4R5L2ngoke9M22TkzsojENM92/c8w
+ trvsvG92fJ+0XX/rVyI4LavJV6wT9vaLX+jJs8ysTHSpel6H7wr/7UXHtPRH7SU+
+ AUgLjxBujI7MQjtBwR57R4KzhD7k5+6coFo9E/oJHafx1RrgEPBoRFB2V8btuNZs
+ 8H0lxPdOFNmC6bfQ8E7/Cwv+TbQMiW4T7M0W665pwXBlMBfG4xoeVvGVB409SpwP
+ Lr1aNYWuk8NS0riwU8jUerX+YCXVK5kGBEhvZXlotwoJsgo/CdA/wPaDRVxBuH9m
+ qnBKr7Er0dbQjEsPk36/fMOVRa8LPjcU2550zsUwpk9/7IIWo+zjV3Urav2fSmGX
+ njYhy90NlIT+kkC6eLU8tIqCekYTjSOoyqRJbeivLszQsj8lT3xF4hW5JyTZ+g4Y
+ 8V8Uao5cQNl+JVBzfZpzzrZDXyaDdiUt7TFtRg0h7aSMx17V993F2KNsQa5fDKnS
+ XgGEAMUZ69PL1HWVMxhwfmjfZkY8tDyvBT6Wtm6zUWybOlJsurZiFserW4o4LHNQ
+ 1zPrZYdFMHkq7fIJn5PJrCH7Yx/DahRyb3h/VxiZlgpl594nf73ekr4e2bhi+98=
+ =CcmB
+ -----END PGP MESSAGE-----
+ fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+ - created_at: "2023-10-01T23:25:40Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAy5t8IMoPu4VAQ/+NNma0ciWbimhjGxVRyPpnmnvaV6cowm+5k+29LOp4EyG
+ BZVm0pS1uIuQBls5BAdqi0cNbWyF6rQPE1r26Q1/jx4XS1M+LAadoufC4OcIDpOK
+ p8/UqVdAeMrS0Xn+kUvEdbKVAwGRBVRnd067+3QAY6jYcCy6iWLRCdwI3kOu1B69
+ ZcfUJ+BJcXomqrSKa9H+iOUqcaxZUvGDpa+MBGfgY8Gdxtz0idW282P3hMrPZ+pP
+ Y63/Eik6Uf4DmyQQbI6gsnERL2jtCDSoAfyYkqpAg9R2EWLjf50G7I9r2YHXb+c1
+ FrNSCmGFuYPwW6WMXLayi1hdw18ySYliYA92dMhq84bCx78K/9RPByTVuh7YVu3J
+ QEThL8nPAEqVVyW0qht5NA6NTcN6XbiDd/CvUXPgMSJ/xE9QKInvQ249g8lBD+Pb
+ kcBieDr/jzUd6lDmy+CgNKcNQetyczkC9XeFKJJEiDcNn5al7iuYGI2LqNzxJmEY
+ NOBornabsW6E7psEFK0wxyo6ePYqsBSPtwYXvyvF/jO3DJvHCXrdG86BvnqR19im
+ T2UiUB984MSYSic3y4+8zNPkOFlzwmew2Q5cyRsY/UuKqmTKeMcYvKl9CKCMS44p
+ enrWB3vIEfCmQluwIn30kyX7F7hGgHl2QkhwIcsFHYQavwwXqhHsPVULNqbb7WjS
+ XgGKHjVfDDhoMzZDYEqiJX5sAEWy1qyP7tJinnBfK1RN8pEF5nKAQr7hJLDil5O5
+ rUzQzJIVeVzB7WIGR6jMY68tHkonV/D6YwgqdXsnAjwY2hKz4JOrFgGx5CDtQ0E=
+ =WHrr
+ -----END PGP MESSAGE-----
+ fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.0
diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
index f15b122..7995dc8 100644
--- a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
+++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
@@ -38,35 +38,7 @@ spec:
 name: alertmanager-config
 
 grafana:
- ingress:
- enabled: true
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- hosts:
- - &grafana-host grafana.${SECRET_NEW_DOMAIN}
- path: "/"
- tls:
- - hosts:
- - *grafana-host
- secretName: wildcard-main-tls
-
- sidecar:
- datasources:
- defaultDatasourceEnabled: false
- isDefaultDatasource: false
-
- # Add Victoria Metrics as the default datasource
- additionalDataSources:
- - name: Victoria
- uid: victoria-metrics-server
- type: prometheus
- jsonData:
- tlsSkipVerify: true
- editable: false
- url: http://victoria-metrics-server.monitoring.svc:8428
- version: 1
- isDefault: true
+ enabled: false
 
 prometheus:
 ingress:
diff --git a/cluster/apps/monitoring/kustomization.yaml b/cluster/apps/monitoring/kustomization.yaml
index 119d034..7464cad 100644
--- a/cluster/apps/monitoring/kustomization.yaml
+++ b/cluster/apps/monitoring/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - ./namespace.yaml
 - ./network_policy.yaml
 - ./kube-prometheus-stack
+- ./grafana
 - ./zfs-exporter
 - ./alertmanager-gotify-bridge
 - ./victoria-metrics
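Review bot: Setting `grafana.enabled: false` presumably also stops kube-prometheus-stack from rendering its bundled dashboard ConfigMaps, which the chart gates on Grafana being enabled unless `grafana.forceDeployDashboards: true` is set, so the standalone Grafana's dashboard sidecar added in the grafana helm-release hunk may find nothing labelled `grafana_dashboard` to load; confirm against the chart version pinned in this release and, if the stack's dashboards are still wanted, add `forceDeployDashboards: true` next to `enabled: false`. The removed block was also the only place `tlsSkipVerify: true` was set; the new in-cluster datasource uses a plain-http service URL, so dropping it is fine. The enclosing `spec.values` mapping starts before this hunk.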