vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2024-01-28 10:00:47 +01:00
parent ccb828c881
commit 0961759af7
173 changed files with 449 additions and 8800 deletions
Download Patch File Download Diff File Expand all files Collapse all files

298
monitor/grafana/apps_v1_Deployment_grafana.yaml
View File

@@ -1,298 +0,0 @@
# Source: grafana/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
strategy:
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
annotations:
checksum/config: 0e9cbd0ea8e24e32f7dfca5bab17a2ba05652642f0a09a4882833ae88e4cc4a3
checksum/sc-dashboard-provider-config: 593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c
kubectl.kubernetes.io/default-container: grafana
spec:
serviceAccountName: grafana
automountServiceAccountToken: true
securityContext:
fsGroup: 472
runAsGroup: 472
runAsNonRoot: true
runAsUser: 472
initContainers:
- name: init-chown-data
image: "docker.io/library/busybox:1.31.1"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- CHOWN
runAsNonRoot: false
runAsUser: 0
seccompProfile:
type: RuntimeDefault
command:
- chown
- -R
- 472:472
- /var/lib/grafana
volumeMounts:
- name: storage
mountPath: "/var/lib/grafana"
enableServiceLinks: true
containers:
- name: grafana-sc-dashboard
image: "quay.io/kiwigrid/k8s-sidecar:1.25.2"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "grafana_dashboard"
- name: FOLDER
value: "/tmp/dashboards"
- name: RESOURCE
value: "both"
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: username
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: password
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/dashboards/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: grafana-sc-datasources
image: "quay.io/kiwigrid/k8s-sidecar:1.25.2"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "grafana_datasource"
- name: FOLDER
value: "/etc/grafana/provisioning/datasources"
- name: RESOURCE
value: "both"
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: username
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: password
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/datasources/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: grafana-sc-notifiers
image: "quay.io/kiwigrid/k8s-sidecar:1.25.2"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "grafana_notifier"
- name: FOLDER
value: "/etc/grafana/provisioning/notifiers"
- name: RESOURCE
value: "both"
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: username
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: password
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/notifications/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: sc-notifiers-volume
mountPath: "/etc/grafana/provisioning/notifiers"
- name: grafana-sc-plugins
image: "quay.io/kiwigrid/k8s-sidecar:1.25.2"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "grafana_plugin"
- name: FOLDER
value: "/etc/grafana/provisioning/plugins"
- name: RESOURCE
value: "both"
- name: REQ_USERNAME
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: username
- name: REQ_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: password
- name: REQ_URL
value: http://localhost:3000/api/admin/provisioning/plugins/reload
- name: REQ_METHOD
value: POST
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: sc-plugins-volume
mountPath: "/etc/grafana/provisioning/plugins"
- name: grafana
image: "docker.io/grafana/grafana:10.2.3"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: config
mountPath: "/etc/grafana/grafana.ini"
subPath: grafana.ini
- name: storage
mountPath: "/var/lib/grafana"
- name: sc-dashboard-volume
mountPath: "/tmp/dashboards"
- name: sc-dashboard-provider
mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml"
subPath: provider.yaml
- name: sc-datasources-volume
mountPath: "/etc/grafana/provisioning/datasources"
- name: sc-plugins-volume
mountPath: "/etc/grafana/provisioning/plugins"
- name: sc-notifiers-volume
mountPath: "/etc/grafana/provisioning/notifiers"
ports:
- name: grafana
containerPort: 3000
protocol: TCP
- name: gossip-tcp
containerPort: 9094
protocol: TCP
- name: gossip-udp
containerPort: 9094
protocol: UDP
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: username
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin-user
key: password
- name: GF_PATHS_DATA
value: /var/lib/grafana/
- name: GF_PATHS_LOGS
value: /var/log/grafana
- name: GF_PATHS_PLUGINS
value: /var/lib/grafana/plugins
- name: GF_PATHS_PROVISIONING
value: /etc/grafana/provisioning
livenessProbe:
failureThreshold: 10
httpGet:
path: /api/health
port: 3000
initialDelaySeconds: 60
timeoutSeconds: 30
readinessProbe:
httpGet:
path: /api/health
port: 3000
volumes:
- name: config
configMap:
name: grafana
- name: storage
persistentVolumeClaim:
claimName: grafana
- name: sc-dashboard-volume
emptyDir:
{}
- name: sc-dashboard-provider
configMap:
name: grafana-config-dashboards
- name: sc-datasources-volume
emptyDir:
{}
- name: sc-plugins-volume
emptyDir:
{}
- name: sc-notifiers-volume
emptyDir:
{}

43
monitor/grafana/config.tf
View File

@@ -1,43 +0,0 @@
resource "kubernetes_config_map_v1" "config" {
metadata {
name = "grafana"
namespace = var.namespace
labels = local.common-labels
}
data = {
"grafana.ini" = <<-EOF
[analytics]
check_for_updates = true
[grafana_net]
url = https://grafana.net
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
domain = ''
root_url = 'https://${local.dns_name}/'
[users]
auto_assign_org = true
auto_assign_org_id = 1
[auth]
oauth_allow_insecure_email_lookup = true
signout_redirect_url = '${module.oauth2.sso_signout_url}'
oauth_auto_login = true
[auth.generic_oauth]
enabled = true
name = vynil
scopes = openid profile email
${var.issuer=="letsencrypt-prod"?";":""}tls_client_ca = /etc/local-certs/ca.crt
client_id = '${module.oauth2.client_id}'
client_secret = '${module.oauth2.client_secret}'
auth_url = '${module.oauth2.sso_authorize_url}'
api_url = '${module.oauth2.sso_userinfo_url}'
token_url = '${module.oauth2.sso_token_url}'
role_attribute_path = contains(groups, '${module.application.main_group}-admin') && 'Admin' || contains(groups, '${module.application.main_group}') && 'Editor' || 'Viewer'
EOF
}
}

112
monitor/grafana/datas.tf
View File

@@ -1,112 +0,0 @@
locals {
authentik_url = "http://authentik.${var.domain}-auth.svc"
authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/instance" = var.instance
}
pvc_spec = merge({
"accessModes" = [var.storage.volume.accessMode]
"volumeMode" = var.storage.volume.type
"resources" = {
"requests" = {
"storage" = "${var.storage.volume.size}"
}
}
}, var.storage.volume.class != "" ?{
"storageClassName" = var.storage.volume.class
}:{})
}
data "kubernetes_secret_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1]
images {
name = "docker.io/grafana/grafana"
new_name = "${var.images.grafana.registry}/${var.images.grafana.repository}"
new_tag = "${var.images.grafana.tag}"
}
images {
name = "docker.io/library/busybox"
new_name = "${var.images.busybox.registry}/${var.images.busybox.repository}"
new_tag = "${var.images.busybox.tag}"
}
images {
name = "quay.io/kiwigrid/k8s-sidecar"
new_name = "${var.images.sidecar.registry}/${var.images.sidecar.repository}"
new_tag = "${var.images.sidecar.tag}"
}
patches {
target {
kind = "PersistentVolumeClaim"
name = "grafana"
}
patch = <<-EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: grafana
annotations:
k8up.io/backup: "true"
spec: ${jsonencode(local.pvc_spec)}
EOF
}
patches {
target {
kind = "ServiceMonitor"
name = "grafana"
}
patch = <<-EOF
- op: replace
path: /spec/namespaceSelector/matchNames/0
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "Deployment"
name = "grafana"
}
patch = <<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
annotations:
configmap.reloader.stakater.com/reload: "grafana"
spec:
template:
spec:
containers:
- name: grafana
volumeMounts:
- name: local-certs
mountPath: "/etc/local-certs"
volumes:
- name: local-certs
secret:
secretName: "${var.instance}-cert"
defaultMode: 0444
EOF
}
}

193
monitor/grafana/index.yaml
View File

@@ -1,193 +0,0 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: monitor
metadata:
name: grafana
description: null
options:
domain:
default: your-company
examples:
- your-company
type: string
images:
default:
busybox:
registry: docker.io
repository: library/busybox
tag: 1.31.1
grafana:
pullPolicy: IfNotPresent
registry: docker.io
repository: grafana/grafana
tag: 10.2.3
sidecar:
pullPolicy: IfNotPresent
registry: quay.io
repository: kiwigrid/k8s-sidecar
tag: 1.25.2
examples:
- busybox:
registry: docker.io
repository: library/busybox
tag: 1.31.1
grafana:
pullPolicy: IfNotPresent
registry: docker.io
repository: grafana/grafana
tag: 10.2.3
sidecar:
pullPolicy: IfNotPresent
registry: quay.io
repository: kiwigrid/k8s-sidecar
tag: 1.25.2
properties:
busybox:
default:
registry: docker.io
repository: library/busybox
tag: 1.31.1
properties:
registry:
default: docker.io
type: string
repository:
default: library/busybox
type: string
tag:
default: 1.31.1
type: string
type: object
grafana:
default:
pullPolicy: IfNotPresent
registry: docker.io
repository: grafana/grafana
tag: 10.2.3
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: docker.io
type: string
repository:
default: grafana/grafana
type: string
tag:
default: 10.2.3
type: string
type: object
sidecar:
default:
pullPolicy: IfNotPresent
registry: quay.io
repository: kiwigrid/k8s-sidecar
tag: 1.25.2
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: quay.io
type: string
repository:
default: kiwigrid/k8s-sidecar
type: string
tag:
default: 1.25.2
type: string
type: object
type: object
ingress_class:
default: traefik
examples:
- traefik
type: string
domain_name:
default: your_company.com
examples:
- your_company.com
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
admin_name:
default: grafana_admin
examples:
- grafana_admin
type: string
sub_domain:
default: grafana
examples:
- grafana
type: string
app_group:
default: monitor
examples:
- monitor
type: string
storage:
default:
volume:
accessMode: ReadWriteOnce
class: ''
size: 10Gi
type: Filesystem
description: Configure this app storage
examples:
- volume:
accessMode: ReadWriteOnce
class: ''
size: 10Gi
type: Filesystem
properties:
volume:
default:
accessMode: ReadWriteOnce
class: ''
size: 10Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
class:
default: ''
type: string
size:
default: 10Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
type: object
dependencies: []
providers:
kubernetes: true
authentik: true
kubectl: true
postgresql: null
restapi: true
http: true
gitea: null
tfaddtype: null

28
monitor/grafana/monitoring.coreos.com_v1_ServiceMonitor_grafana.yaml
View File

@@ -1,28 +0,0 @@
# Source: grafana/templates/servicemonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
spec:
endpoints:
- port: service
interval: 30s
scrapeTimeout: 30s
honorLabels: true
path: /metrics
scheme: http
jobLabel: "grafana"
selector:
matchLabels:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
namespaceSelector:
matchNames:
- vynil-monitor

72
monitor/grafana/presentation.tf
View File

@@ -1,72 +0,0 @@
locals {
dns_name = "${var.sub_domain}.${var.domain_name}"
dns_names = [local.dns_name]
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
icon = "public/img/grafana_icon.svg"
request_headers = {
"Content-Type" = "application/json"
Authorization = "Bearer ${data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]}"
}
service = {
"name" = "grafana"
"port" = {
"number" = 80
}
}
}
module "ingress" {
source = "git::https://git.solidite.fr/vynil/kydah-modules.git//ingress"
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress_class = var.ingress_class
labels = local.common-labels
dns_names = local.dns_names
middlewares = []
services = [local.service]
providers = {
kubectl = kubectl
}
}
module "application" {
source = "git::https://git.solidite.fr/vynil/kydah-modules.git//application"
component = var.component
instance = var.instance
app_group = var.app_group
dns_name = local.dns_name
icon = local.icon
sub_groups = ["admin"]
protocol_provider = module.oauth2.provider-id
providers = {
authentik = authentik
}
}
module "oauth2" {
source = "git::https://git.solidite.fr/vynil/kydah-modules.git//oauth2"
component = var.component
instance = var.instance
namespace = var.namespace
domain = var.domain
labels = local.common-labels
dns_name = local.dns_name
redirect_path = "login/generic_oauth"
providers = {
kubernetes = kubernetes
kubectl = kubectl
authentik = authentik
}
}
provider "restapi" {
uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
headers = local.request_headers
create_method = "PATCH"
update_method = "PATCH"
destroy_method = "PATCH"
write_returns_object = true
id_attribute = "name"
}

20
monitor/grafana/rbac.authorization.k8s.io_v1_RoleBinding_grafana.yaml
View File

@@ -1,20 +0,0 @@
# Source: grafana/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: grafana
subjects:
- kind: ServiceAccount
name: grafana
namespace: vynil-monitor

16
monitor/grafana/rbac.authorization.k8s.io_v1_Role_grafana.yaml
View File

@@ -1,16 +0,0 @@
# Source: grafana/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "secrets"]
verbs: ["get", "watch", "list"]

19
monitor/grafana/secret.tf
View File

@@ -1,19 +0,0 @@
resource "kubectl_manifest" "grafana_secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "grafana-admin-user"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
forceRegenerate: false
data:
username: "${var.admin_name}"
fields:
- fieldName: "password"
length: "32"
EOF
}

26
monitor/grafana/v1_ConfigMap_grafana-config-dashboards.yaml
View File

@@ -1,26 +0,0 @@
# Source: grafana/templates/configmap-dashboard-provider.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
name: grafana-config-dashboards
namespace: vynil-monitor
data:
provider.yaml: |-
apiVersion: 1
providers:
- name: 'sidecarProvider'
orgId: 1
folder: ''
type: file
disableDeletion: false
allowUiUpdates: false
updateIntervalSeconds: 30
options:
foldersFromFilesStructure: false
path: /tmp/dashboards

20
monitor/grafana/v1_PersistentVolumeClaim_grafana.yaml
View File

@@ -1,20 +0,0 @@
# Source: grafana/templates/pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
finalizers:
- kubernetes.io/pvc-protection
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "10Gi"

13
monitor/grafana/v1_ServiceAccount_grafana.yaml
View File

@@ -1,13 +0,0 @@
---
# Source: grafana/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
name: grafana
namespace: vynil-monitor

22
monitor/grafana/v1_Service_grafana.yaml
View File

@@ -1,22 +0,0 @@
# Source: grafana/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: vynil-monitor
labels:
helm.sh/chart: grafana-7.2.4
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana
app.kubernetes.io/version: "10.2.3"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- name: service
port: 80
protocol: TCP
targetPort: 3000
selector:
app.kubernetes.io/name: grafana
app.kubernetes.io/instance: grafana