Custom grafana dashboard #317
Conversation
Why? |
schwesig
force-pushed
the
custom-grafana-dashboard
branch
from
271f199 to
f01f908
Compare
|
@larsks after a couple hours going crazy testing out a custom dashboard in the ACM grafana, I can't explain why, but naming the dashboard anything but |
|
@computate thanks for checking the argocd naming problem we had and confirming it. |
computate
force-pushed
the
custom-grafana-dashboard
branch
4 times, most recently
from
2a74c05 to
513a5a7
Compare
|
@larsks I'm having trouble with the Patch Operator with this PR. I have applied the changes from this branch to test it: The Patches say oc --as system:admin -n grafana get patch/grafana-oauth -o yaml | grep 'status:' -A 20
oc --as system:admin -n grafana get patch/grafanadatasource-observability-metrics -o yaml | grep 'status:' -A 20But the objects are not patched: oc --as system:admin -n grafana get grafana/grafana -o yaml | grep 'root_url:'
oc --as system:admin -n grafana get grafanadatasource/observability-metrics -o yaml | grep 'secureJsonData:' -A 2@larsks Can you please help me understand why the patches are not working, and if I need this ClusterRoleBinding? apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: grafana-node-labeler-patcher
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: node-labeler
subjects:
- kind: ServiceAccount
name: patcher
namespace: grafana |
|
@computate, looking at the logs for the patch operator, we see the following errors after creating the Patch resource: It looks like a permissions issue; we'll need to add some RBAC to provide the necessary permissions. ...but the |
|
Add this RBAC to your pr and things seem to work as expected: Following our organizational model, that should go into the |
...or not, since I see the |
|
@computate, looking at https://github.com/grafana-operator/grafana-operator/blob/v3.6.0/documentation/env_vars.md this patching may no longer be necessary. I'm not 100% positive; followed grafana/grafana-operator#130 to find that link and I'm taking a closer look now. |
|
I think you ought to be able to do something like this... In the Grafana resource: And in grafana-secrets: You should be patching |
|
@computate with this latest set of changes I think everything is working (and no more patch operator required). |
larsks
force-pushed
the
custom-grafana-dashboard
branch
from
89a9b74 to
39577cb
Compare
This will allow cluster-admins, nerc-org-admins, and nerc-ops teams to develop new dashboards using the existing multi-cluster observability metrics. rh-pre-commit.version: 2.0.3 rh-pre-commit.check-secrets: ENABLED
We're reusing the dex configuration for logging-grafana, but we had not updated the list of valid redirect urls in Dex, so oauth logins were failing.
Previously we were storing a service account token in the vault and retrieving it via an ExternalSecret. This is not necessary; Kubernetes already has the ability to populate a Secret with the token for a service account [1]. [1]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token
This commit removes the patch-operator [1] based patches and accompanying support resources such as service accounts, RBAC, etc. [1]: https://github.com/redhat-cop/patch-operator
We're not using the grafana-config-overrides ConfigMap.
Grafana supports setting configuration from environment variables [1]. This commit renames the secret key in the oauth-client-secret resource to match the required variable name pattern so that Grafana will get the oauth client secret from the environment. [1]: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#override-configuration-with-environment-variables
Grafana supports environment variable substitution in data sources [1]. This commit modifies the observability-metrics datasource to get the service account token and CA certificate from the environment, rather than using a live patch. [1]: https://grafana.com/docs/grafana/latest/administration/provisioning/#using-environment-variables
The server root_url and the oauth client id are not dynamic nor are they secret, so we can set them statically rather than patching them.
This commit modifies the Grafana resource to read environment variables from the oauth-client-secret and grafana-serviceaccount-token Secrets and the openshift-service-ca.crt ConfigMap.
This commit has some minor formatting changes that didn't really fit in anywhere else.
larsks
force-pushed
the
custom-grafana-dashboard
branch
from
39577cb to
968d127
Compare
grafana/overlays/nerc-ocp-infra/grafanadatasources/observability-metrics.yaml
Outdated
Show resolved
Hide resolved
computate
force-pushed
the
custom-grafana-dashboard
branch
from
960850c to
ca68014
Compare
A new custom Grafana dashboard was created and tested by bringing in metrics from ArgoCD. ArgoCD provides a JSON template download, and code from the JSON download could be copied into the config file and appropriate changes made to ensure metrics from ArgoCD dashboard are pulled in and made visible in the custom Grafana dashboard. Additional information is available at https://grafana.com/grafana/dashboards/14584-argocd/
A key item to make a note of is that one cannot use the word "ArgoCD" or "argocd" just by itself in the value for the key "title" in the grafana-dashboard-argocd.yaml. When changed to "ArgoCD xxxxx" ("ArgoCD stats" in our case and it worked fine.