Add Grafana

deploy/base/kustomization.yaml

@@ -21,3 +21,56 @@ helmCharts:
   includeCRDs: true
   releaseName: prometheus
   valuesInline: {}
+- name: grafana
+  repo: https://grafana.github.io/helm-charts
+  version: "6.29.1"
+  releaseName: grafana
+  valuesInline:
+    admin:
+      existingSecret: grafana-credentials
+    # Seems to launch a failing container, disabling for now:
+    testFramework:
+      enabled: false
+    persistence:
+      enabled: false
+    # Note: datasources are patched in overlays to correct the URLs.
+    # Including here is required for the helm chart to mount the configmap
+    # volume.
+    datasources:
+      datasources.yaml:
+        apiVersion: 1
+        datasources:
+        - isDefault: true
+          name: Prometheus
+          type: prometheus
+          url: http://prometheus-server
+    dashboardProviders:
+      dashboardproviders.yaml:
+        apiVersion: 1
+        providers:
+        - name: 'default'
+          orgId: 1
+          folder: ''
+          type: file
+          disableDeletion: false
+          editable: true
+          options:
+            path: /var/lib/grafana/dashboards/default
+    dashboards:
+      default:
+        postgresql:
+          gnetId: 9628
+          revision: 7
+          datasource: Prometheus
+        node:
+          gnetId: 1860
+          revision: 26
+          datasource: Prometheus
+        nginx-ingress:
+          gnetId: 9614
+          revision: 1
+          datasource: Prometheus
+        kubernetes-apiserver:
+          gnetId: 12006
+          revision: 1
+          datasource: Prometheus

deploy/dev/deploy-grafana.yaml

@@ -0,0 +1,31 @@
+---
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_TYPE
+    value: postgres
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_HOST
+    value: dev-db
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_PORT
+    value: "5432"
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_USER
+    value: postgres
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_PASSWORD
+    value: testme
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_NAME
+    value: grafana

deploy/dev/grafana-datasources.yaml

@@ -0,0 +1,6 @@
+apiVersion: 1
+datasources:
+- isDefault: true
+  name: Prometheus
+  type: prometheus
+  url: http://dev-prometheus-server

deploy/dev/grafana.ini

@@ -0,0 +1,15 @@
+[analytics]
+reporting_enabled = false
+check_for_updates = false
+check_for_plugin_updates = false
+enable_feedback_links = false
+[grafana_net]
+url = https://grafana.net
+[log]
+mode = console
+; level = debug
+[paths]
+data = /var/lib/grafana/
+logs = /var/log/grafana
+plugins = /var/lib/grafana/plugins
+provisioning = /etc/grafana/provisioning

deploy/dev/kustomization.yaml

@@ -21,6 +21,17 @@ configMapGenerator:
   behavior: merge
   files:
   - prometheus.yml=prometheus.yaml
+- name: grafana
+  behavior: merge
+  files:
+  - grafana.ini
+  - datasources.yaml=grafana-datasources.yaml
+
+secretGenerator:
+- name: grafana-credentials
+  literals:
+  - admin-user=rob
+  - admin-password=testme
 
 patches:
 # Patch the ingress-nginx deployment to allow it to use a service with a
@@ -29,3 +40,9 @@ patches:
     kind: Deployment
     name: ingress-nginx-controller
   path: deploy-ingress-nginx.yaml
+
+# Patch Grafana deployment to inject PostgreSQL credentials:
+- target:
+    kind: Deployment
+    name: grafana
+  path: deploy-grafana.yaml

deploy/prod/deploy-grafana.yaml

@@ -0,0 +1,36 @@
+---
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_TYPE
+    value: postgres
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_HOST
+    value: prod-db
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_PORT
+    value: "5432"
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_USER
+    value: grafana
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_PASSWORD
+    value: ${GRAFANA_POSTGRESQL_PASSWORD}
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_NAME
+    value: grafana
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GF_DATABASE_SSL_MODE
+    value: require

deploy/prod/grafana-datasources.yaml

@@ -0,0 +1,7 @@
+apiVersion: 1
+datasources:
+- isDefault: true
+  name: Prometheus
+  type: prometheus
+  url: http://prod-prometheus-server
+

deploy/prod/grafana.ini

@@ -0,0 +1,15 @@
+[analytics]
+reporting_enabled = false
+check_for_updates = false
+check_for_plugin_updates = false
+enable_feedback_links = false
+[grafana_net]
+url = https://grafana.net
+[log]
+mode = console
+; level = debug
+[paths]
+data = /var/lib/grafana/
+logs = /var/log/grafana
+plugins = /var/lib/grafana/plugins
+provisioning = /etc/grafana/provisioning

deploy/prod/kustomization.yaml

@@ -9,13 +9,29 @@ configMapGenerator:
   behavior: merge
   files:
   - prometheus.yml=prometheus.yaml
+- name: grafana
+  behavior: merge
+  files:
+  - grafana.ini
+  - datasources.yaml=grafana-datasources.yaml
 
 secretGenerator:
 - name: prometheus-credentials
   files:
   - secrets/exporter-password
+- name: grafana-credentials
+  files:
+  - admin-user=secrets/grafana-admin-user
+  - admin-password=secrets/grafana-admin-password
 
 patches:
+# Patch the ingress-nginx deployment to allow it to use a service with a
+# namePrefix. See https://github.com/kubernetes/ingress-nginx/issues/2599#issuecomment-601170289.
+- target:
+    kind: Deployment
+    name: ingress-nginx-controller
+  path: deploy-ingress-nginx.yaml
+
 # Patch prometheus-server pod to mount the secrets volume.
 - target:
     kind: Deployment
@@ -25,7 +41,6 @@ patches:
       path: /spec/template/spec/volumes/-
       value:
         secret:
-          defaultMode: 420
           secretName: prod-prometheus-credentials
         name: secrets-volume
     - op: add
@@ -35,9 +50,8 @@ patches:
         name: secrets-volume
         readOnly: true
 
-# Patch the ingress-nginx deployment to allow it to use a service with a
+# Patch Grafana deployment to inject PostgreSQL credentials:
-# namePrefix. See https://github.com/kubernetes/ingress-nginx/issues/2599#issuecomment-601170289.
 - target:
     kind: Deployment
-    name: ingress-nginx-controller
+    name: grafana
-  path: deploy-ingress-nginx.yaml
+  path: deploy-grafana.yaml

deploy/prod/secrets/README.md

@@ -5,3 +5,7 @@ TODO: find a way to encrypt these secrets at rest on dev machine.
 ### exporter-password
 
 The basic auth password required to access node-exporter endpoints. See ansible-vault.
+
+### grafana-admin-user, grafana-admin-password
+
+The credentials used to create the Grafana admin user. See 1password.

deploy/prod/secrets/env.example

@@ -1,2 +1,3 @@
 NETFLUX_PRIVATE_IP=1.2.3.4
 POSTGRESQL_IP=1.2.3.4
+GRAFANA_POSTGRESQL_PASSWORD=hackme