From 9f62bacdb93007e38fd768f96d78ae122361c792 Mon Sep 17 00:00:00 2001 From: nicholaskuechler Date: Wed, 11 Sep 2024 12:59:16 -0500 Subject: [PATCH] feat: Adds prometheus and grafana stack for monitoring --- apps/appsets/argocd-operators-project.yaml | 5 +++ apps/appsets/operators.yaml | 20 ++++++++++ components/dex/secretstore-dex.yaml | 1 + components/dex/values.yaml | 10 +++++ docs/user-guide/monitoring.md | 7 ++++ mkdocs.yml | 1 + operators/monitoring/README.md | 3 ++ .../external-secret-grafana-sso.yaml | 20 ++++++++++ operators/monitoring/values.tpl.yaml | 39 +++++++++++++++++++ scripts/gitops-secrets-gen.sh | 2 +- 10 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 docs/user-guide/monitoring.md create mode 100644 operators/monitoring/README.md create mode 100644 operators/monitoring/external-secret-grafana-sso.yaml create mode 100644 operators/monitoring/values.tpl.yaml diff --git a/apps/appsets/argocd-operators-project.yaml b/apps/appsets/argocd-operators-project.yaml index 2fab7d7f..1f2206dc 100644 --- a/apps/appsets/argocd-operators-project.yaml +++ b/apps/appsets/argocd-operators-project.yaml @@ -20,6 +20,11 @@ spec: server: '*' - namespace: 'rook-ceph' server: '*' + - namespace: 'monitoring' + server: '*' + # kube-system is used by kube-prometheus-stack + - namespace: 'kube-system' + server: '*' clusterResourceWhitelist: - group: '*' kind: '*' diff --git a/apps/appsets/operators.yaml b/apps/appsets/operators.yaml index 29b07d84..494e3b2a 100644 --- a/apps/appsets/operators.yaml +++ b/apps/appsets/operators.yaml 
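Review bot: Adding `kube-system` as a destination gives every Application in the operators AppProject write access to the control-plane namespace, not only the monitoring component, and the inline comment does not say which objects need it. The project already whitelists every cluster-scoped resource (`clusterResourceWhitelist` with `group: '*'`/`kind: '*'` in the context lines), so the marginal privilege is limited, but the reason should be recorded: kube-prometheus-stack creates Service/Endpoints objects in kube-system for its kube-controller-manager, kube-scheduler, etcd and kube-proxy scrape targets, and if those are not reachable in this cluster (managed control plane) disabling them in values (`kubeControllerManager.enabled: false` and the sibling keys) lets this destination be dropped again. Consider expanding the comment to `# kube-system: kube-prometheus-stack creates Service/Endpoints there for control-plane scrape targets; no other component should rely on this destination`, and, if the entry must stay, a `namespaceResourceBlacklist` for `Role`/`RoleBinding` so a compromised deploy repo cannot grant itself bindings in kube-system through this path.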
@@ -69,6 +69,26 @@ spec: - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}' targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}' path: 'operators/rabbitmq-system' + - component: monitoring + componentNamespace: monitoring + skipComponent: '{{has "monitoring" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}' + sources: + - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}' + targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}' + path: 'operators/monitoring' + ref: understack + - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}' + targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}' + ref: deploy + - repoURL: https://prometheus-community.github.io/helm-charts + chart: kube-prometheus-stack + targetRevision: 62.6.0 + helm: + releaseName: kube-prometheus-stack + valueFiles: + - $understack/operators/monitoring/values.yaml + - $deploy/helm-configs/{{.name}}/monitoring.yaml + ignoreMissingValueFiles: true selector: # by setting the key in the elements 'skipComponent' to 'true' it will skip installing it # ArgoCD's templating operates with strings so it's the string "true" diff --git a/components/dex/secretstore-dex.yaml b/components/dex/secretstore-dex.yaml index 6afb2df0..561cd170 100644 --- a/components/dex/secretstore-dex.yaml +++ b/components/dex/secretstore-dex.yaml @@ -29,6 +29,7 @@ rules: - argocd-sso - nautobot-sso - keystone-sso + - grafana-sso - apiGroups: - authorization.k8s.io resources: diff --git a/components/dex/values.yaml b/components/dex/values.yaml index c040f3a0..f1ea2a57 100644 --- a/components/dex/values.yaml +++ b/components/dex/values.yaml @@ -54,6 +54,11 @@ config: name: "OpenStack Keystone" redirectURIs: - "https://keystone.$DNS_ZONE/redirect_uri" + - id: grafana + secretEnv: GRAFANA_SSO_CLIENT_SECRET + name: "Undercloud Grafana" + redirectURIs: + - "https://grafana.$DNS_ZONE/login/generic_oauth" envVars: - name: NAUTOBOT_SSO_CLIENT_SECRET 
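Review bot: `ignoreMissingValueFiles: true` combined with the `$understack/operators/monitoring/values.yaml` path means a missing or un-rendered values file is not an error: the commit only adds `operators/monitoring/values.tpl.yaml`, so this presumably depends on a render step elsewhere in the repo, and if that step is skipped ArgoCD quietly installs kube-prometheus-stack with chart defaults (no Dex OAuth, the chart's built-in Grafana admin password, no ingress). The flag is a single switch for all `valueFiles`, so it cannot be limited to the per-deployment `$deploy/helm-configs/{{.name}}/monitoring.yaml` override; a CI check that the rendered `values.yaml` exists, or committing the rendered file, would make that failure mode loud. Pinning the chart to `62.6.0` is good; a comment above it such as `# bumping this chart may change which kube-system objects it creates; see the AppProject destination` ties the two changes in this commit together.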
@@ -100,3 +105,8 @@ envVars: name: oidc-sso key: redirect-uri optional: true + - name: GRAFANA_SSO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: grafana-sso + key: client-secret diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md new file mode 100644 index 00000000..d0b2b1f4 --- /dev/null +++ b/docs/user-guide/monitoring.md @@ -0,0 +1,7 @@ +# Monitoring Stack + +UnderStack uses the `kube-prometheus-stack` which is a prometheus + grafana monitoring stack + + + +It uses the namespace: `monitoring` diff --git a/mkdocs.yml b/mkdocs.yml index 9dec2cd5..2d555eda 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -126,4 +126,5 @@ nav: - user-guide/rabbitmq-cheat-sheet.md - user-guide/mariadb-operator-cheat-sheet.md - user-guide/postgres-operator-cheat-sheet.md + - user-guide/monitoring.md - Workflows: workflows/ diff --git a/operators/monitoring/README.md b/operators/monitoring/README.md new file mode 100644 index 00000000..3431f1e0 --- /dev/null +++ b/operators/monitoring/README.md @@ -0,0 +1,3 @@ +# kube-prometheus-stack for monitoring + +Read more in the docs: diff --git a/operators/monitoring/external-secret-grafana-sso.yaml b/operators/monitoring/external-secret-grafana-sso.yaml new file mode 100644 index 00000000..b2fc9907 --- /dev/null +++ b/operators/monitoring/external-secret-grafana-sso.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: grafana-sso +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: dex + target: + name: grafana-sso + creationPolicy: Owner + deletionPolicy: Delete + dataFrom: + - extract: + key: grafana-sso + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None diff --git a/operators/monitoring/values.tpl.yaml b/operators/monitoring/values.tpl.yaml new file mode 100644 index 00000000..9d5c905f --- /dev/null +++ b/operators/monitoring/values.tpl.yaml 
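Review bot: The new `GRAFANA_SSO_CLIENT_SECRET` reference has no `optional: true`, so the dex pod cannot start whenever the `grafana-sso` Secret is absent from the dex namespace, which would take SSO down for argocd, nautobot and keystone as well. That is likely acceptable because `scripts/gitops-secrets-gen.sh` in this same patch generates the secret unconditionally, even when the monitoring component is skipped through `uc_skip_components`, but the coupling is not obvious from this file; a comment like `# dex will not start without this Secret; gitops-secrets-gen.sh creates it regardless of whether monitoring is deployed` would help. Making the reference optional is not the fix, since Dex would then be configured with an empty or missing client secret for the grafana client.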
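Review bot: `refreshInterval: 1h` means a rotated Dex client secret reaches the `monitoring/grafana-sso` Secret within an hour, but the Grafana values in this patch consume it through `envValueFrom`, i.e. as environment variables read at container start, so a rotation only takes effect after a Grafana pod restart; worth stating next to the interval, e.g. `# rotation: the Secret syncs within 1h, but Grafana reads it as env vars at startup - restart the pod`. `dataFrom.extract` also copies every key of the dex-side Secret into the monitoring namespace while the Grafana values read only `client-id`, `client-secret` and `issuer`; listing those three under `data:` would keep the copied Secret minimal and make the contract explicit (any further keys in the source Secret are not visible in this diff).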
@@ -0,0 +1,39 @@ +grafana: + envValueFrom: + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: + secretKeyRef: + name: grafana-sso + key: client-id + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: + secretKeyRef: + name: grafana-sso + key: client-secret + GF_AUTH_GENERIC_OAUTH_ISSUER: + secretKeyRef: + name: grafana-sso + key: issuer + grafana.ini: + auth.generic_oauth: + name: Dex + enabled: true + client_id: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID} + client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET} + scopes: openid email profile groups offline_access + auth_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/auth + token_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/token + api_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/userinfo + server: + root_url: https://%(domain)s + + ingress: + enabled: true + ingressClassName: "nginx" + hosts: + - grafana.${DNS_ZONE} + tls: + - hosts: + - grafana.${DNS_ZONE} + secretName: grafana-ingress-tls + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh index 87c372f6..39b57f82 100755 --- a/scripts/gitops-secrets-gen.sh +++ b/scripts/gitops-secrets-gen.sh @@ -215,7 +215,7 @@ echo "Checking dex" ## Dex based SSO Auth. Client Configurations mkdir -p "${DEST_DIR}/dex/" # clients generated are in the list below -for client in nautobot argo argocd keystone; do +for client in nautobot argo argocd keystone grafana; do if [ ! -f "${DEST_DIR}/dex/secret-${client}-sso-dex.yaml" ]; then SSO_SECRET=$("${SCRIPTS_DIR}/pwgen.sh") kubectl --namespace dex \
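Review bot: Grafana is exposed through the nginx ingress on `grafana.${DNS_ZONE}` with the login form still enabled and `grafana.adminPassword` left at the kube-prometheus-stack default (`prom-operator`), so the OAuth configuration does not close the default-credential path; point `grafana.admin.existingSecret` at a generated Secret (the same generation path used for the dex client secrets would fit) and disable form login once SSO is confirmed working. The `groups` scope is requested but nothing consumes it: without `allowed_groups`/`role_attribute_path`, every identity Dex can authenticate gets an account (`allow_sign_up` defaults to true) as Viewer and nobody becomes Admin through SSO, so authorization silently falls back to the admin password. `use_pkce: true` is also missing for the authorization-code flow. The `nginx.ingress.kubernetes.io/rewrite-target: /` annotation is a no-op for the `/` path and would break the `/login/generic_oauth` callback if the path were ever narrowed; drop it.

```yaml
grafana:
  # … unchanged: envValueFrom …
  admin:
    existingSecret: grafana-admin   # TODO: generate alongside the dex client secrets; never keep the chart default
    userKey: admin-user
    passwordKey: admin-password
  grafana.ini:
    auth:
      disable_login_form: true      # SSO only; the admin account stays reachable via basic auth/API for break-glass
    auth.generic_oauth:
      # … unchanged: name, enabled, client_id, client_secret, scopes, auth_url, token_url, api_url …
      use_pkce: true
      allow_sign_up: true
      groups_attribute_path: groups
      allowed_groups: "grafana-users"   # TODO: replace with the Dex/IdP group(s) that should get access
      role_attribute_path: "contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'"
      role_attribute_strict: true
    # … unchanged: server.root_url …
  # … unchanged: ingress, without the rewrite-target annotation …
```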