diff --git a/cluster-scope/base/core/namespaces/grafana/kustomization.yaml b/cluster-scope/base/core/namespaces/grafana/kustomization.yaml
new file mode 100644
index 00000000..db7b3a84
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/grafana/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
diff --git a/cluster-scope/base/core/namespaces/grafana/namespace.yaml b/cluster-scope/base/core/namespaces/grafana/namespace.yaml
new file mode 100644
index 00000000..a0227a9f
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/grafana/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grafana
+spec: {}
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 4c5005e5..ca816db7 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -16,6 +16,7 @@ resources:
 - ../../bundles/multicluster-engine-operator
 - ../../base/core/namespaces/dex
 - ../../base/core/namespaces/nerc-ocp-prod
+- ../../base/core/namespaces/grafana
 - ../../base/operators.coreos.com/subscriptions/openshift-pipelines-operator
 - ../../base/operators.coreos.com/subscriptions/loki-operator
 - clusterversion.yaml
diff --git a/dex/overlays/nerc-ocp-infra/configmaps/files/config.yaml b/dex/overlays/nerc-ocp-infra/configmaps/files/config.yaml
index 961f5aae..c7727f9c 100644
--- a/dex/overlays/nerc-ocp-infra/configmaps/files/config.yaml
+++ b/dex/overlays/nerc-ocp-infra/configmaps/files/config.yaml
@@ -26,6 +26,7 @@ staticClients:
     name: Grafana
     redirectURIs:
       - https://logging-grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu/login/generic_oauth
+      - https://grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu/login/generic_oauth
     secretEnv: GRAFANA_SECRET
 connectors:
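Review bot: The new redirect URI is appended to the existing `grafana` static client, so the new Grafana instance now shares one client ID and the same `GRAFANA_SECRET` with `logging-grafana`; a leak of the client secret from either deployment compromises both, and the secret cannot be rotated for one instance without breaking the other. A separate static client per Grafana instance, each with exactly one redirect URI and its own `secretEnv`, keeps the blast radius to a single deployment. The `staticClients` entry this hunk edits starts above the hunk, so its `id` is not visible here.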
diff --git a/grafana/base/clusterrolebindings/grafana-serviceaccount-cluster-monitoring-view.yaml b/grafana/base/clusterrolebindings/grafana-serviceaccount-cluster-monitoring-view.yaml
new file mode 100644
index 00000000..c2534d98
--- /dev/null
+++ b/grafana/base/clusterrolebindings/grafana-serviceaccount-cluster-monitoring-view.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grafana-serviceaccount-cluster-monitoring-view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-monitoring-view
+subjects:
+- kind: ServiceAccount
+  name: grafana-serviceaccount
+  namespace: grafana
diff --git a/grafana/base/clusterrolebindings/kustomization.yaml b/grafana/base/clusterrolebindings/kustomization.yaml
new file mode 100644
index 00000000..fd973d2f
--- /dev/null
+++ b/grafana/base/clusterrolebindings/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana-serviceaccount-cluster-monitoring-view.yaml
diff --git a/grafana/base/kustomization.yaml b/grafana/base/kustomization.yaml
new file mode 100644
index 00000000..e408c25e
--- /dev/null
+++ b/grafana/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - operatorgroups
+  - subscriptions
+  - routes
+  - clusterrolebindings
+commonLabels:
+  app.kubernetes.io/name: grafana
+  app.kubernetes.io/component: grafana
+  app.kubernetes.io/part-of: observability
diff --git a/grafana/base/operatorgroups/grafana.yaml b/grafana/base/operatorgroups/grafana.yaml
new file mode 100644
index 00000000..175c9470
--- /dev/null
+++ b/grafana/base/operatorgroups/grafana.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  targetNamespaces:
+  - grafana
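Review bot: The ClusterRoleBinding grants cluster-wide `cluster-monitoring-view` to `grafana-serviceaccount` in `grafana`, yet nothing in this change creates that ServiceAccount — presumably the Grafana operator does, but that is not stated anywhere. RBAC subjects are matched purely by name, so the binding is dangling until the SA exists and is inherited by whatever is later created under that name in the namespace, including by anyone with create rights on ServiceAccounts there. A comment on the subject such as `# SA is created by grafana-operator (see grafanas/grafana.yaml); grants cluster-wide read of the monitoring stack` records the dependency and the scope of the grant.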
diff --git a/grafana/base/operatorgroups/kustomization.yaml b/grafana/base/operatorgroups/kustomization.yaml
new file mode 100644
index 00000000..7070604e
--- /dev/null
+++ b/grafana/base/operatorgroups/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana.yaml
diff --git a/grafana/base/routes/kustomization.yaml b/grafana/base/routes/kustomization.yaml
new file mode 100644
index 00000000..17cb406e
--- /dev/null
+++ b/grafana/base/routes/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- route.yaml
diff --git a/grafana/base/routes/route.yaml b/grafana/base/routes/route.yaml
new file mode 100644
index 00000000..eee7e683
--- /dev/null
+++ b/grafana/base/routes/route.yaml
@@ -0,0 +1,17 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  host: REPLACE_IN_OVERLAY
+  to:
+    kind: Service
+    name: grafana-service
+    weight: 100
+  port:
+    targetPort: grafana
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+  wildcardPolicy: None
diff --git a/grafana/base/subscriptions/grafana-operator.yaml b/grafana/base/subscriptions/grafana-operator.yaml
new file mode 100644
index 00000000..f19bda9e
--- /dev/null
+++ b/grafana/base/subscriptions/grafana-operator.yaml
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: grafana-operator
+  namespace: grafana
+spec:
+  channel: v4
+  installPlanApproval: Automatic
+  name: grafana-operator
+  source: community-operators
+  sourceNamespace: openshift-marketplace
diff --git a/grafana/base/subscriptions/kustomization.yaml b/grafana/base/subscriptions/kustomization.yaml
new file mode 100644
index 00000000..02f3c336
--- /dev/null
+++ b/grafana/base/subscriptions/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana-operator.yaml
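Review bot: `installPlanApproval: Automatic` combined with `source: community-operators` on `channel: v4` lets every new community release of the operator roll into the cluster with no review, and this operator deploys a workload that holds the Dex client secret and a cluster-wide monitoring token, so an upstream compromise or a bad release lands directly on those credentials. Gate upgrades by setting `installPlanApproval: Manual` and pinning the vetted release with `startingCSV: <known-good grafana-operator CSV>`, or at minimum add a comment naming the version that was reviewed. If automatic approval is a deliberate trade-off for this infra cluster, a comment stating that above `installPlanApproval` would stop the next reader from re-raising it.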
diff --git a/grafana/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml b/grafana/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml
new file mode 100644
index 00000000..a7f259f5
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- oauth-client-secret.yaml
diff --git a/grafana/overlays/nerc-ocp-infra/externalsecrets/oauth-client-secret.yaml b/grafana/overlays/nerc-ocp-infra/externalsecrets/oauth-client-secret.yaml
new file mode 100644
index 00000000..33b09ced
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/externalsecrets/oauth-client-secret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: oauth-client-secret
+  namespace: grafana
+spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
+  target:
+    name: oauth-client-secret
+  data:
+  - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+    remoteRef:
+      key: nerc/nerc-ocp-infra/dex/dex-clients
+      property: GRAFANA_SECRET
diff --git a/grafana/overlays/nerc-ocp-infra/grafanadatasources/kustomization.yaml b/grafana/overlays/nerc-ocp-infra/grafanadatasources/kustomization.yaml
new file mode 100644
index 00000000..0d3b41ca
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/grafanadatasources/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - observability-metrics.yaml
diff --git a/grafana/overlays/nerc-ocp-infra/grafanadatasources/observability-metrics.yaml b/grafana/overlays/nerc-ocp-infra/grafanadatasources/observability-metrics.yaml
new file mode 100644
index 00000000..58ce0280
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/grafanadatasources/observability-metrics.yaml
@@ -0,0 +1,21 @@
+apiVersion: integreatly.org/v1alpha1
+kind: GrafanaDataSource
+metadata:
+  name: observability-metrics
+  namespace: grafana
+spec:
+  name: observability-metrics
+  datasources:
+  - name: observability-metrics
+    access: proxy
+    editable: false
+    isDefault: true
+    jsonData:
+      httpHeaderName1: Authorization
+      timeInterval: 5s
+      tlsAuthWithCACert: true
+    secureJsonData:
+      httpHeaderValue1: "Bearer ${token}"
+      tlsCACert: "${service-ca.crt}"
+    type: prometheus
+    url: 'http://observability-thanos-query.open-cluster-management-observability.svc.cluster.local:9090/'
diff --git a/grafana/overlays/nerc-ocp-infra/grafanas/grafana.yaml b/grafana/overlays/nerc-ocp-infra/grafanas/grafana.yaml
new file mode 100644
index 00000000..a866441d
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/grafanas/grafana.yaml
@@ -0,0 +1,31 @@
+apiVersion: integreatly.org/v1alpha1
+kind: Grafana
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  deployment:
+    envFrom:
+    - secretRef:
+        name: oauth-client-secret
+    - secretRef:
+        name: grafana-serviceaccount-token
+    - configMapRef:
+        name: openshift-service-ca.crt
+  config:
+    server:
+      root_url: https://grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu
+    auth.generic_oauth:
+      enabled: true
+      scopes: openid email groups profile
+      email_attribute_path: name
+      api_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/userinfo
+      auth_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/auth
+      token_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/token
+      role_attribute_path: >-
+        contains(groups[*], 'cluster-admins') && 'Admin' ||
+        contains(groups[*], 'nerc-org-admins') && 'Admin' ||
+        contains(groups[*], 'nerc-ops') && 'Editor' ||
+        'Deny'
+      role_attribute_strict: true
+      client_id: grafana
diff --git a/grafana/overlays/nerc-ocp-infra/grafanas/kustomization.yaml b/grafana/overlays/nerc-ocp-infra/grafanas/kustomization.yaml
new file mode 100644
index 00000000..7070604e
--- /dev/null
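Review bot: The datasource `url` is plain `http://…:9090/` while `tlsAuthWithCACert: true` and `tlsCACert: "${service-ca.crt}"` are also set; TLS settings have no effect on an `http` URL, and the `Bearer ${token}` header — the service-account token that carries cluster-wide `cluster-monitoring-view` — is therefore sent in clear text between pods. Either point at an `https://` endpoint so the CA configuration actually applies, or, if the plain Thanos query port is deliberate, drop the two misleading TLS keys and add a comment explaining why a bearer token is still sent to it. Whether the target enforces that token at all cannot be told from here, so confirm against the service before relying on it as the access control.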
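Review bot: `email_attribute_path: name` maps the `name` claim into Grafana's email field, which reads like a typo for `email` and would make each user's identity key a mutable display name rather than the address Dex verifies; unless that is intentional, change it to `email_attribute_path: email` (the `email` scope is already requested). The `role_attribute_path` / `role_attribute_strict: true` / `'Deny'` fallback is the right shape for denying users outside the listed groups; if the deployed Grafana version supports them, `allowed_groups` and `use_pkce: true` would add a second, independent gate and protect the authorization-code exchange. A short comment above `role_attribute_path` stating which Dex groups map to which Grafana role would help the next person editing the mapping.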
+++ b/grafana/overlays/nerc-ocp-infra/grafanas/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana.yaml
diff --git a/grafana/overlays/nerc-ocp-infra/kustomization.yaml b/grafana/overlays/nerc-ocp-infra/kustomization.yaml
new file mode 100644
index 00000000..7a14722c
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grafana
+
+resources:
+  - ../../base/
+  - externalsecrets/
+  - grafanas
+  - grafanadatasources
+
+patches:
+  - path: patches/grafana-route.yaml
+
+secretGenerator:
+  - name: grafana-serviceaccount-token
+    type: kubernetes.io/service-account-token
+    options:
+      disableNameSuffixHash: true
+      annotations:
+        kubernetes.io/service-account.name: grafana-serviceaccount
diff --git a/grafana/overlays/nerc-ocp-infra/patches/grafana-route.yaml b/grafana/overlays/nerc-ocp-infra/patches/grafana-route.yaml
new file mode 100644
index 00000000..a0e6a952
--- /dev/null
+++ b/grafana/overlays/nerc-ocp-infra/patches/grafana-route.yaml
@@ -0,0 +1,7 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  host: grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu
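Review bot: The `secretGenerator` entry creates a legacy `kubernetes.io/service-account-token` secret, i.e. a non-expiring token for `grafana-serviceaccount`, which the ClusterRoleBinding in this change binds to cluster-wide `cluster-monitoring-view`; the Grafana CR then loads it through `envFrom`, so the raw token sits in the Grafana process environment, readable by anyone with exec or debug access to the pod. If a static token is unavoidable for the datasource, document its lifetime and rotation, e.g. `# non-expiring SA token consumed by the datasource via ${token}; rotate by deleting the secret so the token controller re-issues it`, and prefer a bound/projected token if the operator can mount one. `disableNameSuffixHash: true` is required because the Grafana CR references the secret by its fixed name, so that option is fine as is.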