Sort monitoring and logging components into sub-maps in the config
This is done in preparation for allowing multiple logging stacks.
Change-Id: I950200805ec01851bfdf6ccc3a5243893a947616
This commit is contained in:
parent
3887f2b53c
commit
3b4005a047
64
README.md
64
README.md
|
@ -78,42 +78,42 @@ These options have to be configured in the `./config.yaml` before installing and
|
|||
are listed here:
|
||||
|
||||
| option | description |
|
||||
|-----------------------------------------|----------------------------------------------------------------------------------------|
|
||||
|----------------------------------------------------|----------------------------------------------------------------------------------------|
|
||||
| `gerritServers` | List of Gerrit servers to scrape. For details refer to section [below](#gerritServers) |
|
||||
| `namespace` | The namespace the charts are installed to |
|
||||
| `tls.skipVerify` | Whether to skip TLS certificate verification |
|
||||
| `tls.caCert` | CA certificate used for TLS certificate verification |
|
||||
| `prometheus.server.host` | Prometheus server ingress hostname |
|
||||
| `prometheus.server.username` | Username for Prometheus |
|
||||
| `prometheus.server.password` | Password for Prometheus |
|
||||
| `prometheus.server.tls.cert` | TLS certificate |
|
||||
| `prometheus.server.tls.key` | TLS key |
|
||||
| `prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
|
||||
| `prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
|
||||
| `loki.host` | Loki ingress hostname |
|
||||
| `loki.username` | Username for Loki |
|
||||
| `loki.password` | Password for Loki |
|
||||
| `loki.s3.protocol` | Protocol used for communicating with S3 |
|
||||
| `loki.s3.host` | Hostname of the S3 object store |
|
||||
| `loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
|
||||
| `loki.s3.secret` | The secret associated with the accessToken |
|
||||
| `loki.s3.bucket` | The name of the S3 bucket |
|
||||
| `loki.s3.region` | The region in which the S3 bucket is hosted |
|
||||
| `loki.tls.cert` | TLS certificate |
|
||||
| `loki.tls.key` | TLS key |
|
||||
| `grafana.host` | Grafana ingress hostname |
|
||||
| `grafana.tls.cert` | TLS certificate |
|
||||
| `grafana.tls.key` | TLS key |
|
||||
| `grafana.admin.username` | Username for the admin user |
|
||||
| `grafana.admin.password` | Password for the admin user |
|
||||
| `grafana.ldap.enabled` | Whether to enable LDAP |
|
||||
| `grafana.ldap.host` | Hostname of LDAP server |
|
||||
| `grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
|
||||
| `grafana.ldap.password` | Password of LDAP server |
|
||||
| `grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
|
||||
| `grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
|
||||
| `grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
|
||||
| `grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
|
||||
| `monitoring.prometheus.server.host` | Prometheus server ingress hostname |
|
||||
| `monitoring.prometheus.server.username` | Username for Prometheus |
|
||||
| `monitoring.prometheus.server.password` | Password for Prometheus |
|
||||
| `monitoring.prometheus.server.tls.cert` | TLS certificate |
|
||||
| `monitoring.prometheus.server.tls.key` | TLS key |
|
||||
| `monitoring.prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
|
||||
| `monitoring.prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
|
||||
| `monitoring.grafana.host` | Grafana ingress hostname |
|
||||
| `monitoring.grafana.tls.cert` | TLS certificate |
|
||||
| `monitoring.grafana.tls.key` | TLS key |
|
||||
| `monitoring.grafana.admin.username` | Username for the admin user |
|
||||
| `monitoring.grafana.admin.password` | Password for the admin user |
|
||||
| `monitoring.grafana.ldap.enabled` | Whether to enable LDAP |
|
||||
| `monitoring.grafana.ldap.host` | Hostname of LDAP server |
|
||||
| `monitoring.grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
|
||||
| `monitoring.grafana.ldap.password` | Password of LDAP server |
|
||||
| `monitoring.grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
|
||||
| `monitoring.grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
|
||||
| `monitoring.grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
|
||||
| `monitoring.grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
|
||||
| `logging.loki.host` | Loki ingress hostname |
|
||||
| `logging.loki.username` | Username for Loki |
|
||||
| `logging.loki.password` | Password for Loki |
|
||||
| `logging.loki.s3.protocol` | Protocol used for communicating with S3 |
|
||||
| `logging.loki.s3.host` | Hostname of the S3 object store |
|
||||
| `logging.loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
|
||||
| `logging.loki.s3.secret` | The secret associated with the accessToken |
|
||||
| `logging.loki.s3.bucket` | The name of the S3 bucket |
|
||||
| `logging.loki.s3.region` | The region in which the S3 bucket is hosted |
|
||||
| `logging.loki.tls.cert` | TLS certificate |
|
||||
| `logging.loki.tls.key` | TLS key |
|
||||
|
||||
### `gerritServers`
|
||||
|
||||
|
|
|
@ -26,8 +26,8 @@ class AbstractConfigManager(abc.ABC):
|
|||
self.config_path = config_path
|
||||
|
||||
self.requires_htpasswd = [
|
||||
["loki"],
|
||||
["prometheus", "server"],
|
||||
["logging", "loki"],
|
||||
["monitoring", "prometheus", "server"],
|
||||
]
|
||||
|
||||
def get_config(self):
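Review bot: The new `requires_htpasswd` entries hard-code the same config paths that the templates later read an `htpasswd` value from (`logging.loki` and `monitoring.prometheus.server`), but nothing next to the list says so, so the next re-layout of `config.yaml` can easily update one side and not the other. Add a comment above the list: `# Config paths whose username/password is turned into an "htpasswd" entry; must match the data.values.<path>.htpasswd lookups in the templates.` It is also worth confirming that the manager reports a path that is missing from the loaded config rather than skipping it, since a stale config still using the old top-level `loki:`/`prometheus:` keys could otherwise leave the basic-auth secrets without a usable entry. `__init__` begins before this hunk and `get_config` continues past its end.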
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#@ load("@ytt:data", "data")
|
||||
#@ load("@ytt:base64", "base64")
|
||||
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
|
||||
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
|
|
|
@ -7,9 +7,9 @@ metadata:
|
|||
name: grafana-credentials
|
||||
namespace: #@ data.values.namespace
|
||||
data:
|
||||
admin-user: #@ base64.encode(data.values.grafana.admin.username)
|
||||
admin-password: #@ base64.encode(data.values.grafana.admin.password)
|
||||
#@ if data.values.grafana.ldap.enabled:
|
||||
admin-user: #@ base64.encode(data.values.monitoring.grafana.admin.username)
|
||||
admin-password: #@ base64.encode(data.values.monitoring.grafana.admin.password)
|
||||
#@ if data.values.monitoring.grafana.ldap.enabled:
|
||||
ldap-toml: #@ base64.encode(format_ldap_toml())
|
||||
#@ end
|
||||
type: Opaque
|
||||
|
|
|
@ -7,5 +7,5 @@ metadata:
|
|||
namespace: #@ data.values.namespace
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: #@ base64.encode(data.values.grafana.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.grafana.tls.key)
|
||||
tls.crt: #@ base64.encode(data.values.monitoring.grafana.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.monitoring.grafana.tls.key)
|
||||
|
|
|
@ -2,18 +2,18 @@
|
|||
(@ def format_ldap_toml(): -@)
|
||||
[[servers]]
|
||||
|
||||
host = "(@= data.values.grafana.ldap.host @)"
|
||||
port = (@= data.values.grafana.ldap.port @)
|
||||
host = "(@= data.values.monitoring.grafana.ldap.host @)"
|
||||
port = (@= data.values.monitoring.grafana.ldap.port @)
|
||||
use_ssl = true
|
||||
start_tls = false
|
||||
ssl_skip_verify = (@= "{}".format(data.values.tls.skipVerify).lower() @)
|
||||
root_ca_cert = "/etc/secrets/server.ca.crt"
|
||||
bind_dn = "(@= data.values.grafana.ldap.bind_dn @)"
|
||||
bind_password = "(@= data.values.grafana.ldap.password @)"
|
||||
bind_dn = "(@= data.values.monitoring.grafana.ldap.bind_dn @)"
|
||||
bind_password = "(@= data.values.monitoring.grafana.ldap.password @)"
|
||||
search_filter = "(cn=%s)"
|
||||
search_base_dns = (@= data.values.grafana.ldap.accountBases @)
|
||||
search_base_dns = (@= data.values.monitoring.grafana.ldap.accountBases @)
|
||||
group_search_filter = "(cn=%s)"
|
||||
group_search_base_dns = (@= data.values.grafana.ldap.groupBases @)
|
||||
group_search_base_dns = (@= data.values.monitoring.grafana.ldap.groupBases @)
|
||||
|
||||
[[servers.group_mappings]]
|
||||
group_dn = "*"
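Review bot: The renamed `bind_password`, `bind_dn` and `host` lines interpolate values into TOML basic strings with no escaping, so a bind password containing `"` or `\` yields an invalid ldap.toml, which the Grafana values file itself notes makes Grafana fail to start. Encode the value instead of quoting it by hand, e.g. `(@ load("@ytt:json", "json") @)` at the top and `bind_password = (@= json.encode(data.values.monitoring.grafana.ldap.password) @)`, which produces a double-quoted string whose escapes (`\"`, `\\`, `\uXXXX`) TOML basic strings also accept. The same trust is placed in `search_base_dns`/`group_search_base_dns`, which splice a raw string that is assumed to already be a TOML array. `format_ldap_toml` continues past the end of this hunk.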
|
||||
|
|
|
@ -130,7 +130,7 @@ ingress:
|
|||
labels: {}
|
||||
path: /
|
||||
hosts:
|
||||
- #@ data.values.grafana.host
|
||||
- #@ data.values.monitoring.grafana.host
|
||||
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
|
||||
extraPaths: []
|
||||
# - path: /*
|
||||
|
@ -140,7 +140,7 @@ ingress:
|
|||
tls:
|
||||
- secretName: grafana-server-tls
|
||||
hosts:
|
||||
- #@ data.values.grafana.host
|
||||
- #@ data.values.monitoring.grafana.host
|
||||
|
||||
resources:
|
||||
limits:
|
||||
|
@ -271,7 +271,7 @@ envRenderSecret: {}
|
|||
## Additional grafana server secret mounts
|
||||
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
|
||||
extraSecretMounts:
|
||||
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
|
||||
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
|
||||
- name: tls-ca
|
||||
mountPath: /etc/secrets
|
||||
secretName: grafana-ca
|
||||
|
@ -396,7 +396,7 @@ grafana.ini:
|
|||
## LDAP Authentication can be enabled with the following values on grafana.ini
|
||||
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
|
||||
auth.ldap:
|
||||
enabled: #@ data.values.grafana.ldap.enabled
|
||||
enabled: #@ data.values.monitoring.grafana.ldap.enabled
|
||||
allow_sign_up: true
|
||||
config_file: /etc/grafana/ldap.toml
|
||||
|
||||
|
@ -406,7 +406,7 @@ grafana.ini:
|
|||
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
|
||||
## ref: http://docs.grafana.org/installation/ldap/#configuration
|
||||
ldap:
|
||||
enabled: #@ data.values.grafana.ldap.enabled
|
||||
enabled: #@ data.values.monitoring.grafana.ldap.enabled
|
||||
# `existingSecret` is a reference to an existing secret containing the ldap configuration
|
||||
# for Grafana in a key `ldap-toml`.
|
||||
existingSecret: "grafana-credentials"
|
||||
|
@ -475,7 +475,7 @@ sidecar:
|
|||
# disableDelete to activate a import-only behaviour
|
||||
disableDelete: true
|
||||
# allow updating provisioned dashboards from the UI
|
||||
allowUiUpdates: #@ data.values.grafana.dashboards.editable
|
||||
allowUiUpdates: #@ data.values.monitoring.grafana.dashboards.editable
|
||||
datasources:
|
||||
enabled: false
|
||||
## Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
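Review bot: In the `auth.ldap` hunk, `allow_sign_up: true` sits directly under the renamed `enabled: #@ data.values.monitoring.grafana.ldap.enabled`, and together with the `group_dn = "*"` mapping in ldap.toml it means every directory account under `accountBases` that can bind gets a Grafana user created on first login. If that is the intended policy it deserves a comment, e.g. `# LDAP users are auto-provisioned on first login; access is bounded only by ldap.accountBases and the "*" group mapping`; if not, scope the mapping to a group. Also, the `extraSecretMounts` hunk mounts the CA only when `tls.skipVerify` is false while ldap.toml always sets `root_ca_cert = "/etc/secrets/server.ca.crt"`; that is consistent only because `ssl_skip_verify` is derived from the same flag, which is worth stating next to the condition.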
|
||||
|
|
|
@ -6,5 +6,5 @@ metadata:
|
|||
name: loki-basic-auth
|
||||
namespace: #@ data.values.namespace
|
||||
data:
|
||||
auth: #@ base64.encode(data.values.loki.htpasswd)
|
||||
auth: #@ base64.encode(data.values.logging.loki.htpasswd)
|
||||
type: Opaque
|
||||
|
|
|
@ -7,5 +7,5 @@ metadata:
|
|||
namespace: #@ data.values.namespace
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: #@ base64.encode(data.values.loki.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.loki.tls.key)
|
||||
tls.crt: #@ base64.encode(data.values.logging.loki.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.logging.loki.tls.key)
|
||||
|
|
|
@ -14,13 +14,13 @@ ingress:
|
|||
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- host: #@ data.values.loki.host
|
||||
- host: #@ data.values.logging.loki.host
|
||||
paths:
|
||||
- /
|
||||
tls:
|
||||
- secretName: loki-server-tls
|
||||
hosts:
|
||||
- #@ data.values.loki.host
|
||||
- #@ data.values.logging.loki.host
|
||||
|
||||
## Affinity for pod assignment
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||||
|
@ -87,7 +87,7 @@ config:
|
|||
boltdb:
|
||||
directory: /data/loki/index
|
||||
aws:
|
||||
s3: #@ "{}://{}:{}@{}/{}".format(data.values.loki.s3.protocol, data.values.loki.s3.accessToken, data.values.loki.s3.secret, data.values.loki.s3.host, data.values.loki.s3.bucket)
|
||||
s3: #@ "{}://{}:{}@{}/{}".format(data.values.logging.loki.s3.protocol, data.values.logging.loki.s3.accessToken, data.values.logging.loki.s3.secret, data.values.logging.loki.s3.host, data.values.logging.loki.s3.bucket)
|
||||
s3forcepathstyle: true
|
||||
chunk_store_config:
|
||||
max_look_back_period: 0
|
||||
|
@ -243,4 +243,4 @@ extraPorts: []
|
|||
# Extra env variables to pass to the loki container
|
||||
env:
|
||||
- name: AWS_REGION
|
||||
value: #@ data.values.loki.s3.region
|
||||
value: #@ data.values.logging.loki.s3.region
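Review bot: In the `config:` hunk, the S3 URL built by `s3: #@ "{}://{}:{}@{}/{}".format(...)` splices `accessToken` and `secret` into the userinfo part of a URL without percent-encoding, so a secret containing `/`, `@`, `:`, `#` or `%` produces a URL that parses into the wrong host or credentials. Percent-encode both values before formatting (ytt ships an `@ytt:url` module for this), or pass them through Loki's separate `access_key_id`/`secret_access_key` fields instead of embedding them in the URL. It is also worth confirming how the chart stores this `config` block: if it is rendered into a ConfigMap rather than a Secret, the S3 credentials become readable to anyone with ConfigMap read access in the namespace.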
|
||||
|
|
|
@ -6,5 +6,5 @@ metadata:
|
|||
name: prometheus-basic-auth
|
||||
namespace: #@ data.values.namespace
|
||||
data:
|
||||
auth: #@ base64.encode(data.values.prometheus.server.htpasswd)
|
||||
auth: #@ base64.encode(data.values.monitoring.prometheus.server.htpasswd)
|
||||
type: Opaque
|
||||
|
|
|
@ -17,7 +17,7 @@ data:
|
|||
|
||||
#@ if not data.values.tls.skipVerify:
|
||||
server.ca.crt: #@ base64.encode(data.values.tls.caCert)
|
||||
server.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
|
||||
server.key: #@ base64.encode(data.values.prometheus.server.tls.key)
|
||||
server.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
|
||||
server.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)
|
||||
#@ end
|
||||
type: Opaque
|
||||
|
|
|
@ -7,5 +7,5 @@ metadata:
|
|||
namespace: #@ data.values.namespace
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.prometheus.server.tls.key)
|
||||
tls.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
|
||||
tls.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)
|
||||
|
|
|
@ -675,7 +675,7 @@ server:
|
|||
## Must be provided if Ingress is enabled
|
||||
##
|
||||
hosts:
|
||||
- #@ data.values.prometheus.server.host
|
||||
- #@ data.values.monitoring.prometheus.server.host
|
||||
# - prometheus.domain.com
|
||||
# - domain.com/prometheus
|
||||
|
||||
|
@ -692,7 +692,7 @@ server:
|
|||
tls:
|
||||
- secretName: prometheus-server-tls
|
||||
hosts:
|
||||
- #@ data.values.prometheus.server.host
|
||||
- #@ data.values.monitoring.prometheus.server.host
|
||||
|
||||
## Server Deployment Strategy type
|
||||
# strategy:
|
||||
|
@ -1055,12 +1055,12 @@ pushgateway:
|
|||
alertmanagerFiles:
|
||||
alertmanager.yml:
|
||||
global:
|
||||
slack_api_url: #@ data.values.prometheus.alertmanager.slack.apiUrl
|
||||
slack_api_url: #@ data.values.monitoring.prometheus.alertmanager.slack.apiUrl
|
||||
|
||||
receivers:
|
||||
- name: gerrit-admin
|
||||
slack_configs:
|
||||
- channel: #@ data.values.prometheus.alertmanager.slack.channel
|
||||
- channel: #@ data.values.monitoring.prometheus.alertmanager.slack.channel
|
||||
send_resolved: true
|
||||
title: "{{ range .Alerts }}{{ .Annotations.summary }}\n{{ end }}"
|
||||
text: "{{ range .Alerts }}{{ .Annotations.description }}\n{{ end }}"
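Review bot: In the `alertmanagerFiles` hunk, `slack_api_url: #@ data.values.monitoring.prometheus.alertmanager.slack.apiUrl` writes the Slack webhook URL, which is effectively a bearer credential, into the rendered `alertmanager.yml`. If the chart renders `alertmanagerFiles` into a ConfigMap (as the upstream chart historically did; worth confirming), the webhook is exposed to anyone who can read ConfigMaps in the namespace. Alertmanager's `slack_api_url_file` global option allows keeping the URL in a mounted Secret instead, and the README row for `monitoring.prometheus.alertmanager.slack.apiUrl` should say that the value is sensitive.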
|
||||
|
|
|
@ -28,8 +28,8 @@ loki:
|
|||
serviceName: #@ "loki-{}".format(data.values.namespace)
|
||||
servicePort: 3100
|
||||
serviceScheme: http
|
||||
user: #@ data.values.loki.username
|
||||
password: #@ data.values.loki.password
|
||||
user: #@ data.values.logging.loki.username
|
||||
password: #@ data.values.logging.loki.password
|
||||
|
||||
nameOverride: #@ "promtail-{}".format(data.values.namespace, data.values.namespace)
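Review bot: `nameOverride: #@ "promtail-{}".format(data.values.namespace, data.values.namespace)` in the context lines passes the namespace twice to a format string with a single placeholder; the second argument is dead and reads like a copy-paste leftover. Drop it: `nameOverride: #@ "promtail-{}".format(data.values.namespace)`. The renamed `user`/`password` lines above it are fine as they are.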
|
||||
|
||||
|
|
34
config.yaml
34
config.yaml
|
@ -19,7 +19,8 @@ namespace: namespace
|
|||
tls:
|
||||
skipVerify: true
|
||||
caCert:
|
||||
prometheus:
|
||||
monitoring:
|
||||
prometheus:
|
||||
server:
|
||||
host: prometheus.example.com
|
||||
username:
|
||||
|
@ -31,21 +32,7 @@ prometheus:
|
|||
slack:
|
||||
apiUrl: https://hooks.slack.com/services/xxx/xxx
|
||||
channel: '#alerts'
|
||||
loki:
|
||||
host: loki.example.com
|
||||
username:
|
||||
password:
|
||||
s3:
|
||||
protocol: https
|
||||
host: s3.eu-de-1.example.com
|
||||
accessToken: abcd
|
||||
secret: "1234"
|
||||
bucket: bucket
|
||||
region: eu-de-1
|
||||
tls:
|
||||
cert:
|
||||
key:
|
||||
grafana:
|
||||
grafana:
|
||||
host: grafana.example.com
|
||||
tls:
|
||||
cert:
|
||||
|
@ -63,3 +50,18 @@ grafana:
|
|||
groupBases: "[]"
|
||||
dashboards:
|
||||
editable: false
|
||||
logging:
|
||||
loki:
|
||||
host: loki.example.com
|
||||
username:
|
||||
password:
|
||||
s3:
|
||||
protocol: https
|
||||
host: s3.eu-de-1.example.com
|
||||
accessToken: abcd
|
||||
secret: "1234"
|
||||
bucket: bucket
|
||||
region: eu-de-1
|
||||
tls:
|
||||
cert:
|
||||
key:
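Review bot: The relocated `logging.loki.s3` block keeps `accessToken: abcd` and `secret: "1234"` as sample values while every other credential in this file (`username:`, `password:`, `cert:`, `key:`) is left empty, so a copied config passes with plausible-looking but fake S3 credentials and the literal values travel with the examples. Use empty placeholders for both to match the rest of the file: `accessToken:` / `secret:`. The Slack `apiUrl` example in the earlier hunk has the same shape, though its `xxx/xxx` path is at least recognisable as a pattern.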
|
||||
|
|
|
@ -10,15 +10,15 @@ positions:
|
|||
filename: #@ "{}/positions.yaml".format(data.values.gerritServers.other[i].promtail.storagePath)
|
||||
|
||||
clients:
|
||||
- url: #@ "https://{}/loki/api/v1/push".format(data.values.loki.host)
|
||||
- url: #@ "https://{}/loki/api/v1/push".format(data.values.logging.loki.host)
|
||||
tls_config:
|
||||
insecure_skip_verify: #@ data.values.tls.skipVerify
|
||||
#@ if not data.values.tls.skipVerify:
|
||||
ca_file: #@ "{}/promtail.ca.crt".format(data.values.gerritServers.other[i].promtail.storagePath)
|
||||
#@ end
|
||||
basic_auth:
|
||||
username: #@ data.values.loki.username
|
||||
password: #@ data.values.loki.password
|
||||
username: #@ data.values.logging.loki.username
|
||||
password: #@ data.values.logging.loki.password
|
||||
scrape_configs:
|
||||
- job_name: gerrit_error
|
||||
static_configs:
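Review bot: The renamed `clients` entry sends `basic_auth` credentials (`username`/`password` from `logging.loki`) to `https://{}/loki/api/v1/push` while `insecure_skip_verify` is driven by the global `tls.skipVerify`; with that flag set, the push client presents the Loki password to whatever endpoint answers for the host, regardless of its certificate. That pairing is presumably a deliberate dev-mode switch, but it deserves a comment on the `insecure_skip_verify` line, e.g. `# tls.skipVerify also disables server verification for the basic-auth push client`. Note that the flag is global and also feeds the Grafana LDAP `ssl_skip_verify`, so it cannot be relaxed for one component alone.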
|
||||
|
|