diff --git a/_apps/graphs.yaml b/_apps/graphs.yaml
new file mode 100644
index 0000000..dd26de2
--- /dev/null
+++ b/_apps/graphs.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: graphs
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: graphs
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: graphs
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: graphs
diff --git a/graphs/Makefile b/graphs/Makefile
new file mode 100644
index 0000000..4a7eab5
--- /dev/null
+++ b/graphs/Makefile
@@ -0,0 +1,10 @@
+build:
+ helm3 template graphs --namespace=graphs stable/grafana \
+ -f grafana-config.yaml \
+ > grafana.yaml
+.PHONY: build
+
+update:
+ helm3 repo update
+ helm3 search repo grafana
+.PHONY: update
diff --git a/graphs/grafana-config.yaml b/graphs/grafana-config.yaml
new file mode 100644
index 0000000..ae9ba3a
--- /dev/null
+++ b/graphs/grafana-config.yaml
@@ -0,0 +1,18 @@
+ingress:
+ enabled: true
+ hosts:
+ - graphs.tbrnt.ch
+ tls:
+ - hosts:
+ - graphs.tbrnt.ch
+ secretName: graphs-tbrnt-ch-cert
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+
+persistence:
+ enabled: true
+ size: 1Gi
+ storageClassName: local-path
+
+rbac:
+ namespaced: true
diff --git a/graphs/grafana.yaml b/graphs/grafana.yaml
new file mode 100644
index 0000000..4d41de9
--- /dev/null
+++ b/graphs/grafana.yaml
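Review bot: The Application is bound to `project: default`, which in a stock Argo CD install allows any source repository and any destination cluster/namespace, so nothing constrains what a future edit of this manifest (or of `graphs/`) can deploy or where. A dedicated AppProject whose `sourceRepos` is limited to this repo and whose `destinations` is limited to the `graphs` namespace on the in-cluster server would turn that into an enforced boundary; then set `project: graphs` here. Note also that `targetRevision: HEAD` tracks the repository's default branch, so anyone with push rights to that branch is effectively a cluster deployer for this namespace — pinning to a protected branch name makes that dependency explicit. The `resources-finalizer` means deleting this Application cascades to everything it synced, which is presumably intended but worth a one-line comment such as `# cascade-delete: removing this Application removes the Grafana release`.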
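Review bot: The `build` target renders `stable/grafana` without a `--version`, so after any `make update` the next `make build` silently re-renders against whatever chart version the repo index now serves, while the committed output is labelled `helm.sh/chart: grafana-5.0.7`. Pin the chart so rebuilds are reproducible and an upgrade is a deliberate, reviewable diff: `helm3 template graphs --namespace=graphs stable/grafana --version 5.0.7 \`. It also looks like each render regenerates the Secret's `admin-password` (the committed value is a 40-character random string), so every rebuild rotates and re-commits a credential; this is better solved in the values file by supplying an existing secret, but a comment on `build` noting the side effect would help until then.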
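Review bot: The values file sets no `admin` stanza, so the chart generates the Grafana admin password and writes it into the rendered `graphs/grafana.yaml` Secret (`admin-password: "aHJY…"`), which this commit checks into git — the admin credential of a TLS-exposed Grafana is now stored in the repository, base64 only. Create the Secret out of band (or via a sealed/encrypted-secrets mechanism) and point the chart at it so nothing sensitive is rendered: `admin:` / `  existingSecret: graphs-grafana-admin` (the chart's `admin.existingSecret` value; confirm it is supported by chart 5.0.7). Since the Ingress terminates TLS, the rendered `grafana.ini` could also carry `[security] cookie_secure = true` via the `grafana.ini` values map, which the current output lacks. Rotating the password that is already in history should be treated as part of landing this fix.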
@@ -0,0 +1,462 @@ +--- +# Source: grafana/templates/podsecuritypolicy.yaml +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, without DAC_OVERRIDE or CHOWN + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - SETPCAP + - NET_BIND_SERVICE + - NET_RAW + - SYS_CHROOT + - MKNOD + - AUDIT_WRITE + - SETFCAP + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +# Source: grafana/templates/tests/test-podsecuritypolicy.yaml +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: graphs-grafana-test + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +spec: + allowPrivilegeEscalation: true + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + fsGroup: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + volumes: + - configMap + - downwardAPI + - emptyDir + - 
projected + - secret +--- +# Source: grafana/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + name: graphs-grafana + namespace: graphs +--- +# Source: grafana/templates/tests/test-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + name: graphs-grafana-test + namespace: graphs +--- +# Source: grafana/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +type: Opaque +data: + admin-user: "YWRtaW4=" + admin-password: "aHJYRjhyYWlERnU4dXZXSEV1MG1wU3pNNDlvS0ZEWXZ1WHl3dTRiYw==" + ldap-toml: "" +--- +# Source: grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +data: + grafana.ini: | + [analytics] + check_for_updates = true + [grafana_net] + url = https://grafana.net + [log] + mode = console + [paths] + data = /var/lib/grafana/data + logs = /var/log/grafana + plugins = /var/lib/grafana/plugins + provisioning = /etc/grafana/provisioning +--- +# Source: grafana/templates/tests/test-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: graphs-grafana-test + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + 
app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +data: + run.sh: |- + @test "Test Health" { + url="http://graphs-grafana/api/health" + + code=$(wget --server-response --spider --timeout 10 --tries 1 ${url} 2>&1 | awk '/^ HTTP/{print $2}') + [ "$code" == "200" ] + } +--- +# Source: grafana/templates/pvc.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + finalizers: + - kubernetes.io/pvc-protection +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "1Gi" + storageClassName: local-path +--- +# Source: grafana/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [graphs-grafana] +--- +# Source: grafana/templates/tests/test-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: graphs-grafana-test + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [graphs-grafana-test] +--- +# Source: grafana/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + 
app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: graphs-grafana +subjects: +- kind: ServiceAccount + name: graphs-grafana + namespace: graphs +roleRef: + kind: Role + name: graphs-grafana + apiGroup: rbac.authorization.k8s.io +--- +# Source: grafana/templates/tests/test-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: graphs-grafana-test + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: graphs-grafana-test +subjects: +- kind: ServiceAccount + name: graphs-grafana-test + namespace: graphs +--- +# Source: grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: service + port: 80 + protocol: TCP + targetPort: 3000 + + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs +--- +# Source: grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: grafana + 
app.kubernetes.io/instance: graphs + annotations: + checksum/config: 378f8b0535bbb95fa6bc2a67c0998ab74f1a81e500ded52735991a4544090318 + checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/secret: 192d9b188535705296445a5c4c2fe86de6e0b4058777e7cdb2709917f9bf7c55 + spec: + + serviceAccountName: graphs-grafana + securityContext: + fsGroup: 472 + runAsUser: 472 + initContainers: + - name: init-chown-data + image: "busybox:1.31.1" + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 0 + command: ["chown", "-R", "472:472", "/var/lib/grafana"] + resources: + {} + volumeMounts: + - name: storage + mountPath: "/var/lib/grafana" + containers: + - name: grafana + image: "grafana/grafana:6.6.2" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: storage + mountPath: "/var/lib/grafana" + ports: + - name: service + containerPort: 80 + protocol: TCP + - name: grafana + containerPort: 3000 + protocol: TCP + env: + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: graphs-grafana + key: admin-user + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: graphs-grafana + key: admin-password + livenessProbe: + failureThreshold: 10 + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + {} + volumes: + - name: config + configMap: + name: graphs-grafana + - name: storage + persistentVolumeClaim: + claimName: graphs-grafana +--- +# Source: grafana/templates/ingress.yaml +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: graphs-grafana + namespace: graphs + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + 
app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + tls: + - hosts: + - graphs.tbrnt.ch + secretName: graphs-tbrnt-ch-cert + rules: + - host: graphs.tbrnt.ch + http: + paths: + + - path: / + backend: + serviceName: graphs-grafana + servicePort: 80 +--- +# Source: grafana/templates/tests/test.yaml +apiVersion: v1 +kind: Pod +metadata: + name: graphs-grafana-test + labels: + helm.sh/chart: grafana-5.0.7 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: graphs + app.kubernetes.io/version: "6.6.2" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test-success + namespace: graphs +spec: + serviceAccountName: graphs-grafana-test + containers: + - name: graphs-test + image: "bats/bats:v1.1.0" + command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] + volumeMounts: + - mountPath: /tests + name: tests + readOnly: true + volumes: + - name: tests + configMap: + name: graphs-grafana-test + restartPolicy: Never