diff --git a/clusters/cl01tl/monitoring/grafana/Chart.yaml b/clusters/cl01tl/monitoring/grafana/Chart.yaml
new file mode 100644
index 000000000..6f2e99e3c
--- /dev/null
+++ b/clusters/cl01tl/monitoring/grafana/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: grafana
+version: 1.0.0
+description: Grafana
+keywords:
+ - grafana
+ - dashboard
+ - metrics
+ - logs
+home: https://wiki.alexlebens.dev/doc/grafana-BFwY2bvVzt
+sources:
+ - https://github.com/grafana/grafana
+ - https://github.com/grafana/helm-charts/tree/main/charts/grafana
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: grafana
+ version: 8.10.1
+ repository: https://grafana.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/grafana.png
+appVersion: 11.4.0
diff --git a/clusters/cl01tl/monitoring/grafana/templates/external-secret.yaml b/clusters/cl01tl/monitoring/grafana/templates/external-secret.yaml
new file mode 100644
index 000000000..1a0d1f9b4
--- /dev/null
+++ b/clusters/cl01tl/monitoring/grafana/templates/external-secret.yaml
@@ -0,0 +1,121 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: grafana-auth-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: admin-user
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/grafana/auth
+ metadataPolicy: None
+ property: admin-user
+ - secretKey: admin-password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/grafana/auth
+ metadataPolicy: None
+ property: admin-password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: grafana-oauth-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/grafana
+ metadataPolicy: None
+ property: client
+ - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/grafana
+ metadataPolicy: None
+ property: secret
+
+# ---
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+# name: grafana-backup-secret
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: grafana-backup-secret
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# secretStoreRef:
+# kind: ClusterSecretStore
+# name: vault
+# target:
+# template:
+# mergePolicy: Merge
+# engineVersion: v2
+# data:
+# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/grafana/grafana"
+# data:
+# - secretKey: BUCKET_ENDPOINT
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: S3_BUCKET_ENDPOINT
+# - secretKey: RESTIC_PASSWORD
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: RESTIC_PASSWORD
+# - secretKey: AWS_DEFAULT_REGION
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: AWS_DEFAULT_REGION
+# - secretKey: AWS_ACCESS_KEY_ID
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: access_key
+# - secretKey: AWS_SECRET_ACCESS_KEY
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: secret_key
diff --git a/clusters/cl01tl/monitoring/grafana/templates/http-route.yaml b/clusters/cl01tl/monitoring/grafana/templates/http-route.yaml
new file mode 100644
index 000000000..db4e06f14
--- /dev/null
+++ b/clusters/cl01tl/monitoring/grafana/templates/http-route.yaml
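Review bot: Roughly half of this template is a commented-out `grafana-backup-secret` ExternalSecret, and templates/replication-source.yaml in the same commit is commented out in full, so it renders to nothing; commented template text is neither linted nor rendered and tends to drift from the CRD schema while it sits there. If the backup path is planned, gate both resources behind a values flag instead, e.g. `{{- if .Values.backup.enabled }}` … `{{- end }}`, so they stay live and can be switched on per cluster; otherwise drop them until they are needed. Neither live ExternalSecret sets `refreshInterval`, so the operator default applies; if the OIDC client secret is ever rotated in Vault, a short explicit interval on `grafana-oauth-secret` makes the rollover predictable.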
@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-route-grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: http-route-grafana
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ hostnames:
+ - grafana.alexlebens.net
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: grafana
+ port: 80
+ weight: 100
diff --git a/clusters/cl01tl/monitoring/grafana/templates/replication-source.yaml b/clusters/cl01tl/monitoring/grafana/templates/replication-source.yaml
new file mode 100644
index 000000000..04b72bd8a
--- /dev/null
+++ b/clusters/cl01tl/monitoring/grafana/templates/replication-source.yaml
@@ -0,0 +1,30 @@
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+# name: grafana-backup-source
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: grafana-backup-source
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# sourcePVC: grafana
+# trigger:
+# schedule: 0 0 */3 * *
+# restic:
+# pruneIntervalDays: 14
+# repository: grafana-backup-secret
+# retain:
+# hourly: 1
+# daily: 1
+# weekly: 1
+# monthly: 2
+# yearly: 4
+# moverSecurityContext:
+# runAsUser: 472
+# runAsGroup: 472
+# copyMethod: Snapshot
+# storageClassName: ceph-block
+# volumeSnapshotClassName: ceph-blockpool-snapshot
diff --git a/clusters/cl01tl/monitoring/grafana/values.yaml b/clusters/cl01tl/monitoring/grafana/values.yaml
new file mode 100644
index 000000000..6ab8c0544
--- /dev/null
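Review bot: The hostname `grafana.alexlebens.net` is hard-coded in `spec.hostnames` here and repeated as `server.domain` / `root_url` in values.yaml of the same commit, so a domain change has to be made in two files that nothing keeps in sync; a single values key referenced from both (for example `.Values.hostname`) would remove the duplication. The route attaches to `traefik-gateway` in the `traefik` namespace; a cross-namespace parentRef is only accepted if that Gateway's listener `allowedRoutes.namespaces` admits this release namespace, and a mismatch shows up only as an `Accepted: False` status condition rather than a render or apply error, so a one-line comment naming that prerequisite would help whoever copies this template next. The `backendRefs` entry stays in the release namespace, so no ReferenceGrant is needed on that side.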
+++ b/clusters/cl01tl/monitoring/grafana/values.yaml 
@@ -0,0 +1,144 @@
+grafana:
+ deploymentStrategy:
+ type: Recreate
+ createConfigmap: true
+ serviceMonitor:
+ enabled: true
+ ingress:
+ enabled: false
+ persistence:
+ enabled: true
+ storageClassName: ceph-block
+ admin:
+ existingSecret: grafana-auth-secret
+ userKey: admin-user
+ passwordKey: admin-password
+ envFromSecret: grafana-oauth-secret
+ plugins:
+ - grafana-clock-panel
+ - grafana-worldmap-panel
+ - grafana-lokiexplore-app
+ - isovalent-hubble-datasource
+ - marcusolsson-treemap-panel
+ - camptocamp-prometheus-alertmanager-datasource
+ datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ uid: prometheus
+ url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090/
+ access: proxy
+ isDefault: true
+ jsonData:
+ timeInterval: 30s
+ - name: Loki
+ type: loki
+ url: http://loki.loki:3100
+ jsonData:
+ httpHeaderName1: "X-Scope-OrgID"
+ secureJsonData:
+ httpHeaderValue1: "1"
+ dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: "app-gitea"
+ orgId: 1
+ folder: "Application"
+ type: file
+ disableDeletion: true
+ editable: false
+ options:
+ path: /var/lib/grafana/dashboards/app-gitea
+ - name: "srv-gitea"
+ orgId: 1
+ folder: "Service"
+ type: file
+ disableDeletion: true
+ editable: false
+ options:
+ path: /var/lib/grafana/dashboards/srv-gitea
+ - name: "sys-gitea"
+ orgId: 1
+ folder: "System"
+ type: file
+ disableDeletion: true
+ editable: false
+ options:
+ path: /var/lib/grafana/dashboards/sys-gitea
+ dashboards:
+ app-gitea:
+ immich:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/immich.json
+ radarr:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/radarr.json
+ sonarr:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/sonarr.json
+ srv-gitea:
+ alertmanager:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/alertmanager.json
+ argocd:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/argocd.json
+ authentik:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/authentik.json
+ blocky:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/blocky.json
+ cert-manager:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cert-manager.json
+ cloudnativepg:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cloudnativepg.json
+ coredns:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/coredns.json
+ descheduler:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/descheduler.json
+ minio:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/minio.json
+ speedtest-exporter:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/speedtest-exporter.json
+ spegel:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/spegel.json
+ traefik:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json
+ trivy:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/trivy.json
+ unpoller:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/unpoller.json
+ vault:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/vault.json
+ volsync:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/volsync.json
+ sys-gitea:
+ ceph:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/ceph.json
+ etcd:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/etcd.json
+ loki:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/loki.json
+ node-full:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-full.json
+ node-short:
+ url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-short.json
+ grafana.ini:
+ analytics:
+ check_for_updates: false
+ server:
+ domain: alexlebens.net
+ root_url: https://grafana.alexlebens.net
+ users:
+ auto_assign_org: true
+ auto_assign_org_id: 1
+ auth:
+ disable_login_form: true
+ oauth_auto_login: true
+ signout_redirect_url: https://authentik.alexlebens.net/application/o/grafana/end-session/
+ auth.generic_oauth:
+ enabled: true
+ name: Authentik
+ allow_sign_up: true
+ scopes: openid profile email
+ auth_url: https://authentik.alexlebens.net/application/o/authorize/
+ token_url: https://authentik.alexlebens.net/application/o/token/
+ api_url: https://authentik.alexlebens.net/application/o/userinfo/
+ role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
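Review bot: The `auth.generic_oauth` block never turns on PKCE, and `oauth_auto_login` under `auth` is the deprecated spelling of the per-provider `auto_login`; Authentik's OIDC provider supports the authorization-code flow with PKCE, so add `use_pkce: true` under `auth.generic_oauth` and replace the `auth` entry with `auto_login: true` in that same section. `allow_sign_up: true` together with `auto_assign_org: true` gives every Authentik identity that completes the OIDC flow a Viewer account in org 1; if only specific groups should get in at all, add `allowed_groups` rather than relying on `role_attribute_path`, which only picks a role for users who are already admitted. The dashboards are fetched from the mutable `main` branch of the Gitea repo over plain HTTP inside the cluster, so what gets provisioned depends on the branch head at install time; pinning the URLs to a tag or commit would make the result reproducible. The Loki tenant header value is correctly kept in `secureJsonData` rather than `jsonData`, which is worth preserving if more headers are added.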