Sort monitoring and logging components into sub-maps in the config

This is done in preparation to allow multiple logging stacks.

Change-Id: I950200805ec01851bfdf6ccc3a5243893a947616
This commit is contained in:
Thomas Draebing 2020-05-20 15:56:57 +02:00
parent 3887f2b53c
commit 3b4005a047
17 changed files with 120 additions and 118 deletions

View file

@ -77,43 +77,43 @@ setup, some configuration is highly dependent on the specific installation.
These options have to be configured in the `./config.yaml` before installing and
are listed here:
| option | description |
|-----------------------------------------|----------------------------------------------------------------------------------------|
| `gerritServers` | List of Gerrit servers to scrape. For details refer to section [below](#gerritServers) |
| `namespace` | The namespace the charts are installed to |
| `tls.skipVerify` | Whether to skip TLS certificate verification |
| `tls.caCert` | CA certificate used for TLS certificate verification |
| `prometheus.server.host` | Prometheus server ingress hostname |
| `prometheus.server.username` | Username for Prometheus |
| `prometheus.server.password` | Password for Prometheus |
| `prometheus.server.tls.cert` | TLS certificate |
| `prometheus.server.tls.key` | TLS key |
| `prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
| `prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
| `loki.host` | Loki ingress hostname |
| `loki.username` | Username for Loki |
| `loki.password` | Password for Loki |
| `loki.s3.protocol` | Protocol used for communicating with S3 |
| `loki.s3.host` | Hostname of the S3 object store |
| `loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
| `loki.s3.secret` | The secret associated with the accessToken |
| `loki.s3.bucket` | The name of the S3 bucket |
| `loki.s3.region` | The region in which the S3 bucket is hosted |
| `loki.tls.cert` | TLS certificate |
| `loki.tls.key` | TLS key |
| `grafana.host` | Grafana ingress hostname |
| `grafana.tls.cert` | TLS certificate |
| `grafana.tls.key` | TLS key |
| `grafana.admin.username` | Username for the admin user |
| `grafana.admin.password` | Password for the admin user |
| `grafana.ldap.enabled` | Whether to enable LDAP |
| `grafana.ldap.host` | Hostname of LDAP server |
| `grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
| `grafana.ldap.password` | Password of LDAP server |
| `grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
| `grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
| `grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
| `grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
| option | description |
|----------------------------------------------------|----------------------------------------------------------------------------------------|
| `gerritServers` | List of Gerrit servers to scrape. For details refer to section [below](#gerritServers) |
| `namespace` | The namespace the charts are installed to |
| `tls.skipVerify` | Whether to skip TLS certificate verification |
| `tls.caCert` | CA certificate used for TLS certificate verification |
| `monitoring.prometheus.server.host` | Prometheus server ingress hostname |
| `monitoring.prometheus.server.username` | Username for Prometheus |
| `monitoring.prometheus.server.password` | Password for Prometheus |
| `monitoring.prometheus.server.tls.cert` | TLS certificate |
| `monitoring.prometheus.server.tls.key` | TLS key |
| `monitoring.prometheus.alertmanager.slack.apiUrl` | API URL of the Slack Webhook |
| `monitoring.prometheus.alertmanager.slack.channel` | Channel to which the alerts should be posted |
| `monitoring.grafana.host` | Grafana ingress hostname |
| `monitoring.grafana.tls.cert` | TLS certificate |
| `monitoring.grafana.tls.key` | TLS key |
| `monitoring.grafana.admin.username` | Username for the admin user |
| `monitoring.grafana.admin.password` | Password for the admin user |
| `monitoring.grafana.ldap.enabled` | Whether to enable LDAP |
| `monitoring.grafana.ldap.host` | Hostname of LDAP server |
| `monitoring.grafana.ldap.port` | Port of LDAP server (Has to be `quoted`!) |
| `monitoring.grafana.ldap.password` | Password of LDAP server |
| `monitoring.grafana.ldap.bind_dn` | Bind DN (username) of the LDAP server |
| `monitoring.grafana.ldap.accountBases` | List of base DNs to discover accounts (Has to have the format `"['a', 'b']"`) |
| `monitoring.grafana.ldap.groupBases` | List of base DNs to discover groups (Has to have the format `"['a', 'b']"`) |
| `monitoring.grafana.dashboards.editable` | Whether dashboards can be edited manually in the UI |
| `logging.loki.host` | Loki ingress hostname |
| `logging.loki.username` | Username for Loki |
| `logging.loki.password` | Password for Loki |
| `logging.loki.s3.protocol` | Protocol used for communicating with S3 |
| `logging.loki.s3.host` | Hostname of the S3 object store |
| `logging.loki.s3.accessToken` | The EC2 accessToken used for authentication with S3 |
| `logging.loki.s3.secret` | The secret associated with the accessToken |
| `logging.loki.s3.bucket` | The name of the S3 bucket |
| `logging.loki.s3.region` | The region in which the S3 bucket is hosted |
| `logging.loki.tls.cert` | TLS certificate |
| `logging.loki.tls.key` | TLS key |
### `gerritServers`

View file

@ -26,8 +26,8 @@ class AbstractConfigManager(abc.ABC):
self.config_path = config_path
self.requires_htpasswd = [
["loki"],
["prometheus", "server"],
["logging", "loki"],
["monitoring", "prometheus", "server"],
]
def get_config(self):

View file

@ -1,6 +1,6 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:base64", "base64")
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
apiVersion: v1
kind: Secret
metadata:

View file

@ -7,9 +7,9 @@ metadata:
name: grafana-credentials
namespace: #@ data.values.namespace
data:
admin-user: #@ base64.encode(data.values.grafana.admin.username)
admin-password: #@ base64.encode(data.values.grafana.admin.password)
#@ if data.values.grafana.ldap.enabled:
admin-user: #@ base64.encode(data.values.monitoring.grafana.admin.username)
admin-password: #@ base64.encode(data.values.monitoring.grafana.admin.password)
#@ if data.values.monitoring.grafana.ldap.enabled:
ldap-toml: #@ base64.encode(format_ldap_toml())
#@ end
type: Opaque

View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.grafana.tls.cert)
tls.key: #@ base64.encode(data.values.grafana.tls.key)
tls.crt: #@ base64.encode(data.values.monitoring.grafana.tls.cert)
tls.key: #@ base64.encode(data.values.monitoring.grafana.tls.key)

View file

@ -2,18 +2,18 @@
(@ def format_ldap_toml(): -@)
[[servers]]
host = "(@= data.values.grafana.ldap.host @)"
port = (@= data.values.grafana.ldap.port @)
host = "(@= data.values.monitoring.grafana.ldap.host @)"
port = (@= data.values.monitoring.grafana.ldap.port @)
use_ssl = true
start_tls = false
ssl_skip_verify = (@= "{}".format(data.values.tls.skipVerify).lower() @)
root_ca_cert = "/etc/secrets/server.ca.crt"
bind_dn = "(@= data.values.grafana.ldap.bind_dn @)"
bind_password = "(@= data.values.grafana.ldap.password @)"
bind_dn = "(@= data.values.monitoring.grafana.ldap.bind_dn @)"
bind_password = "(@= data.values.monitoring.grafana.ldap.password @)"
search_filter = "(cn=%s)"
search_base_dns = (@= data.values.grafana.ldap.accountBases @)
search_base_dns = (@= data.values.monitoring.grafana.ldap.accountBases @)
group_search_filter = "(cn=%s)"
group_search_base_dns = (@= data.values.grafana.ldap.groupBases @)
group_search_base_dns = (@= data.values.monitoring.grafana.ldap.groupBases @)
[[servers.group_mappings]]
group_dn = "*"

View file

@ -130,7 +130,7 @@ ingress:
labels: {}
path: /
hosts:
- #@ data.values.grafana.host
- #@ data.values.monitoring.grafana.host
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
extraPaths: []
# - path: /*
@ -140,7 +140,7 @@ ingress:
tls:
- secretName: grafana-server-tls
hosts:
- #@ data.values.grafana.host
- #@ data.values.monitoring.grafana.host
resources:
limits:
@ -271,7 +271,7 @@ envRenderSecret: {}
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts:
#@ if data.values.grafana.ldap.enabled and not data.values.tls.skipVerify:
#@ if data.values.monitoring.grafana.ldap.enabled and not data.values.tls.skipVerify:
- name: tls-ca
mountPath: /etc/secrets
secretName: grafana-ca
@ -396,7 +396,7 @@ grafana.ini:
## LDAP Authentication can be enabled with the following values on grafana.ini
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
auth.ldap:
enabled: #@ data.values.grafana.ldap.enabled
enabled: #@ data.values.monitoring.grafana.ldap.enabled
allow_sign_up: true
config_file: /etc/grafana/ldap.toml
@ -406,7 +406,7 @@ grafana.ini:
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
enabled: #@ data.values.grafana.ldap.enabled
enabled: #@ data.values.monitoring.grafana.ldap.enabled
# `existingSecret` is a reference to an existing secret containing the ldap configuration
# for Grafana in a key `ldap-toml`.
existingSecret: "grafana-credentials"
@ -475,7 +475,7 @@ sidecar:
# disableDelete to activate a import-only behaviour
disableDelete: true
# allow updating provisioned dashboards from the UI
allowUiUpdates: #@ data.values.grafana.dashboards.editable
allowUiUpdates: #@ data.values.monitoring.grafana.dashboards.editable
datasources:
enabled: false
## Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.

View file

@ -6,5 +6,5 @@ metadata:
name: loki-basic-auth
namespace: #@ data.values.namespace
data:
auth: #@ base64.encode(data.values.loki.htpasswd)
auth: #@ base64.encode(data.values.logging.loki.htpasswd)
type: Opaque

View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.loki.tls.cert)
tls.key: #@ base64.encode(data.values.loki.tls.key)
tls.crt: #@ base64.encode(data.values.logging.loki.tls.cert)
tls.key: #@ base64.encode(data.values.logging.loki.tls.key)

View file

@ -14,13 +14,13 @@ ingress:
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
# kubernetes.io/tls-acme: "true"
hosts:
- host: #@ data.values.loki.host
- host: #@ data.values.logging.loki.host
paths:
- /
tls:
- secretName: loki-server-tls
hosts:
- #@ data.values.loki.host
- #@ data.values.logging.loki.host
## Affinity for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@ -87,7 +87,7 @@ config:
boltdb:
directory: /data/loki/index
aws:
s3: #@ "{}://{}:{}@{}/{}".format(data.values.loki.s3.protocol, data.values.loki.s3.accessToken, data.values.loki.s3.secret, data.values.loki.s3.host, data.values.loki.s3.bucket)
s3: #@ "{}://{}:{}@{}/{}".format(data.values.logging.loki.s3.protocol, data.values.logging.loki.s3.accessToken, data.values.logging.loki.s3.secret, data.values.logging.loki.s3.host, data.values.logging.loki.s3.bucket)
s3forcepathstyle: true
chunk_store_config:
max_look_back_period: 0
@ -243,4 +243,4 @@ extraPorts: []
# Extra env variables to pass to the loki container
env:
- name: AWS_REGION
value: #@ data.values.loki.s3.region
value: #@ data.values.logging.loki.s3.region

View file

@ -6,5 +6,5 @@ metadata:
name: prometheus-basic-auth
namespace: #@ data.values.namespace
data:
auth: #@ base64.encode(data.values.prometheus.server.htpasswd)
auth: #@ base64.encode(data.values.monitoring.prometheus.server.htpasswd)
type: Opaque

View file

@ -17,7 +17,7 @@ data:
#@ if not data.values.tls.skipVerify:
server.ca.crt: #@ base64.encode(data.values.tls.caCert)
server.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
server.key: #@ base64.encode(data.values.prometheus.server.tls.key)
server.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
server.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)
#@ end
type: Opaque

View file

@ -7,5 +7,5 @@ metadata:
namespace: #@ data.values.namespace
type: kubernetes.io/tls
data:
tls.crt: #@ base64.encode(data.values.prometheus.server.tls.cert)
tls.key: #@ base64.encode(data.values.prometheus.server.tls.key)
tls.crt: #@ base64.encode(data.values.monitoring.prometheus.server.tls.cert)
tls.key: #@ base64.encode(data.values.monitoring.prometheus.server.tls.key)

View file

@ -675,7 +675,7 @@ server:
## Must be provided if Ingress is enabled
##
hosts:
- #@ data.values.prometheus.server.host
- #@ data.values.monitoring.prometheus.server.host
# - prometheus.domain.com
# - domain.com/prometheus
@ -692,7 +692,7 @@ server:
tls:
- secretName: prometheus-server-tls
hosts:
- #@ data.values.prometheus.server.host
- #@ data.values.monitoring.prometheus.server.host
## Server Deployment Strategy type
# strategy:
@ -1055,12 +1055,12 @@ pushgateway:
alertmanagerFiles:
alertmanager.yml:
global:
slack_api_url: #@ data.values.prometheus.alertmanager.slack.apiUrl
slack_api_url: #@ data.values.monitoring.prometheus.alertmanager.slack.apiUrl
receivers:
- name: gerrit-admin
slack_configs:
- channel: #@ data.values.prometheus.alertmanager.slack.channel
- channel: #@ data.values.monitoring.prometheus.alertmanager.slack.channel
send_resolved: true
title: "{{ range .Alerts }}{{ .Annotations.summary }}\n{{ end }}"
text: "{{ range .Alerts }}{{ .Annotations.description }}\n{{ end }}"

View file

@ -28,8 +28,8 @@ loki:
serviceName: #@ "loki-{}".format(data.values.namespace)
servicePort: 3100
serviceScheme: http
user: #@ data.values.loki.username
password: #@ data.values.loki.password
user: #@ data.values.logging.loki.username
password: #@ data.values.logging.loki.password
nameOverride: #@ "promtail-{}".format(data.values.namespace, data.values.namespace)

View file

@ -19,47 +19,49 @@ namespace: namespace
tls:
skipVerify: true
caCert:
prometheus:
server:
host: prometheus.example.com
username:
password:
monitoring:
prometheus:
server:
host: prometheus.example.com
username:
password:
tls:
cert:
key:
alertmanager:
slack:
apiUrl: https://hooks.slack.com/services/xxx/xxx
channel: '#alerts'
grafana:
host: grafana.example.com
tls:
cert:
key:
alertmanager:
slack:
apiUrl: https://hooks.slack.com/services/xxx/xxx
channel: '#alerts'
loki:
host: loki.example.com
username:
password:
s3:
protocol: https
host: s3.eu-de-1.example.com
accessToken: abcd
secret: "1234"
bucket: bucket
region: eu-de-1
tls:
cert:
key:
grafana:
host: grafana.example.com
tls:
cert:
key:
admin:
username: admin
password: secret
ldap:
enabled: false
host:
port: ""
admin:
username: admin
password: secret
ldap:
enabled: false
host:
port: ""
password:
bind_dn:
accountBases: "[]"
groupBases: "[]"
dashboards:
editable: false
logging:
loki:
host: loki.example.com
username:
password:
bind_dn:
accountBases: "[]"
groupBases: "[]"
dashboards:
editable: false
s3:
protocol: https
host: s3.eu-de-1.example.com
accessToken: abcd
secret: "1234"
bucket: bucket
region: eu-de-1
tls:
cert:
key:

View file

@ -10,15 +10,15 @@ positions:
filename: #@ "{}/positions.yaml".format(data.values.gerritServers.other[i].promtail.storagePath)
clients:
- url: #@ "https://{}/loki/api/v1/push".format(data.values.loki.host)
- url: #@ "https://{}/loki/api/v1/push".format(data.values.logging.loki.host)
tls_config:
insecure_skip_verify: #@ data.values.tls.skipVerify
#@ if not data.values.tls.skipVerify:
ca_file: #@ "{}/promtail.ca.crt".format(data.values.gerritServers.other[i].promtail.storagePath)
#@ end
basic_auth:
username: #@ data.values.loki.username
password: #@ data.values.loki.password
username: #@ data.values.logging.loki.username
password: #@ data.values.logging.loki.password
scrape_configs:
- job_name: gerrit_error
static_configs: