feat(grafana): add configmaps

kubernetes/talos-flux/apps/observability/grafana/app/config/contactpoints.yaml

@@ -0,0 +1,12 @@
+---
+# https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-contact-points
+apiVersion: 1
+contactPoints:
+  - orgId: 1
+    name: alertmanager-notifications
+    receivers:
+      - uid: cp1
+        type: prometheus-alertmanager
+        disableResolveMessage: false
+        settings:
+          url: $ALERTMANAGER_URL

kubernetes/talos-flux/apps/observability/grafana/app/config/datasources.yaml

@@ -0,0 +1,28 @@
+---
+# https://grafana.com/docs/grafana/latest/datasources/
+apiVersion: 1
+# list of datasources that should be deleted from the database
+deleteDatasources:
+  - name: Loki
+    orgId: 1
+  - name: Prometheus
+    orgId: 1
+  - name: GitHub
+    orgId: 1
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://prometheus-prometheus:9090/
+    isDefault: true
+  - name: Loki
+    type: loki
+    access: proxy
+    url: http://loki-gateway:80/
+  - name: GitHub
+    type: grafana-github-datasource
+    jsonData:
+      owner: "tyriis"
+      repository: "home-ops"
+    secureJsonData:
+      accessToken: ${SECRET_GH_PAT}

kubernetes/talos-flux/apps/observability/grafana/app/config/grafana.ini

@@ -0,0 +1,29 @@
+;https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
+[analytics]
+check_for_updates = false
+[auth.google]
+enabled = true
+allow_sign_up = true
+allowed_domains = ${SECRET_DOMAIN}
+auth_url = https://accounts.google.com/o/oauth2/auth
+scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+token_url = https://accounts.google.com/o/oauth2/token
+[date_formats]
+use_browser_locale = true
+[explore]
+enabled = true
+[log]
+mode = console
+level = info
+[panels]
+disable_sanitize_html = true
+[paths]
+data = /var/lib/grafana/
+logs = /var/log/grafana
+plugins = /var/lib/grafana/plugins
+provisioning = /etc/grafana/provisioning
+[server]
+domain = grafana.${SECRET_DOMAIN}
+root_url = https://grafana.${SECRET_DOMAIN}
+[users]
+auto_assign_org_role = Admin

kubernetes/talos-flux/apps/observability/grafana/app/config/policies.yaml

@@ -0,0 +1,12 @@
+---
+# https://grafana.com/docs/grafana/latest/alerting/set-up/provision-alerting-resources/file-provisioning/#import-notification-policies
+apiVersion: 1
+policies:
+  - orgId: 1
+    receiver: alertmanager-notifications
+    group_by:
+      - grafana_folder
+      - alertname
+    group_wait: 30s
+    group_interval: 5m
+    repeat_interval: 12h

kubernetes/talos-flux/apps/observability/grafana/app/grafana-admin.sops.yaml

@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+    name: grafana-admin
+stringData:
+    USERNAME: ENC[AES256_GCM,data:n57P/S4=,iv:7qajI1QASF15zpMqcVjal8XvBEG+BxezxegKPrJePdg=,tag:tbf5BF3JKgFkeFI+4FFJ5g==,type:str]
+    PASSWORD: ENC[AES256_GCM,data:J4Zg6RQ8K2ECZRg2/1jbjHS2u+T7j7U1f2OZOAUuVbFHt7yjpNFEN8tiUts=,iv:s2ifsOTwHK/h4CMBfpDx75ibAuzeo6+tNJshR7xfgCs=,tag:dzsXSSgspFSTdLFhOk2TFg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZzFkbDhYbElUcTJQZ1ls
+            T25TeWN3M3NXRzAvMXJjQXVsa0VGSk1tYjNrClJrb0JQbjk2NnhaUjNtbVN1U1JU
+            dVpXZW9OaUh0YU1GQmhiOHIyNnBYNDAKLS0tIHdZdk4rUVdIYzUyMURzc2FsV3hL
+            TTcwSDlkQ3VPM1NTWFdoTzZ5MVBEeDAKXeIe9FM/ZenGa8kVJjMIC9hcAwktLR/U
+            T5O1xTcVAhgBUDYbKdrexWuFIAsqhXVMAh0xhQEs3m9gdygDPAL6Mw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-02T22:00:12Z"
+    mac: ENC[AES256_GCM,data:EGShcemEHAQOZ58+2fS1kt416dUUROQ0RTgbxZsfM7TQ+ueDGHPybePhPauYn/V6AeirrU7soNY0Es3BcjfG/pKNcKS/OYXCpKOWaQzE0m+r/PCPPHtdSMemb9Jvky/7wRVI9OgU+SFtOrVslQS/gVjsXgeVsC3mpILX2l7dx+Y=,iv:STI/yC8BWa+V/z7hpqNRSJa+tqJXhYi4LDGn+5XjaiA=,tag:mqdeAmh8U4J9fPhJqkGC9g==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/talos-flux/apps/observability/grafana/app/grafana-env.sops.yaml → kubernetes/talos-flux/apps/observability/grafana/app/grafana-auth-google.sops.yaml

@@ -3,9 +3,8 @@ apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
-    name: grafana-env
+    name: grafana-auth-google
 stringData:
-    GF_AUTH_GOOGLE_ENABLED: ENC[AES256_GCM,data:Vf684g==,iv:lb3T33RlQFvsJUwhQsJc4fySF+ricMiO1LgCZ0hs3ro=,tag:Pjr0vd0Eallec2eorwU51g==,type:str]
     GF_AUTH_GOOGLE_CLIENT_ID: ENC[AES256_GCM,data:EaJ5MS9jmXKZ1gbBwJU8xL09E95Lzog/ncqnq8+TYC/e27JpcE4LdQC2ZwjIWPcTDuUM5m7NpjMzUzIvISXoOJdDSxe/waRr,iv:Oub/mmnsIBGMB4GMMvL2eUK7Uz4XgHdIIdPiAeFuiXY=,tag:gKByk2mmlmJc5+yJmkXcAQ==,type:str]
     GF_AUTH_GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:YLlBwyOWV0zksdQoc2Rp0GrNxXCBtsxbvhPSSBHy/By4djo=,iv:sHFcGqQj6Ak0GvA+I7guGLPY40bHO3re7XPV2xsToPA=,tag:1Ns/P/xXdUpNS6iYjv4Rxw==,type:str]
 sops:
@@ -23,8 +22,8 @@ sops:
             eUQwcWJxQWZIUkRsb291SHpGSDhqT1EKgTQ1qSb4D0VNoXTiTkz9sHrHFPNHcPCW
             IQ8/QYEA6iWVt+v8s+ATb2OaLZhha5FgwCOGVyIv6GJLP1kBlz8RwQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-13T23:45:15Z"
-    mac: ENC[AES256_GCM,data:/r1EiqbWn/ho1aIXzVsc/ZlcTZTff4bhGA8pP1W0QbI/DCsyFkc7h/BNQkthEseVeXbDLjqvE7OKchuGJKGaQTMwt+19WRCJSUmayJponTitay3ZKvRDmAgaT13u7pXteHalccjankpE4cBy2bdiVzQw0FQnhVqx+wY//uyb3OI=,iv:mzlgJJXYDQCbumfWvhPutdicue/aHwjyA2dhy9nA/Bs=,tag:b8iuZwbP4h5lbr7asY2tjw==,type:str]
+    lastmodified: "2024-04-02T21:27:47Z"
+    mac: ENC[AES256_GCM,data:oZqVunsLWCslIaZlRUOX3FHd66bIfhmHLuywVnQeda8ZrQX13LEJmbvEvApUrJGtoY5Zi8qFKank/NIwskNVGZpaOLcrGEm2tlLPuNn7e5ViLdjcqZu095zIEKQbx2wTeSZPMGe1wRbsjhivuHXmewEfAiQlmpuMu5ni2jE6nI8=,iv:LOGm+ROa6KYR+sD+aVgJWW3ifkA5Xx/893scQPryclw=,tag:yszeKmOf73y8311FI8fkAA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1

kubernetes/talos-flux/apps/observability/grafana/app/helm-release.yaml

@@ -27,105 +27,20 @@ spec:
   values:
     replicas: 1
 
-    alerting:
-      contactpoints.yaml:
-        secret:
-          apiVersion: 1
-          contactPoints:
-            - orgId: 1
-              name: alertmanager-notifications
-              receivers:
-                - uid: test
-                  type: prometheus-alertmanager
-                  settings:
-                    url: $TEST_URL
-                    send_resolved: true
-
     env:
       TZ: ${SETTING_TZ}
-      GF_EXPLORE_ENABLED: "true"
-      GF_PANELS_DISABLE_SANITIZE_HTML: "true"
-      GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
-      VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000
-      TEST_URL: http://prometheus-alertmanager.observability.svc.cluster.local:9093
+      VAR_BLOCKY_URL: http://blocky.networking.svc.cluster.local:4000 # for dashboard
+      ALERTMANAGER_URL: http://prometheus-alertmanager.observability.svc.cluster.local:9093
 
     envFromSecrets:
-      - name: grafana-env
-
-    adminPassword: "${SECRET_GRAFANA_PASSWORD}"
-    grafana.ini:
-      server:
-        root_url: "https://grafana.${SECRET_DOMAIN}"
-      users:
-        auto_assign_org_role: "Admin"
-      auth.google:
-        enabled: true
-        scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-        auth_url: https://accounts.google.com/o/oauth2/auth
-        token_url: https://accounts.google.com/o/oauth2/token
-        allowed_domains: "${SECRET_DOMAIN}"
-        allow_sign_up: true
+      - name: grafana-auth-google
 
-    dashboardProviders:
-      dashboardproviders.yaml:
-        apiVersion: 1
-        providers:
-          - name: default
-            orgId: 1
-            folder: ""
-            type: file
-            disableDeletion: false
-            # allowUiUpdates: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/default
-          - name: flux
-            orgId: 1
-            folder: Flux
-            type: file
-            disableDeletion: false
-            editable: true
-            # allowUiUpdates: true
-            options:
-              path: /var/lib/grafana/dashboards/flux
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        # list of datasources that should be deleted from the database
-        deleteDatasources:
-          - name: Loki
-            orgId: 1
-          - name: Prometheus
-            orgId: 1
-          - name: GitHub
-            orgId: 1
-        datasources:
-          - name: Prometheus
-            type: prometheus
-            access: proxy
-            url: http://prometheus-prometheus:9090/
-            isDefault: true
-          - name: Loki
-            type: loki
-            access: proxy
-            url: http://loki-gateway
-          - name: GitHub
-            type: grafana-github-datasource
-            jsonData:
-              owner: "tyriis"
-              repository: "home-ops"
-            secureJsonData:
-              accessToken: "${SECRET_GH_PAT}"
+    admin:
+      existingSecret: grafana-admin
+      userKey: USERNAME
+      passwordKey: PASSWORD
 
     dashboards:
-      # default:
-      # flux:
-      #   flux-cluster:
-      #     url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/cluster.json
-      #     datasource: Prometheus
-      #   flux-control-plane:
-      #     url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/control-plane.json
-      #     datasource: Prometheus
       default:
         # Ref: https://grafana.com/grafana/dashboards/11074
         "Node Exporter for Prometheus Dashboard":
@@ -155,8 +70,6 @@ spec:
       - grafana-github-datasource
     serviceMonitor:
       enabled: true
-    rbac:
-      pspEnabled: false
 
     ingress:
       enabled: true
@@ -181,3 +94,26 @@ spec:
 
     persistence:
       enabled: false
+
+    createConfigmap: true
+    extraConfigmapMounts:
+      - name: grafana-contactpoints
+        mountPath: /etc/grafana/alerting/
+        subPath: contactpoints.yaml
+        configMap: grafana-contactpoints
+        readOnly: true
+      - name: grafana-datasources
+        mountPath: /etc/grafana/datasources/
+        subPath: datasources.yaml
+        configMap: grafana-datasources
+        readOnly: true
+      - name: grafana-ini
+        mountPath: /etc/grafana/
+        subPath: grafana.ini
+        configMap: grafana-ini
+        readOnly: true
+      - name: grafana-policies
+        mountPath: /etc/grafana/alerting/
+        subPath: policies.yaml
+        configMap: grafana-policies
+        readOnly: true

kubernetes/talos-flux/apps/observability/grafana/app/kustomization.yaml

@@ -4,5 +4,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: observability
 resources:
-  - grafana-env.sops.yaml
+  - grafana-admin.sops.yaml
+  - grafana-auth-google.sops.yaml
   - helm-release.yaml
+configMapGenerator:
+  - name: grafana-contactpoints
+    files:
+      - contactpoints.yaml=config/contactpoints.yaml
+  - name: grafana-datasources
+    files:
+      - datasources.yaml=config/datasources.yaml
+  - name: grafana-ini
+    files:
+      - grafana.ini=config/grafana.ini
+  - name: grafana-policies
+    files:
+      - policies.yaml=config/policies.yaml
+commonLabels:
+  app.kubernetes.io/name: grafana
+  app.kubernetes.io/instance: grafana
+generatorOptions:
+  disableNameSuffixHash: true