diff --git a/kubernetes/apps/observability/grafana/app/externalsecret.yaml b/kubernetes/apps/observability/grafana/app/externalsecret.yaml index e31a8283..669952e0 100644 --- a/kubernetes/apps/observability/grafana/app/externalsecret.yaml +++ b/kubernetes/apps/observability/grafana/app/externalsecret.yaml @@ -3,30 +3,23 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: grafana + name: grafana-secrets + namespace: monitoring spec: secretStoreRef: kind: ClusterSecretStore name: onepassword-connect target: name: grafana-secret + creationPolicy: Owner template: engineVersion: v2 data: - GF_DATABASE_NAME: &dbName grafana - GF_DATABASE_HOST: postgres16-rw.database.svc.cluster.local:5432 - GF_DATABASE_USER: &dbUser "{{ .GRAFANA_POSTGRES_USER }}" - GF_DATABASE_PASSWORD: &dbPass "{{ .GRAFANA_POSTGRES_PASS }}" - GF_DATABASE_SSL_MODE: disable - GF_DATABASE_TYPE: postgres - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}" dataFrom: - extract: - key: grafana - - extract: - key: cloudnative-pg \ No newline at end of file + key: Authentik + rewrite: + - regexp: + source: "(.*)" + target: "authentik_$1" diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml new file mode 100644 index 00000000..e7c72946 --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
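Review bot: The new `namespace: monitoring` on the ExternalSecret pins the generated `grafana-secret` to that namespace, while the HelmRelease added in this commit carries no namespace and its `dependsOn` entries point at `observability`; if the Flux Kustomization applies the release anywhere other than `monitoring`, `envFromSecrets` cannot read a Secret from another namespace and the OAuth client secret will be absent at startup. Either drop the explicit namespace so both objects inherit the same target namespace, or pin both to the same value. The `dataFrom` extract of the whole `Authentik` item is acceptable because `template.data` limits the emitted keys to the single OAuth secret; a comment such as `# only GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is rendered; other item fields stay in template scope` would make that intent explicit. The document's first two lines sit outside the hunk.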
@@ -0,0 +1,412 @@ +--- +# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: grafana +spec: + interval: 30m + chart: + spec: + chart: grafana + version: 7.3.3 + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: kube-prometheus-stack + namespace: observability + - name: loki + namespace: observability + values: + replicas: 2 + env: + GF_DATE_FORMATS_USE_BROWSER_LOCALE: true + GF_EXPLORE_ENABLED: true + GF_FEATURE_TOGGLES_ENABLE: publicDashboards + GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel + GF_SERVER_ROOT_URL: https://grafana.jahanson.tech + GF_DATABASE_NAME: ${DB_NAME} + GF_DATABASE_HOST: + valueFrom: + secretKeyRef: + name: "${APP}-pguser-${DB_USER}" + key: host + GF_DATABASE_USER: + valueFrom: + secretKeyRef: + name: "${APP}-pguser-${DB_USER}" + key: user + GF_DATABASE_PASSWORD: + valueFrom: + secretKeyRef: + name: "${APP}-pguser-${DB_USER}" + key: password + GF_DATABASE_SSL_MODE: disable + GF_DATABASE_TYPE: postgres + envFromSecrets: + - name: *secret + grafana.ini: + analytics: + check_for_updates: false + check_for_plugin_updates: false + reporting_enabled: false + auth: + oauth_auto_login: true + oauth_allow_insecure_email_lookup: true + auth.generic_oauth: + enabled: true + name: Authentik + icon: signin + scopes: openid profile email + empty_scopes: false + login_attribute_path: preferred_username + groups_attribute_path: groups + name_attribute_path: name + use_pkce: true + client_id: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M + client_secret: # Set by env vars + auth_url: https://auth.hsn.dev/application/o/authorize/ + token_url: https://auth.hsn.dev/application/o/token/ + api_url: 
https://auth.hsn.dev/application/o/userinfo/ + + auth.generic_oauth.group_mapping: + org_id: 1 + role_attribute_path: | + contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer' + auth.basic: + enabled: false + auth.anonymous: + enabled: false + # org_id: 1 + # org_role: Viewer + news: + news_feed_enabled: false + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: default + orgId: 1 + folder: "" + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default-folder + - name: ceph + orgId: 1 + folder: Ceph + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/ceph-folder + - name: flux + orgId: 1 + folder: Flux + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/flux-folder + - name: kubernetes + orgId: 1 + folder: Kubernetes + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/kubernetes-folder + - name: nginx + orgId: 1 + folder: Nginx + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/nginx-folder + - name: prometheus + orgId: 1 + folder: Prometheus + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/prometheus-folder + - name: thanos + orgId: 1 + folder: Thanos + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/thanos-folder + - name: unifi + orgId: 1 + folder: Unifi + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/unifi-folder + datasources: + datasources.yaml: + apiVersion: 1 + deleteDatasources: + - { name: Alertmanager, orgId: 1 } + - { name: Loki, orgId: 1 } + - { name: Prometheus, orgId: 1 } + datasources: + - name: Prometheus + type: prometheus + uid: prometheus + access: proxy + url: 
http://thanos-query-frontend.observability.svc.cluster.local:9090 + jsonData: + prometheusType: Thanos + timeInterval: 1m + isDefault: true + - name: Loki + type: loki + uid: loki + access: proxy + url: http://loki-gateway.observability.svc.cluster.local + jsonData: + maxLines: 250 + - name: Alertmanager + type: alertmanager + uid: alertmanager + access: proxy + url: http://alertmanager-operated.observability.svc.cluster.local:9093 + jsonData: + implementation: prometheus + dashboards: + default: + cloudflared: + # renovate: depName="Cloudflare Tunnels (cloudflared)" + gnetId: 17457 + revision: 6 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + external-dns: + # renovate: depName="External-dns" + gnetId: 15038 + revision: 3 + datasource: Prometheus + minio: + # renovate: depName="MinIO Dashboard" + gnetId: 13502 + revision: 25 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + node-exporter-full: + # renovate: depName="Node Exporter Full" + gnetId: 1860 + revision: 33 + datasource: Prometheus + redis: + # renovate: depName="Redis Dashboard for Prometheus Redis Exporter 1.x" + gnetId: 763 + revision: 6 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + spegel: + # renovate: depName="Spegel" + gnetId: 18089 + revision: 1 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + unpackerr: + # renovate: depName="Unpackerr" + gnetId: 18817 + revision: 1 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + zfs: + # renovate: depName="ZFS" + gnetId: 7845 + revision: 4 + datasource: Prometheus + cert-manager: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json + datasource: Prometheus + external-secrets: + url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json + datasource: Prometheus + node-feature-discovery: + url: 
https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json + datasource: Prometheus + ceph: + ceph-cluster: + # renovate: depName="Ceph Cluster" + gnetId: 2842 + revision: 17 + datasource: Prometheus + ceph-osd: + # renovate: depName="Ceph - OSD (Single)" + gnetId: 5336 + revision: 9 + datasource: Prometheus + ceph-pools: + # renovate: depName="Ceph - Pools" + gnetId: 5342 + revision: 9 + datasource: Prometheus + flux: + flux-cluster: + url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json + datasource: Prometheus + flux-control-plane: + url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json + datasource: Prometheus + kubernetes: + kubernetes-api-server: + # renovate: depName="Kubernetes / System / API Server" + gnetId: 15761 + revision: 16 + datasource: Prometheus + kubernetes-coredns: + # renovate: depName="Kubernetes / System / CoreDNS" + gnetId: 15762 + revision: 17 + datasource: Prometheus + kubernetes-global: + # renovate: depName="Kubernetes / Views / Global" + gnetId: 15757 + revision: 37 + datasource: Prometheus + kubernetes-namespaces: + # renovate: depName="Kubernetes / Views / Namespaces" + gnetId: 15758 + revision: 34 + datasource: Prometheus + kubernetes-nodes: + # renovate: depName="Kubernetes / Views / Nodes" + gnetId: 15759 + revision: 29 + datasource: Prometheus + kubernetes-pods: + # renovate: depName="Kubernetes / Views / Pods" + gNetId: 15760 + revision: 21 + datasource: Prometheus + kubernetes-volumes: + # renovate: depName="K8s / Storage / Volumes / Cluster" + gnetId: 11454 + revision: 14 + datasource: Prometheus + nginx: + nginx: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json + datasource: Prometheus + nginx-request-handling-performance: + url: 
https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json + datasource: Prometheus + prometheus: + prometheus: + # renovate: depName="Prometheus" + gnetId: 19105 + revision: 3 + datasource: Prometheus + thanos: + thanos-bucket-replicate: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json + datasource: Prometheus + thanos-compact: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json + datasource: Prometheus + thanos-overview: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json + datasource: Prometheus + thanos-query: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json + datasource: Prometheus + thanos-query-frontend: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json + datasource: Prometheus + thanos-receieve: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json + datasource: Prometheus + thanos-rule: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json + datasource: Prometheus + thanos-sidecar: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json + datasource: Prometheus + thanos-store: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json + datasource: Prometheus + unifi: + unifi-insights: + # renovate: depName="UniFi-Poller: Client Insights - Prometheus" + gnetId: 11315 + revision: 9 + datasource: Prometheus + unifi-network-sites: + # renovate: depName="UniFi-Poller: Network Sites - Prometheus" + gnetId: 11311 + revision: 5 + datasource: Prometheus + unifi-uap: 
+ # renovate: depName="UniFi-Poller: UAP Insights - Prometheus" + gnetId: 11314 + revision: 10 + datasource: Prometheus + unifi-usw: + # renovate: depName="UniFi-Poller: USW Insights - Prometheus" + gnetId: 11312 + revision: 9 + datasource: Prometheus + sidecar: + dashboards: + enabled: true + searchNamespace: ALL + labelValue: "" + label: grafana_dashboard + folderAnnotation: grafana_folder + provider: + disableDelete: true + foldersFromFilesStructure: true + datasources: + enabled: true + searchNamespace: ALL + labelValue: "" + plugins: + - grafana-clock-panel + - grafana-piechart-panel + - grafana-worldmap-panel + - natel-discrete-panel + - pr0ps-trackmap-panel + - vonage-status-panel + serviceMonitor: + enabled: true + ingress: + enabled: true + ingressClassName: internal-nginx + hosts: + - &host grafana.jahanson.tech + tls: + - hosts: + - *host + persistence: + enabled: false + testFramework: + enabled: false + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: grafana \ No newline at end of file diff --git a/kubernetes/apps/observability/grafana/app/kustomization.yaml b/kubernetes/apps/observability/grafana/app/kustomization.yaml new file mode 100644 index 00000000..bd5c01fe --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml + - ../../../../templates/postgresCluster.yaml \ No newline at end of file diff --git a/kubernetes/apps/observability/grafana/app/postgresCluster.yaml b/kubernetes/apps/observability/grafana/app/postgresCluster.yaml deleted file mode 100644 index 8a2d007b..00000000 --- a/kubernetes/apps/observability/grafana/app/postgresCluster.yaml +++ /dev/null 
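Review bot: `envFromSecrets: - name: *secret` references an alias that is never defined — the new file declares only `&host`, no `&secret` anchor — so the HelmRelease will fail to parse before Flux reconciles it; write the name explicitly, `- name: grafana-secret`, to match the ExternalSecret's `target.name`. The `kubernetes-pods` dashboard uses `gNetId: 15760` where every sibling uses `gnetId`; the chart's dashboards template keys on the lowercase spelling, so that entry is likely ignored silently. `GF_DATABASE_SSL_MODE: disable` sends the pguser password to Postgres in cleartext on the pod network; the shared PostgresCluster template is outside this diff, so confirm its `pg_hba` still permits `hostnossl` before relying on that, and prefer `require` if it does not. `oauth_allow_insecure_email_lookup: true` lets Grafana match existing accounts by email alone; a comment recording why it is needed (and that Authentik is the only IdP) would help the next reviewer.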
@@ -1,86 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json -apiVersion: postgres-operator.crunchydata.com/v1beta1 -kind: PostgresCluster -metadata: - name: "${APP}" -spec: - postgresVersion: 16 - dataSource: - pgbackrest: - stanza: db - configuration: - - secret: - name: pgo-s3-creds - global: - repo1-path: "/${APP}/repo1" - repo1-s3-uri-style: path - repo: - name: repo1 - s3: - bucket: "crunchy-postgres" - endpoint: "s3.hsn.dev" - region: "us-east-1" - patroni: - dynamicConfiguration: - synchronous_mode: true - postgresql: - synchronous_commit: "on" - pg_hba: - - hostnossl all all 10.32.0.0/16 md5 - - hostssl all all all md5 - instances: - - name: postgres - metadata: - labels: - app.kubernetes.io/name: pgo-${APP} - replicas: 2 - dataVolumeClaimSpec: - storageClassName: openebs-hostpath - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: "DoNotSchedule" - labelSelector: - matchLabels: - postgres-operator.crunchydata.com/cluster: ${APP} - postgres-operator.crunchydata.com/data: postgres - users: - - name: "grafana" - databases: - - "grafana" - options: "SUPERUSER" - password: - type: AlphaNumeric - backups: - pgbackrest: - configuration: - - secret: - name: pgo-s3-creds - global: - archive-push-queue-max: 4GiB - repo1-retention-full: "14" - repo1-retention-full-type: time - repo1-path: "/${APP}/repo1" - repo1-s3-uri-style: path - manual: - repoName: repo1 - options: - - --type=full - metadata: - labels: - app.kubernetes.io/name: pgo-${APP}-backup - repos: - - name: repo1 - schedules: - full: "0 1 * * 0" - differential: "0 1 * * 1-6" - s3: - bucket: "crunchy-postgres" - endpoint: "s3.hsn.dev" - region: "us-east-1" diff --git a/kubernetes/apps/observability/grafana/ks.yaml b/kubernetes/apps/observability/grafana/ks.yaml index 49bec5fa..1e8d8749 100644 
--- a/kubernetes/apps/observability/grafana/ks.yaml +++ b/kubernetes/apps/observability/grafana/ks.yaml @@ -24,4 +24,6 @@ spec: timeout: 5m postBuild: substitute: - APP: *app \ No newline at end of file + APP: *app + DB_NAME: grafana + DB_USER: grafana \ No newline at end of file diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml index 8b221b38..0ffc5429 100644 --- a/kubernetes/apps/observability/kustomization.yaml +++ b/kubernetes/apps/observability/kustomization.yaml @@ -8,7 +8,7 @@ resources: # Flux-Kustomizations - ./alertmanager-silencer/ks.yaml # - ./gatus/ks.yaml - # - ./grafana/ks.yaml + - ./grafana/ks.yaml - ./kube-prometheus-stack/ks.yaml - ./loki/ks.yaml - ./smartctl-exporter/ks.yaml
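Review bot: `DB_USER: grafana` is substituted into the shared `../../../../templates/postgresCluster.yaml`, which is outside this diff; the PostgresCluster deleted in this commit created that role with `options: "SUPERUSER"`, so confirm the template grants the app role only ownership of `${DB_NAME}` rather than carrying the superuser grant forward — Grafana needs no privilege beyond its own database. A short comment above the two new substitutions, `# consumed by templates/postgresCluster.yaml and the HelmRelease's ${APP}-pguser-${DB_USER} secret refs`, would document the coupling. The enclosing `spec` block starts outside the hunk.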