the-distro/gerrit-monitoring
0
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Sort monitoring and logging components into sub-maps in the config

Browse source 
This is done in preparation to allow multiple logging stacks.

Change-Id: I950200805ec01851bfdf6ccc3a5243893a947616
This commit is contained in:
Thomas Draebing 2020-05-20 15:56:57 +02:00
parent 3887f2b53c
commit 3b4005a047
17 changed files with 120 additions and 118 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
README.md
View file

@ -77,43 +77,43 @@ setup, some configuration is highly dependent on the specific installation.
These options have to be configured in the `./config.yaml` before installing and
are listed here:
| option | description |
|-----------------------------------------|----------------------------------------------------------------------------------------|
| `gerritServers` | List of Gerrit servers to scrape. For details refer to section [below](#gerritServers) |
| `namespace` | The namespace the charts are installed to |
| `tls.skipVerify` | Whether to skip TLS certificate verification |
| `tls.caCert` | CA certificate used for TLS certificate verification |
| `prometheus.server.host` | Prometheus server ingress hostname |
| `prometheus.server.username` | Username for Prometheus |
| `prometheus.server.password` | Password for Prometheus |
| `prometheus.server.tls.cert` | TLS certificate |
| `prometheus.server.tls.key` | TLS key |
| `prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
| `prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
| `loki.host` | Loki ingress hostname |
| `loki.username` | Username for Loki |
| `loki.password` | Password for Loki |
| `loki.s3.protocol` | Protocol used for communicating with S3 |
| `loki.s3.host` | Hostname of the S3 object store |
| `loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
| `loki.s3.secret` | The secret associated with the accessToken |
| `loki.s3.bucket` | The name of the S3 bucket |
| `loki.s3.region` | The region in which the S3 bucket is hosted |
| `loki.tls.cert` | TLS certificate |
| `loki.tls.key` | TLS key |
| `grafana.host` | Grafana ingress hostname |
| `grafana.tls.cert` | TLS certificate |
| `grafana.tls.key` | TLS key |
| `grafana.admin.username` | Username for the admin user |
| `grafana.admin.password` | Password for the admin user |
| `grafana.ldap.enabled` | Whether to enable LDAP |
| `grafana.ldap.host` | Hostname of LDAP server |
| `grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
| `grafana.ldap.password` | Password of LDAP server |
| `grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
| `grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
| `grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
| `grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
| option | description |
|----------------------------------------------------|----------------------------------------------------------------------------------------|
| `gerritServers` | List of Gerrit servers to scrape. For details refer to section [below](#gerritServers) |
| `namespace` | The namespace the charts are installed to |
| `tls.skipVerify` | Whether to skip TLS certificate verification |
| `tls.caCert` | CA certificate used for TLS certificate verification |
| `monitoring.prometheus.server.host` | Prometheus server ingress hostname |
| `monitoring.prometheus.server.username` | Username for Prometheus |
| `monitoring.prometheus.server.password` | Password for Prometheus |
| `monitoring.prometheus.server.tls.cert` | TLS certificate |
| `monitoring.prometheus.server.tls.key` | TLS key |
| `monitoring.prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
| `monitoring.prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
| `monitoring.grafana.host` | Grafana ingress hostname |
| `monitoring.grafana.tls.cert` | TLS certificate |
| `monitoring.grafana.tls.key` | TLS key |
| `monitoring.grafana.admin.username` | Username for the admin user |
| `monitoring.grafana.admin.password` | Password for the admin user |
| `monitoring.grafana.ldap.enabled` | Whether to enable LDAP |
| `monitoring.grafana.ldap.host` | Hostname of LDAP server |
| `monitoring.grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
| `monitoring.grafana.ldap.password` | Password of LDAP server |
| `monitoring.grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
| `monitoring.grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
| `monitoring.grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
| `monitoring.grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
| `logging.loki.host` | Loki ingress hostname |
| `logging.loki.username` | Username for Loki |
| `logging.loki.password` | Password for Loki |
| `logging.loki.s3.protocol` | Protocol used for communicating with S3 |
| `logging.loki.s3.host` | Hostname of the S3 object store |
| `logging.loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
| `logging.loki.s3.secret` | The secret associated with the accessToken |
| `logging.loki.s3.bucket` | The name of the S3 bucket |
| `logging.loki.s3.region` | The region in which the S3 bucket is hosted |
| `logging.loki.tls.cert` | TLS certificate |
| `logging.loki.tls.key` | TLS key |
### `gerritServers`

4
cfgmgr/abstract.py
View file

@ -26,8 +26,8 @@ class AbstractConfigManager(abc.ABC):
self.config_path = config_path
self.requires_htpasswd = [
["loki"],
["prometheus", "server"],
["logging", "loki"],
["monitoring", "prometheus", "server"],
]
def get_config(self):

2
charts/grafana/configuration/grafana.ca.secret.yaml
View file

@ -1,6 +1,6 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:base64", "base64")
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
apiVersion: v1
kind: Secret
metadata:

6
charts/grafana/configuration/grafana.secret.yaml
View file

@ -7,9 +7,9 @@ metadata:
name: grafana-credentials
namespace: #@ data.values.namespace
data:
admin-user: #@ base64.encode(data.values.grafana.admin.username)
admin-password: #@ base64.encode(data.values.grafana.admin.password)
#@ if data.values.grafana.ldap.enabled:
admin-user: #@ base64.encode(data.values.monitoring.grafana.admin.username)
admin-password: #@ base64.encode(data.values.monitoring.grafana.admin.password)
#@ if data.values.monitoring.grafana.ldap.enabled:
ldap-toml: #@ base64.encode(format_ldap_toml())
#@ end
type: Opaque

4
charts/grafana/configuration/grafana.tls.secret.yaml
View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.grafana.tls.cert)
tls.key: #@ base64.encode(data.values.grafana.tls.key)
tls.crt: #@ base64.encode(data.values.monitoring.grafana.tls.cert)
tls.key: #@ base64.encode(data.values.monitoring.grafana.tls.key)

12
charts/grafana/configuration/ldap.lib.txt
View file

@ -2,18 +2,18 @@
(@ def format_ldap_toml(): -@)
[[servers]]
host = "(@= data.values.grafana.ldap.host @)"
port = (@= data.values.grafana.ldap.port @)
host = "(@= data.values.monitoring.grafana.ldap.host @)"
port = (@= data.values.monitoring.grafana.ldap.port @)
use_ssl = true
start_tls = false
ssl_skip_verify = (@= "{}".format(data.values.tls.skipVerify).lower() @)
root_ca_cert = "/etc/secrets/server.ca.crt"
bind_dn = "(@= data.values.grafana.ldap.bind_dn @)"
bind_password = "(@= data.values.grafana.ldap.password @)"
bind_dn = "(@= data.values.monitoring.grafana.ldap.bind_dn @)"
bind_password = "(@= data.values.monitoring.grafana.ldap.password @)"
search_filter = "(cn=%s)"
search_base_dns = (@= data.values.grafana.ldap.accountBases @)
search_base_dns = (@= data.values.monitoring.grafana.ldap.accountBases @)
group_search_filter = "(cn=%s)"
group_search_base_dns = (@= data.values.grafana.ldap.groupBases @)
group_search_base_dns = (@= data.values.monitoring.grafana.ldap.groupBases @)
[[servers.group_mappings]]
group_dn = "*"

12
charts/grafana/grafana.yaml
View file

@ -130,7 +130,7 @@ ingress:
labels: {}
path: /
hosts:
- #@ data.values.grafana.host
- #@ data.values.monitoring.grafana.host
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
extraPaths: []
# - path: /*
@ -140,7 +140,7 @@ ingress:
tls:
- secretName: grafana-server-tls
hosts:
- #@ data.values.grafana.host
- #@ data.values.monitoring.grafana.host
resources:
limits:
@ -271,7 +271,7 @@ envRenderSecret: {}
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts:
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
- name: tls-ca
mountPath: /etc/secrets
secretName: grafana-ca
@ -396,7 +396,7 @@ grafana.ini:
## LDAP Authentication can be enabled with the following values on grafana.ini
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
auth.ldap:
enabled: #@ data.values.grafana.ldap.enabled
enabled: #@ data.values.monitoring.grafana.ldap.enabled
allow_sign_up: true
config_file: /etc/grafana/ldap.toml
@ -406,7 +406,7 @@ grafana.ini:
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
enabled: #@ data.values.grafana.ldap.enabled
enabled: #@ data.values.monitoring.grafana.ldap.enabled
# `existingSecret` is a reference to an existing secret containing the ldap configuration
# for Grafana in a key `ldap-toml`.
existingSecret: "grafana-credentials"
@ -475,7 +475,7 @@ sidecar:
# disableDelete to activate a import-only behaviour
disableDelete: true
# allow updating provisioned dashboards from the UI
allowUiUpdates: #@ data.values.grafana.dashboards.editable
allowUiUpdates: #@ data.values.monitoring.grafana.dashboards.editable
datasources:
enabled: false
## Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.

2
charts/loki/configuration/loki.basic-auth.secret.yaml
View file

@ -6,5 +6,5 @@ metadata:
name: loki-basic-auth
namespace: #@ data.values.namespace
data:
auth: #@ base64.encode(data.values.loki.htpasswd)
auth: #@ base64.encode(data.values.logging.loki.htpasswd)
type: Opaque

4
charts/loki/configuration/loki.tls.secret.yaml
View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.loki.tls.cert)
tls.key: #@ base64.encode(data.values.loki.tls.key)
tls.crt: #@ base64.encode(data.values.logging.loki.tls.cert)
tls.key: #@ base64.encode(data.values.logging.loki.tls.key)

8
charts/loki/loki.yaml
View file

@ -14,13 +14,13 @@ ingress:
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
# kubernetes.io/tls-acme: "true"
hosts:
- host: #@ data.values.loki.host
- host: #@ data.values.logging.loki.host
paths:
- /
tls:
- secretName: loki-server-tls
hosts:
- #@ data.values.loki.host
- #@ data.values.logging.loki.host
## Affinity for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@ -87,7 +87,7 @@ config:
boltdb:
directory: /data/loki/index
aws:
s3: #@ "{}://{}:{}@{}/{}".format(data.values.loki.s3.protocol, data.values.loki.s3.accessToken, data.values.loki.s3.secret, data.values.loki.s3.host, data.values.loki.s3.bucket)
s3: #@ "{}://{}:{}@{}/{}".format(data.values.logging.loki.s3.protocol, data.values.logging.loki.s3.accessToken, data.values.logging.loki.s3.secret, data.values.logging.loki.s3.host, data.values.logging.loki.s3.bucket)
s3forcepathstyle: true
chunk_store_config:
max_look_back_period: 0
@ -243,4 +243,4 @@ extraPorts: []
# Extra env variables to pass to the loki container
env:
- name: AWS_REGION
value: #@ data.values.loki.s3.region
value: #@ data.values.logging.loki.s3.region

2
charts/prometheus/configuration/prometheus.basic-auth.secret.yaml
View file

@ -6,5 +6,5 @@ metadata:
name: prometheus-basic-auth
namespace: #@ data.values.namespace
data:
auth: #@ base64.encode(data.values.prometheus.server.htpasswd)
auth: #@ base64.encode(data.values.monitoring.prometheus.server.htpasswd)
type: Opaque

4
charts/prometheus/configuration/prometheus.secret.yaml
View file

@ -17,7 +17,7 @@ data:
#@ if not data.values.tls.skipVerify:
server.ca.crt: #@ base64.encode(data.values.tls.caCert)
server.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
server.key: #@ base64.encode(data.values.prometheus.server.tls.key)
server.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
server.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)
#@ end
type: Opaque

4
charts/prometheus/configuration/prometheus.tls.secret.yaml
View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
tls.key: #@ base64.encode(data.values.prometheus.server.tls.key)
tls.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
tls.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)

8
charts/prometheus/prometheus.yaml
View file

@ -675,7 +675,7 @@ server:
## Must be provided if Ingress is enabled
##
hosts:
- #@ data.values.prometheus.server.host
- #@ data.values.monitoring.prometheus.server.host
# - prometheus.domain.com
# - domain.com/prometheus
@ -692,7 +692,7 @@ server:
tls:
- secretName: prometheus-server-tls
hosts:
- #@ data.values.prometheus.server.host
- #@ data.values.monitoring.prometheus.server.host
## Server Deployment Strategy type
# strategy:
@ -1055,12 +1055,12 @@ pushgateway:
alertmanagerFiles:
alertmanager.yml:
global:
slack_api_url: #@ data.values.prometheus.alertmanager.slack.apiUrl
slack_api_url: #@ data.values.monitoring.prometheus.alertmanager.slack.apiUrl
receivers:
- name: gerrit-admin
slack_configs:
- channel: #@ data.values.prometheus.alertmanager.slack.channel
- channel: #@ data.values.monitoring.prometheus.alertmanager.slack.channel
send_resolved: true
title: "{{ range .Alerts }}{{ .Annotations.summary }}\n{{ end }}"
text: "{{ range .Alerts }}{{ .Annotations.description }}\n{{ end }}"

4
charts/promtail/promtail.yaml
View file

@ -28,8 +28,8 @@ loki:
serviceName: #@ "loki-{}".format(data.values.namespace)
servicePort: 3100
serviceScheme: http
user: #@ data.values.loki.username
password: #@ data.values.loki.password
user: #@ data.values.logging.loki.username
password: #@ data.values.logging.loki.password
nameOverride: #@ "promtail-{}".format(data.values.namespace, data.values.namespace)

82
config.yaml
View file

@ -19,47 +19,49 @@ namespace: namespace
tls:
skipVerify: true
caCert:
prometheus:
server:
host: prometheus.example.com
username:
password:
monitoring:
prometheus:
server:
host: prometheus.example.com
username:
password:
tls:
cert:
key:
alertmanager:
slack:
apiUrl: https://hooks.slack.com/services/xxx/xxx
channel: '#alerts'
grafana:
host: grafana.example.com
tls:
cert:
key:
alertmanager:
slack:
apiUrl: https://hooks.slack.com/services/xxx/xxx
channel: '#alerts'
loki:
host: loki.example.com
username:
password:
s3:
protocol: https
host: s3.eu-de-1.example.com
accessToken: abcd
secret: "1234"
bucket: bucket
region: eu-de-1
tls:
cert:
key:
grafana:
host: grafana.example.com
tls:
cert:
key:
admin:
username: admin
password: secret
ldap:
enabled: false
host:
port: ""
admin:
username: admin
password: secret
ldap:
enabled: false
host:
port: ""
password:
bind_dn:
accountBases: "[]"
groupBases: "[]"
dashboards:
editable: false
logging:
loki:
host: loki.example.com
username:
password:
bind_dn:
accountBases: "[]"
groupBases: "[]"
dashboards:
editable: false
s3:
protocol: https
host: s3.eu-de-1.example.com
accessToken: abcd
secret: "1234"
bucket: bucket
region: eu-de-1
tls:
cert:
key:

6
promtail/promtailLocalConfig.yaml
View file

@ -10,15 +10,15 @@ positions:
filename: #@ "{}/positions.yaml".format(data.values.gerritServers.other[i].promtail.storagePath)
clients:
- url: #@ "https://{}/loki/api/v1/push".format(data.values.loki.host)
- url: #@ "https://{}/loki/api/v1/push".format(data.values.logging.loki.host)
tls_config:
insecure_skip_verify: #@ data.values.tls.skipVerify
#@ if not data.values.tls.skipVerify:
ca_file: #@ "{}/promtail.ca.crt".format(data.values.gerritServers.other[i].promtail.storagePath)
#@ end
basic_auth:
username: #@ data.values.loki.username
password: #@ data.values.loki.password
username: #@ data.values.logging.loki.username
password: #@ data.values.logging.loki.password
scrape_configs:
- job_name: gerrit_error
static_configs: