Diffstat (limited to 'kubernetes/namespaces/default/grafana')
-rw-r--r--kubernetes/namespaces/default/grafana/README.md11
-rw-r--r--kubernetes/namespaces/default/grafana/configmap.yaml38
-rw-r--r--kubernetes/namespaces/default/grafana/deployment-grafana.yaml47
-rw-r--r--kubernetes/namespaces/default/grafana/deployment-image-renderer.yaml33
-rw-r--r--kubernetes/namespaces/default/grafana/ingress.yaml24
-rw-r--r--kubernetes/namespaces/default/grafana/secrets.yamlbin0 -> 329 bytes
-rw-r--r--kubernetes/namespaces/default/grafana/services.yaml19
-rw-r--r--kubernetes/namespaces/default/grafana/volume.yaml13
8 files changed, 185 insertions, 0 deletions
diff --git a/kubernetes/namespaces/default/grafana/README.md b/kubernetes/namespaces/default/grafana/README.md
new file mode 100644
index 0000000..03a9682
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/README.md
@@ -0,0 +1,11 @@
+# Grafana
+
+This folder contains the manifests for deploying our Grafana instance, the service we use to query our data.
+
+This deployment expects a number of secrets and environment variables to exist in a secret called `grafana-secret-env`.
+
+| Environment | Description |
+|------------------------------|-----------------------------------------------------|
+| GF_AUTH_GITHUB_CLIENT_ID | The client ID of the Github app to use for auth |
+| GF_AUTH_GITHUB_CLIENT_SECRET | The client secret of the Github app to use for auth |
+| GF_SECURITY_ADMIN_PASSWORD | The admin password the the grafana admin console |
diff --git a/kubernetes/namespaces/default/grafana/configmap.yaml b/kubernetes/namespaces/default/grafana/configmap.yaml
new file mode 100644
index 0000000..87eeba9
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/configmap.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-default
+data:
+ # Root settings
+ GF_INSTANCE_NAME: "pythondiscord"
+ GF_SERVER_DOMAIN: "grafana.pythondiscord.com"
+ GF_SERVER_ROOT_URL: "https://grafana.pythondiscord.com"
+ GF_SECURITY_COOKIE_SECURE: "true"
+
+ # GitHub Auth
+ GF_AUTH_GITHUB_ENABLED: "true"
+ GF_AUTH_GITHUB_SCOPES: "user:email,read:org"
+ # IDs can be retrieved via `gh api orgs/python-discord/teams`.
+ GF_AUTH_GITHUB_TEAM_IDS: "2638565,3854739,3114246"
+ GF_AUTH_GITHUB_AUTH_URL: "https://github.com/login/oauth/authorize"
+ GF_AUTH_GITHUB_TOKEN_URL: "https://github.com/login/oauth/access_token"
+ GF_AUTH_GITHUB_API_URL: "https://api.github.com/user"
+ GF_AUTH_ALLOW_SIGN_UP: "true"
+
+ # Image renderer
+ GF_RENDERING_SERVER_URL: "http://grafana-image-renderer.default.svc.cluster.local:8081/render"
+ GF_RENDERING_CALLBACK_URL: "http://grafana.default.svc.cluster.local:3000/"
+ GF_RENDERING_CONCURRENT_RENDER_REQUEST_LIMIT: "3"
+
+ # Image storage
+ GF_EXTERNAL_IMAGE_STORAGE_PROVIDED: "local"
+
+ # Metrics
+ GF_METRICS_ENABLED: "false"
+
+ # User sign up
+ GF_USERS_AUTO_ASSIGN_ORG: "true"
+ GF_USERS_AUTO_ASSIGN_ORG_ID: "2"
+
+ # Feature toggles
+ GF_FEATURE_TOGGLES_ENABLE: ""
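Review bot: Two keys in this ConfigMap do not appear to map to any Grafana setting, so they are probably ignored silently. Grafana builds environment overrides as GF_<SECTION>_<KEY>, so `GF_AUTH_ALLOW_SIGN_UP` would have to be `GF_AUTH_GITHUB_ALLOW_SIGN_UP: "true"` to reach the `[auth.github]` section, and `GF_EXTERNAL_IMAGE_STORAGE_PROVIDED` looks like a typo for `GF_EXTERNAL_IMAGE_STORAGE_PROVIDER: "local"`. The sign-up flag decides whether a first-time GitHub login creates an account, so it is worth setting under the correct name rather than relying on the built-in default. A short comment next to `GF_AUTH_GITHUB_TEAM_IDS` naming the three teams would also make it reviewable who is being granted access.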
diff --git a/kubernetes/namespaces/default/grafana/deployment-grafana.yaml b/kubernetes/namespaces/default/grafana/deployment-grafana.yaml
new file mode 100644
index 0000000..3acef14
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/deployment-grafana.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grafana
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: grafana
+ template:
+ metadata:
+ labels:
+ app: grafana
+ spec:
+ containers:
+ - name: grafana
+ image: grafana/grafana:9.1.7
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3000
+ resources:
+ requests:
+ cpu: 200m
+ memory: 100Mi
+ limits:
+ cpu: 300m
+ memory: 250Mi
+ envFrom:
+ - configMapRef:
+ name: grafana-default
+ - secretRef:
+ name: grafana-secret-env
+ volumeMounts:
+ - mountPath: /var/lib/grafana
+ name: grafana-volume
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: grafana-volume
+ persistentVolumeClaim:
+ claimName: grafana-storage
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
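Review bot: The container-level `securityContext` of the `grafana` container sets only `readOnlyRootFilesystem: true`, so the process keeps the runtime's default capabilities and can still gain privileges through setuid binaries. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` there costs nothing for a service listening on port 3000; the same gap exists in deployment-image-renderer.yaml. Separately, `image: grafana/grafana:9.1.7` with `imagePullPolicy: Always` re-resolves a mutable tag on every pod start. Pinning the image by digest would make the running image reproducible.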
diff --git a/kubernetes/namespaces/default/grafana/deployment-image-renderer.yaml b/kubernetes/namespaces/default/grafana/deployment-image-renderer.yaml
new file mode 100644
index 0000000..ea3e297
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/deployment-image-renderer.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grafana-image-renderer
+spec:
+ replicas: 0
+ selector:
+ matchLabels:
+ app: grafana-image-renderer
+ template:
+ metadata:
+ labels:
+ app: grafana-image-renderer
+ spec:
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
+ containers:
+ - name: grafana-image-renderer
+ image: grafana/grafana-image-renderer:latest
+ resources:
+ requests:
+ cpu: 500m
+ memory: 300Mi
+ limits:
+ cpu: 1000m
+ memory: 500Mi
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8081
+ securityContext:
+ readOnlyRootFilesystem: true
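Review bot: `image: grafana/grafana-image-renderer:latest` together with `imagePullPolicy: Always` means whatever is published under `latest` runs at the next scale-up without review, and a rollback cannot name the previous version. Pin a specific release, ideally with a digest, e.g. `image: grafana/grafana-image-renderer:<version>@sha256:<digest>` (placeholders to fill in). The deployment is at `replicas: 0`, so this only takes effect once the renderer is enabled. With `readOnlyRootFilesystem: true` and no writable volume, the renderer may also need an `emptyDir` for temporary files; that is worth verifying before scaling up.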
diff --git a/kubernetes/namespaces/default/grafana/ingress.yaml b/kubernetes/namespaces/default/grafana/ingress.yaml
new file mode 100644
index 0000000..60138af
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: grafana
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: grafana.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana
+ port:
+ number: 3000
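Review bot: The client-certificate requirement set by `auth-tls-verify-client: "on"` is enforced only at this ingress, so it does not cover traffic that reaches the `grafana` Service on port 3000 from inside the cluster. None of the eight files in this commit is a NetworkPolicy, so unless one exists elsewhere, any pod in the cluster can reach the Grafana login page without a certificate. Consider a NetworkPolicy that admits traffic to `app: grafana` pods only from the ingress controller. A comment above the annotations would also help, e.g. `# mTLS: clients must present a cert signed by the CA in kube-system/mtls-client-crt-bundle`. Note too that `auth-tls-error-page` sends clients that fail verification to a third-party URL, so an internal error page would be easier to recognise when debugging certificate problems.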
diff --git a/kubernetes/namespaces/default/grafana/secrets.yaml b/kubernetes/namespaces/default/grafana/secrets.yaml
new file mode 100644
index 0000000..bb492d1
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/secrets.yaml
Binary files differ
diff --git a/kubernetes/namespaces/default/grafana/services.yaml b/kubernetes/namespaces/default/grafana/services.yaml
new file mode 100644
index 0000000..e5430a2
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/services.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+spec:
+ ports:
+ - port: 3000
+ selector:
+ app: grafana
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana-image-renderer
+spec:
+ ports:
+ - port: 8081
+ selector:
+ app: grafana-image-renderer
diff --git a/kubernetes/namespaces/default/grafana/volume.yaml b/kubernetes/namespaces/default/grafana/volume.yaml
new file mode 100644
index 0000000..6283a7c
--- /dev/null
+++ b/kubernetes/namespaces/default/grafana/volume.yaml
@@ -0,0 +1,13 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: grafana-storage
+ labels:
+ app: grafana
+spec:
+ storageClassName: linode-block-storage-retain
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi