From 888b30b0f82627f571b1a16d77495fd48c49a0e7 Mon Sep 17 00:00:00 2001
From: Jazzlyn <9011011+jazzlyn@users.noreply.github.com>
Date: Wed, 3 Apr 2024 00:07:29 +0200
Subject: [PATCH 1/4] feat(grafana): add configmaps
---
 .../grafana/app/config/contactpoints.yaml | 12 ++
 .../grafana/app/config/datasources.yaml | 28 ++++
 .../grafana/app/config/grafana.ini | 29 ++++
 .../grafana/app/config/policies.yaml | 12 ++
 .../grafana/app/grafana-admin.sops.yaml | 29 ++++
 ...ops.yaml => grafana-auth-google.sops.yaml} | 7 +-
 .../grafana/app/helm-release.yaml | 124 +++++------------
 .../grafana/app/kustomization.yaml | 21 ++-
 8 files changed, 163 insertions(+), 99 deletions(-)
 create mode 100644 kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
 create mode 100644 kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
 create mode 100644 kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
 create mode 100644 kubernetes/talos-flux/apps/observability/grafana/app/config/policies.yaml
 create mode 100644 kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
 rename kubernetes/talos-flux/apps/observability/grafana/app/{grafana-env.sops.yaml => grafana-auth-google.sops.yaml} (71%)
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
new file mode 100644
index 000000000..6b2c2aa34
--- /dev/null
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
@@ -0,0 +1,12 @@
+---
+# https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-contact-points
+apiVersion: 1
+contactPoints:
+ - orgId: 1
+ name: alertmanager-notifications
+ receivers:
+ - uid: cp1
+ type: prometheus-alertmanager
+ disableResolveMessage: false
+ settings:
+ url: $ALERTMANAGER_URL
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
new file mode 100644
index 000000000..f7cb223ed
--- /dev/null
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
@@ -0,0 +1,28 @@
+---
+# https://grafana.com/docs/grafana/latest/datasources/
+apiVersion: 1
+# list of datasources that should be deleted from the database
+deleteDatasources:
+ - name: Loki
+ orgId: 1
+ - name: Prometheus
+ orgId: 1
+ - name: GitHub
+ orgId: 1
+datasources:
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ url: http://prometheus-prometheus:9090/
+ isDefault: true
+ - name: Loki
+ type: loki
+ access: proxy
+ url: http://loki-gateway:80/
+ - name: GitHub
+ type: grafana-github-datasource
+ jsonData:
+ owner: "tyriis"
+ repository: "home-ops"
+ secureJsonData:
+ accessToken: ${SECRET_GH_PAT}
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini b/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
new file mode 100644
index 000000000..497e8891b
--- /dev/null
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
@@ -0,0 +1,29 @@
+;https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
+[analytics]
+check_for_updates = false
+[auth.google]
+enabled = true
+allow_sign_up = true
+allowed_domains = ${SECRET_DOMAIN}
+auth_url = https://accounts.google.com/o/oauth2/auth
+scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+token_url = https://accounts.google.com/o/oauth2/token
+[date_formats]
+use_browser_locale = true
+[explore]
+enabled = true
+[log]
+mode = console
+level = info
+[panels]
+disable_sanitize_html = true
+[paths]
+data = /var/lib/grafana/
+logs = /var/log/grafana
+plugins = /var/lib/grafana/plugins
+provisioning = /etc/grafana/provisioning
+[server]
+domain = grafana.${SECRET_DOMAIN}
+root_url = https://grafana.${SECRET_DOMAIN}
+[users]
+auto_assign_org_role = Admin
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/policies.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/config/policies.yaml
new file mode 100644
index 000000000..9361949cb
--- /dev/null
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/policies.yaml
@@ -0,0 +1,12 @@
+---
+# https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-notification-policies
+apiVersion: 1
+policies:
+ - orgId: 1
+ receiver: alertmanager-notifications
+ group_by:
+ - grafana_folder
+ - alertname
+ group_wait: 30s
+ group_interval: 5m
+ repeat_interval: 12h
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
new file mode 100644
index 000000000..af1318c10
--- /dev/null
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
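Review bot: `disable_sanitize_html = true` under `[panels]` switches off Grafana's HTML sanitisation for panel content, so any account that can edit a dashboard can put markup into it that runs in every viewer's browser, and with `allow_sign_up = true` plus `auto_assign_org_role = Admin` in the same file every Google account in `allowed_domains` gets that editing right on first login. The previous Helm values carried the same `GF_PANELS_DISABLE_SANITIZE_HTML` setting, so the behaviour is not new, but the ini is the right place to revisit it: drop the line unless a specific panel needs raw HTML, and consider `auto_assign_org_role = Editor` (or `Viewer`) with org admins promoted explicitly. If the setting has to stay, record the accepted risk next to it, e.g. `; raw HTML required by <dashboard name placeholder>; every dashboard editor can inject markup`.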
@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: grafana-admin
+stringData:
+ USERNAME: ENC[AES256_GCM,data:n57P/S4=,iv:7qajI1QASF15zpMqcVjal8XvBEG+BxezxegKPrJePdg=,tag:tbf5BF3JKgFkeFI+4FFJ5g==,type:str]
+ PASSWORD: ENC[AES256_GCM,data:J4Zg6RQ8K2ECZRg2/1jbjHS2u+T7j7U1f2OZOAUuVbFHt7yjpNFEN8tiUts=,iv:s2ifsOTwHK/h4CMBfpDx75ibAuzeo6+tNJshR7xfgCs=,tag:dzsXSSgspFSTdLFhOk2TFg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZzFkbDhYbElUcTJQZ1ls
+ T25TeWN3M3NXRzAvMXJjQXVsa0VGSk1tYjNrClJrb0JQbjk2NnhaUjNtbVN1U1JU
+ dVpXZW9OaUh0YU1GQmhiOHIyNnBYNDAKLS0tIHdZdk4rUVdIYzUyMURzc2FsV3hL
+ TTcwSDlkQ3VPM1NTWFdoTzZ5MVBEeDAKXeIe9FM/ZenGa8kVJjMIC9hcAwktLR/U
+ T5O1xTcVAhgBUDYbKdrexWuFIAsqhXVMAh0xhQEs3m9gdygDPAL6Mw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-02T22:00:12Z"
+ mac: ENC[AES256_GCM,data:EGShcemEHAQOZ58+2fS1kt416dUUROQ0RTgbxZsfM7TQ+ueDGHPybePhPauYn/V6AeirrU7soNY0Es3BcjfG/pKNcKS/OYXCpKOWaQzE0m+r/PCPPHtdSMemb9Jvky/7wRVI9OgU+SFtOrVslQS/gVjsXgeVsC3mpILX2l7dx+Y=,iv:STI/yC8BWa+V/z7hpqNRSJa+tqJXhYi4LDGn+5XjaiA=,tag:mqdeAmh8U4J9fPhJqkGC9g==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
similarity index 71%
rename from kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml
rename to kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
index e77be59b1..61e83d19a 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
@@ -3,9 +3,8 @@ apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
- name: grafana-env
+ name: grafana-auth-google
 stringData:
- GF_AUTH_GOOGLE_ENABLED: ENC[AES256_GCM,data:Vf684g==,iv:lb3T33RlQFvsJUwhQsJc4fySF+ricMiO1LgCZ0hs3ro=,tag:Pjr0vd0Eallec2eorwU51g==,type:str]
 GF_AUTH_GOOGLE_CLIENT_ID: ENC[AES256_GCM,data:EaJ5MS9jmXKZ1gbBwJU8xL09E95Lzog/ncqnq8+TYC/e27JpcE4LdQC2ZwjIWPcTDuUM5m7NpjMzUzIvISXoOJdDSxe/waRr,iv:Oub/mmnsIBGMB4GMMvL2eUK7Uz4XgHdIIdPiAeFuiXY=,tag:gKByk2mmlmJc5+yJmkXcAQ==,type:str]
 GF_AUTH_GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:YLlBwyOWV0zksdQoc2Rp0GrNxXCBtsxbvhPSSBHy/By4djo=,iv:sHFcGqQj6Ak0GvA+I7guGLPY40bHO3re7XPV2xsToPA=,tag:1Ns/P/xXdUpNS6iYjv4Rxw==,type:str]
 sops:
@@ -23,8 +22,8 @@ sops:
 eUQwcWJxQWZIUkRsb291SHpGSDhqT1EKgTQ1qSb4D0VNoXTiTkz9sHrHFPNHcPCW
 IQ8/QYEA6iWVt+v8s+ATb2OaLZhha5FgwCOGVyIv6GJLP1kBlz8RwQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-13T23:45:15Z"
- mac: ENC[AES256_GCM,data:/r1EiqbWn/ho1aIXzVsc/ZlcTZTff4bhGA8pP1W0QbI/DCsyFkc7h/BNQkthEseVeXbDLjqvE7OKchuGJKGaQTMwt+19WRCJSUmayJponTitay3ZKvRDmAgaT13u7pXteHalccjankpE4cBy2bdiVzQw0FQnhVqx+wY//uyb3OI=,iv:mzlgJJXYDQCbumfWvhPutdicue/aHwjyA2dhy9nA/Bs=,tag:b8iuZwbP4h5lbr7asY2tjw==,type:str]
+ lastmodified: "2024-04-02T21:27:47Z"
+ mac: ENC[AES256_GCM,data:oZqVunsLWCslIaZlRUOX3FHd66bIfhmHLuywVnQeda8ZrQX13LEJmbvEvApUrJGtoY5Zi8qFKank/NIwskNVGZpaOLcrGEm2tlLPuNn7e5ViLdjcqZu095zIEKQbx2wTeSZPMGe1wRbsjhivuHXmewEfAiQlmpuMu5ni2jE6nI8=,iv:LOGm+ROa6KYR+sD+aVgJWW3ifkA5Xx/893scQPryclw=,tag:yszeKmOf73y8311FI8fkAA==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
index 3c8030588..c45af8f4e 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
@@ -27,105 +27,20 @@ spec:
 values:
 replicas: 1
- alerting:
- contactpoints.yaml:
- secret:
- apiVersion: 1
- contactPoints:
- - orgId: 1
- name: alertmanager-notifications
- receivers:
- - uid: test
- type: prometheus-alertmanager
- settings:
- url: $TEST_URL
- send_resolved: true
-
 env:
 TZ: ${SETTING_TZ}
- GF_EXPLORE_ENABLED: "true"
- GF_PANELS_DISABLE_SANITIZE_HTML: "true"
- GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
- VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000
- TEST_URL: http://prometheus-alertmanager.observability.svc.cluster.local:9093
+ VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000 # for dashboard
+ ALERTMANAGER_URL: http://prometheus-alertmanager.observability.svc.cluster.local:9093
 envFromSecrets:
- - name: grafana-env
-
- adminPassword: "${SECRET_GRAFANA_PASSWORD}"
- grafana.ini:
- server:
- root_url: "https://grafana.${SECRET_DOMAIN}"
- users:
- auto_assign_org_role: "Admin"
- auth.google:
- enabled: true
- scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
- auth_url: https://accounts.google.com/o/oauth2/auth
- token_url: https://accounts.google.com/o/oauth2/token
- allowed_domains: "${SECRET_DOMAIN}"
- allow_sign_up: true
+ - name: grafana-auth-google
- dashboardProviders:
- dashboardproviders.yaml:
- apiVersion: 1
- providers:
- - name: default
- orgId: 1
- folder: ""
- type: file
- disableDeletion: false
- # allowUiUpdates: false
- editable: true
- options:
- path: /var/lib/grafana/dashboards/default
- - name: flux
- orgId: 1
- folder: Flux
- type: file
- disableDeletion: false
- editable: true
- # allowUiUpdates: true
- options:
- path: /var/lib/grafana/dashboards/flux
- datasources:
- datasources.yaml:
- apiVersion: 1
- # list of datasources that should be deleted from the database
- deleteDatasources:
- - name: Loki
- orgId: 1
- - name: Prometheus
- orgId: 1
- - name: GitHub
- orgId: 1
- datasources:
- - name: Prometheus
- type: prometheus
- access: proxy
-
url: http://prometheus-prometheus:9090/
- isDefault: true
- - name: Loki
- type: loki
- access: proxy
- url: http://loki-gateway
- - name: GitHub
- type: grafana-github-datasource
- jsonData:
- owner: "tyriis"
- repository: "home-ops"
- secureJsonData:
- accessToken: "${SECRET_GH_PAT}"
+ admin:
+ existingSecret: grafana-admin
+ userKey: USERNAME
+ passwordKey: PASSWORD
 dashboards:
- # default:
- # flux:
- # flux-cluster:
- # url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/cluster.json
- # datasource: Prometheus
- # flux-control-plane:
- # url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/control-plane.json
- # datasource: Prometheus
 default:
 # Ref: https://grafana.com/grafana/dashboards/11074
 "Node Exporter for Prometheus Dashboard":
@@ -155,8 +70,6 @@ spec:
 - grafana-github-datasource
 serviceMonitor:
 enabled: true
- rbac:
- pspEnabled: false
 ingress:
 enabled: true
@@ -181,3 +94,26 @@ spec:
 persistence:
 enabled: false
+
+ createConfigmap: true
+ extraConfigmapMounts:
+ - name: grafana-contactpoints
+ mountPath: /etc/grafana/alerting/
+ subPath: contactpoints.yaml
+ configMap: grafana-contactpoints
+ readOnly: true
+ - name: grafana-datasources
+ mountPath: /etc/grafana/datasources/
+ subPath: datasources.yaml
+ configMap: grafana-datasources
+ readOnly: true
+ - name: grafana-ini
+ mountPath: /etc/grafana/
+ subPath: grafana.ini
+ configMap: grafana-ini
+ readOnly: true
+ - name: grafana-policies
+ mountPath: /etc/grafana/alerting/
+ subPath: policies.yaml
+ configMap: grafana-policies
+ readOnly: true
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
index 762b04032..30f68630e 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
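Review bot: The removed `dashboardProviders` block held the only file provider pointing at `/var/lib/grafana/dashboards/default`, while `dashboards.default` is kept, so as far as this hunk shows the chart will still write the Node Exporter dashboard into that directory but no provider registers it any more; confirm that the sidecar configured further down (outside this hunk) or a replacement provider covers that path, otherwise the dashboard is silently absent. Moving the admin credentials to `admin.existingSecret` with `userKey`/`passwordKey` is the right change — the password no longer passes through the Flux-substituted values. The `values:` mapping continues past the end of the hunk.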
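Review bot: The `extraConfigmapMounts` entries for `grafana-contactpoints` and `grafana-policies` both declare `mountPath: /etc/grafana/alerting/`; with `subPath` set each mount is a single file, so the two target the same path and, assuming the chart passes `mountPath` through unchanged, the pod spec is rejected for duplicate mount paths. The paths also do not match the provisioning root set in config/grafana.ini (`provisioning = /etc/grafana/provisioning`), under which Grafana expects `alerting/` and `datasources/`, so files placed under `/etc/grafana/alerting/` and `/etc/grafana/datasources/` would not be read at all, and a file mount at `/etc/grafana/` would at best shadow that directory. Give each mount the full file path under the provisioning root, and mount the ini as `/etc/grafana/grafana.ini`; the subPath/configMap/readOnly fields stay as they are.
```yaml
extraConfigmapMounts:
  - name: grafana-contactpoints
    mountPath: /etc/grafana/provisioning/alerting/contactpoints.yaml
    # … unchanged: subPath, configMap, readOnly …
  - name: grafana-datasources
    mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
    # … unchanged: subPath, configMap, readOnly …
  - name: grafana-ini
    mountPath: /etc/grafana/grafana.ini
    # … unchanged: subPath, configMap, readOnly …
  - name: grafana-policies
    mountPath: /etc/grafana/provisioning/alerting/policies.yaml
    # … unchanged: subPath, configMap, readOnly …
```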
@@ -4,5 +4,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: observability
 resources:
- - grafana-env.sops.yaml
+ - grafana-admin.sops.yaml
+ - grafana-auth-google.sops.yaml
 - helm-release.yaml
+configMapGenerator:
+ - name: grafana-contactpoints
+ files:
+ - contactpoints.yaml=config/contactpoints.yaml
+ - name: grafana-datasources
+ files:
+ - datasources.yaml=config/datasources.yaml
+ - name: grafana-ini
+ files:
+ - grafana.ini=config/grafana.ini
+ - name: grafana-policies
+ files:
+ - policies.yaml=config/policies.yaml
+commonLabels:
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+generatorOptions:
+ disableNameSuffixHash: true
From c1566f2077be9e4a6658a88d0af5b3b85c3001f1 Mon Sep 17 00:00:00 2001
From: Jazzlyn <9011011+jazzlyn@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:18:50 +0200
Subject: [PATCH 2/4] feat(grafana): refinement
---
 .../grafana/app/config/contactpoints.yaml | 2 +-
 .../apps/observability/grafana/app/config/grafana.ini | 6 +++---
 .../observability/grafana/app/grafana-admin.sops.yaml | 5 ++---
 .../grafana/app/grafana-auth-google.sops.yaml | 5 ++---
 .../apps/observability/grafana/app/helm-release.yaml | 11 ++---------
 5 files changed, 10 insertions(+), 19 deletions(-)
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
index 6b2c2aa34..768cc3ae2 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml
@@ -9,4 +9,4 @@ contactPoints:
 type: prometheus-alertmanager
 disableResolveMessage: false
 settings:
- url: $ALERTMANAGER_URL
+ url: http://prometheus-alertmanager.observability.svc.cluster.local:9093
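Review bot: `disableNameSuffixHash: true` is what lets helm-release.yaml reference the four ConfigMaps by their plain names, but it also means that an edit to any file under config/ updates the ConfigMap in place without touching the HelmRelease, so nothing triggers a rollout and the running pod keeps the old grafana.ini and provisioning files until it is restarted for some other reason. That trade-off deserves a comment on the option, e.g. `# stable names are required by extraConfigmapMounts; config edits need a pod restart (or a reloader) to take effect`. As a style point, `commonLabels` is deprecated in newer kustomize releases in favour of `labels:`; here it only touches the two Secrets and the HelmRelease, so it is harmless but worth switching when the tooling allows.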
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini b/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
index 497e8891b..a783672eb 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini
@@ -4,7 +4,7 @@ check_for_updates = false
 [auth.google]
 enabled = true
 allow_sign_up = true
-allowed_domains = ${SECRET_DOMAIN}
+allowed_domains = techtales.io
 auth_url = https://accounts.google.com/o/oauth2/auth
 scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
 token_url = https://accounts.google.com/o/oauth2/token
@@ -23,7 +23,7 @@ logs = /var/log/grafana
 plugins = /var/lib/grafana/plugins
 provisioning = /etc/grafana/provisioning
 [server]
-domain = grafana.${SECRET_DOMAIN}
-root_url = https://grafana.${SECRET_DOMAIN}
+domain = grafana.techtales.io
+root_url = https://grafana.techtales.io
 [users]
 auto_assign_org_role = Admin
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
index af1318c10..d9a65e44d 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml
@@ -1,7 +1,6 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
-type: Opaque
 metadata:
 name: grafana-admin
 stringData:
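Review bot: `allowed_domains`, `domain` and `root_url` now carry the literal domain where the earlier revision used `${SECRET_DOMAIN}`, so a value the repository had been keeping out of git as a Flux secret is committed in plaintext in this ConfigMap source. If that is an accepted change, fine; if the domain is meant to stay out of the repo, Grafana can read it from the container environment with `allowed_domains = $__env{SECRET_DOMAIN}` (and the same form for `domain` and `root_url`) once the variable is supplied through `env` or `envFromSecrets`, which keeps the file free of Flux substitution. Either way a one-line comment above `[auth.google]` stating which mechanism is intended would stop the next reader from re-adding `${...}` placeholders that Flux will no longer expand.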
@@ -22,8 +21,8 @@ sops:
 TTcwSDlkQ3VPM1NTWFdoTzZ5MVBEeDAKXeIe9FM/ZenGa8kVJjMIC9hcAwktLR/U
 T5O1xTcVAhgBUDYbKdrexWuFIAsqhXVMAh0xhQEs3m9gdygDPAL6Mw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-02T22:00:12Z"
- mac: ENC[AES256_GCM,data:EGShcemEHAQOZ58+2fS1kt416dUUROQ0RTgbxZsfM7TQ+ueDGHPybePhPauYn/V6AeirrU7soNY0Es3BcjfG/pKNcKS/OYXCpKOWaQzE0m+r/PCPPHtdSMemb9Jvky/7wRVI9OgU+SFtOrVslQS/gVjsXgeVsC3mpILX2l7dx+Y=,iv:STI/yC8BWa+V/z7hpqNRSJa+tqJXhYi4LDGn+5XjaiA=,tag:mqdeAmh8U4J9fPhJqkGC9g==,type:str]
+ lastmodified: "2024-04-03T20:17:49Z"
+ mac: ENC[AES256_GCM,data:+XnUw8M+hyNs8DHsR2juJKhfLV+mNGbeBlJ07j8RmQVYAuDrpVlneRWAtx6yxrC44z4C5+Jao61MkXqz+NClf2UX+dEnRIoYr15O9LPk9pBTcpEU0crb7VcJVSGxKQf8SulurCTdErGj6umdJeXyn43xebkE0QRV2F/46VavGT8=,iv:v9lnYP96v12HvaCucAXcsIerIyFVqwhUiYZVELP8hlQ=,tag:zTkjsfQrJC1v8m1DgalnMQ==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
index 61e83d19a..4667f50aa 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
@@ -1,7 +1,6 @@
 # yamllint disable
 apiVersion: v1
 kind: Secret
-type: Opaque
 metadata:
 name: grafana-auth-google
 stringData:
@@ -22,8 +21,8 @@ sops:
 eUQwcWJxQWZIUkRsb291SHpGSDhqT1EKgTQ1qSb4D0VNoXTiTkz9sHrHFPNHcPCW
 IQ8/QYEA6iWVt+v8s+ATb2OaLZhha5FgwCOGVyIv6GJLP1kBlz8RwQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-02T21:27:47Z"
- mac: ENC[AES256_GCM,data:oZqVunsLWCslIaZlRUOX3FHd66bIfhmHLuywVnQeda8ZrQX13LEJmbvEvApUrJGtoY5Zi8qFKank/NIwskNVGZpaOLcrGEm2tlLPuNn7e5ViLdjcqZu095zIEKQbx2wTeSZPMGe1wRbsjhivuHXmewEfAiQlmpuMu5ni2jE6nI8=,iv:LOGm+ROa6KYR+sD+aVgJWW3ifkA5Xx/893scQPryclw=,tag:yszeKmOf73y8311FI8fkAA==,type:str]
+ lastmodified: "2024-04-03T20:17:40Z"
+ mac: ENC[AES256_GCM,data:JQr1hrOpDMRAuxbA/7I6aJgQ5ReLfwqPW3SvgVvUVcJXeWTPt9xvYRUrUBzqunfiJ6wZKRCkuSZ5uRthlDwR2fAVqxbFjAhUxWuld7P5fZs6u63Qx/+cgd8WkLZZ8ikNI249eDn0rzTo1UfGSI4eAozejvCufyuGh/L+o2MCKQc=,iv:o557kvzdsWv+3VkT+WH1i0iyhxFc2sR1FIO8hlzSfIU=,tag:lzVtBxhbs5aRA7XhCnfS/Q==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
index c45af8f4e..37f385eb3 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
@@ -29,8 +29,6 @@ spec:
 env:
 TZ: ${SETTING_TZ}
- VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000 # for dashboard
- ALERTMANAGER_URL: http://prometheus-alertmanager.observability.svc.cluster.local:9093
 envFromSecrets:
 - name: grafana-auth-google
@@ -47,11 +45,6 @@ spec:
 gnetId: 11074
 revision: 9
 datasource: Prometheus
- # Ref: https://grafana.com/grafana/dashboards/13768
- blocky:
- gnetId: 13768
- revision: 3
- datasource: Prometheus
 sidecar:
 dashboards:
@@ -81,12 +74,12 @@ spec:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"
 hosts:
- - "grafana.${SECRET_DOMAIN}"
+ - &host grafana.techtales.io
 path: /
 tls:
 - secretName: grafana-cert
 hosts:
- - "grafana.${SECRET_DOMAIN}"
+ - *host
 serviceAccount:
 create: true
From a9a8b7733b83a30794f61f7410cd53406c941d89 Mon Sep 17 00:00:00 2001
From: Jazzlyn <9011011+jazzlyn@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:25:13 +0200
Subject: [PATCH 3/4] feat(grafana): disable substitution for configmaps
---
 .../apps/observability/grafana/app/kustomization.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
index 30f68630e..88f8d0d4e 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
@@ -25,3 +25,5 @@ commonLabels:
 app.kubernetes.io/instance: grafana
 generatorOptions:
 disableNameSuffixHash: true
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
From 13a4c2e23bd9ac85af344334378d3208204a7784 Mon Sep 17 00:00:00 2001
From: Jazzlyn <9011011+jazzlyn@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:32:45 +0200
Subject: [PATCH 4/4] feat(grafana): refinement
---
 .../apps/observability/grafana/app/config/datasources.yaml | 6 +++---
 ...grafana-auth-google.sops.yaml => grafana-env.sops.yaml} | 7 ++++---
 .../apps/observability/grafana/app/helm-release.yaml | 2 +-
 .../apps/observability/grafana/app/kustomization.yaml | 2 +-
 4 files changed, 9 insertions(+), 8 deletions(-)
 rename kubernetes/talos-flux/apps/observability/grafana/app/{grafana-auth-google.sops.yaml => grafana-env.sops.yaml} (69%)
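Review bot: The new `generatorOptions.annotations` entry carries no comment explaining why Flux substitution is switched off for the generated ConfigMaps, and the reason is not visible from the kustomization alone: the provisioning files rely on Grafana's own `$VAR`/`${VAR}` expansion at startup (datasources.yaml's `accessToken`), and letting Flux expand `${...}` first would either break that or copy a substituted secret value into a plain ConfigMap. Add e.g. `# Grafana expands $VAR itself at startup; Flux must not substitute ${...} into these ConfigMaps (a substituted secret would land in plain ConfigMap data)`. The annotation is scoped to the generated ConfigMaps only, so the `${SETTING_TZ}` and `${SECRET_CLOUDFLARE_TUNNEL_ID}` references in helm-release.yaml keep being substituted, which looks intended.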
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
index f7cb223ed..8db6a3b53 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml
@@ -22,7 +22,7 @@ datasources:
 - name: GitHub
 type: grafana-github-datasource
 jsonData:
- owner: "tyriis"
- repository: "home-ops"
+ owner: tyriis
+ repository: home-ops
 secureJsonData:
- accessToken: ${SECRET_GH_PAT}
+ accessToken: $GITHUB_PAT
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml
similarity index 69%
rename from kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
rename to kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml
index 4667f50aa..29a0f10db 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml
@@ -2,10 +2,11 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: grafana-auth-google
+ name: grafana-env
 stringData:
 GF_AUTH_GOOGLE_CLIENT_ID: ENC[AES256_GCM,data:EaJ5MS9jmXKZ1gbBwJU8xL09E95Lzog/ncqnq8+TYC/e27JpcE4LdQC2ZwjIWPcTDuUM5m7NpjMzUzIvISXoOJdDSxe/waRr,iv:Oub/mmnsIBGMB4GMMvL2eUK7Uz4XgHdIIdPiAeFuiXY=,tag:gKByk2mmlmJc5+yJmkXcAQ==,type:str]
 GF_AUTH_GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:YLlBwyOWV0zksdQoc2Rp0GrNxXCBtsxbvhPSSBHy/By4djo=,iv:sHFcGqQj6Ak0GvA+I7guGLPY40bHO3re7XPV2xsToPA=,tag:1Ns/P/xXdUpNS6iYjv4Rxw==,type:str]
+ GITHUB_PAT: ENC[AES256_GCM,data:XkHDWOs2UQP3yT5NwiilDrDTOK7NDNAKWBqF4wuY31yA2TW70Vqfjg==,iv:SgHDC9NTU5bVpJNIX9DxwKo6WgNLs6T1Kjsi7T0HpcQ=,tag:E967XwHdFfwU0ERYYMIetQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
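Review bot: `accessToken: $GITHUB_PAT` depends on two things that are not visible from this file: Grafana's environment expansion in provisioning files, and `GITHUB_PAT` being present in the `grafana-env` Secret that helm-release.yaml wires in through `envFromSecrets`. With the substitution annotation on the generated ConfigMaps the file now ships only the placeholder and the token lives in a Secret, which is the right split; a comment beside the key saves the next reader the cross-file trace, e.g. `# expanded by Grafana at startup from the grafana-env Secret (envFromSecrets); not substituted by Flux`. If the placeholder is ever renamed, both this file and the Secret key must change together.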
@@ -21,8 +22,8 @@ sops:
 eUQwcWJxQWZIUkRsb291SHpGSDhqT1EKgTQ1qSb4D0VNoXTiTkz9sHrHFPNHcPCW
 IQ8/QYEA6iWVt+v8s+ATb2OaLZhha5FgwCOGVyIv6GJLP1kBlz8RwQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-03T20:17:40Z"
- mac: ENC[AES256_GCM,data:JQr1hrOpDMRAuxbA/7I6aJgQ5ReLfwqPW3SvgVvUVcJXeWTPt9xvYRUrUBzqunfiJ6wZKRCkuSZ5uRthlDwR2fAVqxbFjAhUxWuld7P5fZs6u63Qx/+cgd8WkLZZ8ikNI249eDn0rzTo1UfGSI4eAozejvCufyuGh/L+o2MCKQc=,iv:o557kvzdsWv+3VkT+WH1i0iyhxFc2sR1FIO8hlzSfIU=,tag:lzVtBxhbs5aRA7XhCnfS/Q==,type:str]
+ lastmodified: "2024-04-03T20:30:42Z"
+ mac: ENC[AES256_GCM,data:7isbGbxz0t0NxjhGER9Mq/TWUK20My9Z4b0yYcD1SWJ+toAGH36NmxC2i36bChU16d0ZPanlW6wmUL7O+1Ihvp/5tQyFp7ZW+6cPIAhWekdFYOrFk68pfB+IlD/YYOt6HO6bmcfXispqyqDZkr9k8UgirsEt7sA36NMs/nByWXY=,iv:y7jqoj+G/HzAKXmY6yI82AEfwo/ueGw1p8gbS9/GkTA=,tag:QagM09nKrdiO/mCBFDOSzw==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
index 37f385eb3..c6048ea5d 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml
@@ -31,7 +31,7 @@ spec:
 TZ: ${SETTING_TZ}
 envFromSecrets:
- - name: grafana-auth-google
+ - name: grafana-env
 admin:
 existingSecret: grafana-admin
diff --git a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
index 88f8d0d4e..a03967a8f 100644
--- a/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 namespace: observability
 resources:
 - grafana-admin.sops.yaml
- - grafana-auth-google.sops.yaml
+ - grafana-env.sops.yaml
 - helm-release.yaml
 configMapGenerator:
 - name: grafana-contactpoints