From 9b4893d1c375d6597651fec5d2201f512181cf20 Mon Sep 17 00:00:00 2001 
From: Joe Banks
Date: Mon, 15 Apr 2024 18:33:44 +0100
Subject: Move Grafana to monitoring namespace
---
kubernetes/namespaces/default/grafana/README.md | 11 -----
.../namespaces/default/grafana/configmap.yaml | 37 --------
.../default/grafana/deployment-grafana.yaml | 52 --------------------
kubernetes/namespaces/default/grafana/ingress.yaml | 24 ----------
kubernetes/namespaces/default/grafana/secrets.yaml | Bin 342 -> 0 bytes
.../namespaces/default/grafana/services.yaml | 9 ----
kubernetes/namespaces/default/grafana/volume.yaml | 13 -----
kubernetes/namespaces/monitoring/grafana/README.md | 11 +++++
.../namespaces/monitoring/grafana/configmap.yaml | 38 +++++++++++++++
.../monitoring/grafana/deployment-grafana.yaml | 53 +++++++++++++++++++++
.../namespaces/monitoring/grafana/ingress.yaml | 25 ++++++++++
.../namespaces/monitoring/grafana/secrets.yaml | Bin 0 -> 345 bytes
.../namespaces/monitoring/grafana/services.yaml | 10 ++++
.../namespaces/monitoring/grafana/volume.yaml | 14 ++++++
14 files changed, 151 insertions(+), 146 deletions(-)
delete mode 100644 kubernetes/namespaces/default/grafana/README.md
delete mode 100644 kubernetes/namespaces/default/grafana/configmap.yaml
delete mode 100644 kubernetes/namespaces/default/grafana/deployment-grafana.yaml
delete mode 100644 kubernetes/namespaces/default/grafana/ingress.yaml
delete mode 100644 kubernetes/namespaces/default/grafana/secrets.yaml
delete mode 100644 kubernetes/namespaces/default/grafana/services.yaml
delete mode 100644 kubernetes/namespaces/default/grafana/volume.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/README.md
create mode 100644 kubernetes/namespaces/monitoring/grafana/configmap.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/deployment-grafana.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/ingress.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/secrets.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/services.yaml
create mode 100644 kubernetes/namespaces/monitoring/grafana/volume.yaml
(limited to 'kubernetes')
diff --git a/kubernetes/namespaces/default/grafana/README.md b/kubernetes/namespaces/default/grafana/README.md
deleted file mode 100644
index 03a9682..0000000
--- a/kubernetes/namespaces/default/grafana/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Grafana
-
-This folder contains the manifests for deploying our Grafana instance, the service we use to query our data.
-
-This deployment expects a number of secrets and environment variables to exist in a secret called `grafana-secret-env`.
-
-| Environment | Description |
-|------------------------------|-----------------------------------------------------|
-| GF_AUTH_GITHUB_CLIENT_ID | The client ID of the Github app to use for auth |
-| GF_AUTH_GITHUB_CLIENT_SECRET | The client secret of the Github app to use for auth |
-| GF_SECURITY_ADMIN_PASSWORD | The admin password the the grafana admin console |
diff --git a/kubernetes/namespaces/default/grafana/configmap.yaml b/kubernetes/namespaces/default/grafana/configmap.yaml
deleted file mode 100644
index 18fb16f..0000000
--- a/kubernetes/namespaces/default/grafana/configmap.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: grafana-default
-data:
- # Root settings
- GF_INSTANCE_NAME: "pythondiscord"
- GF_SERVER_DOMAIN: "grafana.pythondiscord.com"
- GF_SERVER_ROOT_URL: "https://grafana.pythondiscord.com"
- GF_SECURITY_COOKIE_SECURE: "true"
-
- # GitHub Auth
- GF_AUTH_GITHUB_ENABLED: "true"
- GF_AUTH_GITHUB_SCOPES: "user:email,read:org"
- # IDs can be retrieved via `gh api orgs/python-discord/teams`.
- GF_AUTH_GITHUB_TEAM_IDS: "2638565,3854739,3114246,7361120,9120709"
- GF_AUTH_GITHUB_ROLE_ATTRIBUTE_PATH: "contains(groups[*], '@python-discord/directors') && 'Admin' || contains(groups[*], '@python-discord/sudo-devops') && 'Admin' || contains(groups[*], '@python-discord/admins') && 'Editor' || 'Viewer'"
- GF_AUTH_GITHUB_AUTH_URL: "https://github.com/login/oauth/authorize"
- GF_AUTH_GITHUB_TOKEN_URL: "https://github.com/login/oauth/access_token"
- GF_AUTH_GITHUB_API_URL: "https://api.github.com/user"
- GF_AUTH_ALLOW_SIGN_UP: "true"
-
- # Image storage
- GF_EXTERNAL_IMAGE_STORAGE_PROVIDED: "local"
-
- # Metrics
- GF_METRICS_ENABLED: "false"
-
- # User sign up
- GF_USERS_AUTO_ASSIGN_ORG: "true"
- GF_USERS_AUTO_ASSIGN_ORG_ID: "2"
-
- # Feature toggles
- GF_FEATURE_TOGGLES_ENABLE: "autoMigrateOldPanels,nestedFolders,newVizTooltips,prometheusMetricEncyclopedia,datatrails"
-
- # Plugins
- GF_INSTALL_PLUGINS: "https://storage.googleapis.com/integration-artifacts/grafana-lokiexplore-app/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app"
diff --git a/kubernetes/namespaces/default/grafana/deployment-grafana.yaml b/kubernetes/namespaces/default/grafana/deployment-grafana.yaml
deleted file mode 100644
index 436b932..0000000
--- a/kubernetes/namespaces/default/grafana/deployment-grafana.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: grafana
-spec:
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app: grafana
- template:
- metadata:
- labels:
- app: grafana
- spec:
- containers:
- - name: grafana
- image: grafana/grafana:11.0.0-preview
- imagePullPolicy: Always
- ports:
- - containerPort: 3000
- resources:
- requests:
- cpu: 200m
- memory: 100Mi
- limits:
- cpu: 300m
- memory: 250Mi
- envFrom:
- - configMapRef:
- name: grafana-default
- - secretRef:
- name: grafana-secret-env
- volumeMounts:
- - mountPath: /var/lib/grafana
- name: grafana-volume
- - mountPath: /tmp
- name: grafana-tmp
- securityContext:
- readOnlyRootFilesystem: true
- volumes:
- - name: grafana-volume
- persistentVolumeClaim:
- claimName: grafana-storage
- - name: grafana-tmp
- emptyDir:
- medium: Memory
- securityContext:
- fsGroup: 2000
- runAsUser: 1000
- runAsNonRoot: true
diff --git a/kubernetes/namespaces/default/grafana/ingress.yaml b/kubernetes/namespaces/default/grafana/ingress.yaml
deleted file mode 100644
index 60138af..0000000
--- a/kubernetes/namespaces/default/grafana/ingress.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
- nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
- name: grafana
-spec:
- tls:
- - hosts:
- - "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
- rules:
- - host: grafana.pythondiscord.com
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: grafana
- port:
- number: 3000
diff --git a/kubernetes/namespaces/default/grafana/secrets.yaml b/kubernetes/namespaces/default/grafana/secrets.yaml
deleted file mode 100644
index ab29ba8..0000000
Binary files a/kubernetes/namespaces/default/grafana/secrets.yaml and /dev/null differ
diff --git a/kubernetes/namespaces/default/grafana/services.yaml b/kubernetes/namespaces/default/grafana/services.yaml
deleted file mode 100644
index 947ba40..0000000
--- a/kubernetes/namespaces/default/grafana/services.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: grafana
-spec:
- ports:
- - port: 3000
- selector:
- app: grafana
diff --git a/kubernetes/namespaces/default/grafana/volume.yaml b/kubernetes/namespaces/default/grafana/volume.yaml
deleted file mode 100644
index 6283a7c..0000000
--- a/kubernetes/namespaces/default/grafana/volume.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: grafana-storage
- labels:
- app: grafana
-spec:
- storageClassName: linode-block-storage-retain
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
diff --git a/kubernetes/namespaces/monitoring/grafana/README.md b/kubernetes/namespaces/monitoring/grafana/README.md
new file mode 100644
index 0000000..03a9682
--- /dev/null
+++ b/kubernetes/namespaces/monitoring/grafana/README.md
@@ -0,0 +1,11 @@
+# Grafana
+
+This folder contains the manifests for deploying our Grafana instance, the service we use to query our data.
+
+This deployment expects a number of secrets and environment variables to exist in a secret called `grafana-secret-env`.
+
+| Environment | Description |
+|------------------------------|-----------------------------------------------------|
+| GF_AUTH_GITHUB_CLIENT_ID | The client ID of the Github app to use for auth |
+| GF_AUTH_GITHUB_CLIENT_SECRET | The client secret of the Github app to use for auth |
+| GF_SECURITY_ADMIN_PASSWORD | The admin password the the grafana admin console |
diff --git a/kubernetes/namespaces/monitoring/grafana/configmap.yaml b/kubernetes/namespaces/monitoring/grafana/configmap.yaml
new file mode 100644
index 0000000..931e2da
--- /dev/null
+++ b/kubernetes/namespaces/monitoring/grafana/configmap.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-default
+ namespace: monitoring
+data:
+ # Root settings
+ GF_INSTANCE_NAME: "pythondiscord"
+ GF_SERVER_DOMAIN: "grafana.pythondiscord.com"
+ GF_SERVER_ROOT_URL: "https://grafana.pythondiscord.com"
+ GF_SECURITY_COOKIE_SECURE: "true"
+
+ # GitHub Auth
+ GF_AUTH_GITHUB_ENABLED: "true"
+ GF_AUTH_GITHUB_SCOPES: "user:email,read:org"
+ # IDs can be retrieved via `gh api orgs/python-discord/teams`.
+ GF_AUTH_GITHUB_TEAM_IDS: "2638565,3854739,3114246,7361120,9120709"
+ GF_AUTH_GITHUB_ROLE_ATTRIBUTE_PATH: "contains(groups[*], '@python-discord/directors') && 'Admin' || contains(groups[*], '@python-discord/sudo-devops') && 'Admin' || contains(groups[*], '@python-discord/admins') && 'Editor' || 'Viewer'"
+ GF_AUTH_GITHUB_AUTH_URL: "https://github.com/login/oauth/authorize"
+ GF_AUTH_GITHUB_TOKEN_URL: "https://github.com/login/oauth/access_token"
+ GF_AUTH_GITHUB_API_URL: "https://api.github.com/user"
+ GF_AUTH_ALLOW_SIGN_UP: "true"
+
+ # Image storage
+ GF_EXTERNAL_IMAGE_STORAGE_PROVIDED: "local"
+
+ # Metrics
+ GF_METRICS_ENABLED: "false"
+
+ # User sign up
+ GF_USERS_AUTO_ASSIGN_ORG: "true"
+ GF_USERS_AUTO_ASSIGN_ORG_ID: "2"
+
+ # Feature toggles
+ GF_FEATURE_TOGGLES_ENABLE: "autoMigrateOldPanels,nestedFolders,newVizTooltips,prometheusMetricEncyclopedia,datatrails"
+
+ # Plugins
+ GF_INSTALL_PLUGINS: "https://storage.googleapis.com/integration-artifacts/grafana-lokiexplore-app/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app"
diff --git a/kubernetes/namespaces/monitoring/grafana/deployment-grafana.yaml b/kubernetes/namespaces/monitoring/grafana/deployment-grafana.yaml
new file mode 100644
index 0000000..87e3059
--- /dev/null
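Review bot: `GF_EXTERNAL_IMAGE_STORAGE_PROVIDED: "local"` under `# Image storage` looks like a misspelling of Grafana's `[external_image_storage] provider` option, whose environment form is `GF_EXTERNAL_IMAGE_STORAGE_PROVIDER`; Grafana ignores `GF_*` variables it does not recognise, so the line presumably has no effect as written and should read `GF_EXTERNAL_IMAGE_STORAGE_PROVIDER: "local"`. The key was carried over unchanged from the deleted `default` copy, so the move does not introduce it, but a newly created file is the right place to correct it. While here, the five numeric IDs in `GF_AUTH_GITHUB_TEAM_IDS` decide who can log in at all and `GF_AUTH_GITHUB_ROLE_ATTRIBUTE_PATH` decides who becomes Admin; a comment next to the existing `# IDs can be retrieved via ...` line naming the team behind each ID would make future access reviews of this allow-list much quicker.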
+++ b/kubernetes/namespaces/monitoring/grafana/deployment-grafana.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: monitoring
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: grafana
+ template:
+ metadata:
+ labels:
+ app: grafana
+ spec:
+ containers:
+ - name: grafana
+ image: grafana/grafana:11.0.0-preview
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3000
+ resources:
+ requests:
+ cpu: 200m
+ memory: 100Mi
+ limits:
+ cpu: 300m
+ memory: 250Mi
+ envFrom:
+ - configMapRef:
+ name: grafana-default
+ - secretRef:
+ name: grafana-secret-env
+ volumeMounts:
+ - mountPath: /var/lib/grafana
+ name: grafana-volume
+ - mountPath: /tmp
+ name: grafana-tmp
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: grafana-volume
+ persistentVolumeClaim:
+ claimName: grafana-storage
+ - name: grafana-tmp
+ emptyDir:
+ medium: Memory
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
diff --git a/kubernetes/namespaces/monitoring/grafana/ingress.yaml b/kubernetes/namespaces/monitoring/grafana/ingress.yaml
new file mode 100644
index 0000000..4331333
--- /dev/null
+++ b/kubernetes/namespaces/monitoring/grafana/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: grafana
+ namespace: monitoring
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: grafana.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: grafana
+ port:
+ number: 3000
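Review bot: The container `securityContext` holds only `readOnlyRootFilesystem: true`; the pod-level context already enforces `runAsNonRoot: true` and `runAsUser: 1000`, but nothing disables privilege escalation or drops Linux capabilities, so add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside `readOnlyRootFilesystem` to bring the container up to the restricted baseline. Separately, `image: grafana/grafana:11.0.0-preview` together with `imagePullPolicy: Always` means any pod restart can pull a different build of a pre-release tag, which makes what the monitoring stack runs non-reproducible; pin a released tag or an image digest (`grafana/grafana:<tag>@sha256:<digest>`, placeholders) instead. Both points were already present in the deleted `default` copy, so they are not regressions of the move, but the new file is where they should be settled.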
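Review bot: `secretName: pythondiscord.com-tls` under `tls:` refers to a Secret in the Ingress's own namespace, so after this move the wildcard certificate has to exist in `monitoring` as well; nothing in the commit creates or copies it there, and if it is only present in `default` the controller will quietly serve its default certificate for `grafana.pythondiscord.com` rather than fail. Whether a per-namespace copy already exists (cert-manager, a secret reflector, or a manual copy) is not visible from the patch, so please confirm and add a comment above `secretName` recording where the certificate in this namespace comes from. The `auth-tls-secret` annotation is namespace-qualified (`kube-system/mtls-client-crt-bundle`) and is unaffected by the move, so the mTLS gate in front of the GitHub login stays in place.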
diff --git a/kubernetes/namespaces/monitoring/grafana/secrets.yaml b/kubernetes/namespaces/monitoring/grafana/secrets.yaml
new file mode 100644
index 0000000..b817eca
Binary files /dev/null and b/kubernetes/namespaces/monitoring/grafana/secrets.yaml differ
diff --git a/kubernetes/namespaces/monitoring/grafana/services.yaml b/kubernetes/namespaces/monitoring/grafana/services.yaml
new file mode 100644
index 0000000..de2d76b
--- /dev/null
+++ b/kubernetes/namespaces/monitoring/grafana/services.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: monitoring
+spec:
+ ports:
+ - port: 3000
+ selector:
+ app: grafana
diff --git a/kubernetes/namespaces/monitoring/grafana/volume.yaml b/kubernetes/namespaces/monitoring/grafana/volume.yaml
new file mode 100644
index 0000000..735a4c5
--- /dev/null
+++ b/kubernetes/namespaces/monitoring/grafana/volume.yaml
@@ -0,0 +1,14 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: grafana-storage
+ namespace: monitoring
+ labels:
+ app: grafana
+spec:
+ storageClassName: linode-block-storage-retain
+ accessModes:
+ - ReadWriteOncePod
+ resources:
+ requests:
+ storage: 10Gi
-- cgit v1.2.3
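Review bot: A PersistentVolumeClaim is namespace-scoped, so the `grafana-storage` claim in this hunk is a brand-new claim rather than a move of the one deleted from `default`: applying it provisions a fresh, empty `linode-block-storage-retain` volume, and the Deployment in this commit mounts it at `/var/lib/grafana`, where Grafana keeps its database and state, so the instance comes up empty unless the PV retained from the old claim is rebound to the new claim by hand. Neither the commit subject nor the README describes that migration, so please add a comment above `storageClassName`, e.g. `# Moved from the default namespace: rebind the PV retained from the old grafana-storage claim before applying, otherwise this provisions an empty volume.`, or document the step in the README. The same hunk also changes `accessModes` from `ReadWriteOnce` to `ReadWriteOncePod`, which is a behavioural change beyond the namespace move and depends on the cluster's CSI driver supporting that mode; it is presumably intended (it pairs well with `strategy: Recreate`), but it deserves a mention in the commit message.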