initial

2025-01-20 10:50:26 +01:00 · 2025-01-20 10:50:26 +01:00 · 522fb5d9a0
commit 522fb5d9a0
5 changed files with 135 additions and 0 deletions
--- a/ingress.yml
+++ b/ingress.yml
@ -0,0 +1,22 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: grafana
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production-http
 spec:
  tls:
    - hosts:
        - grafana.saerbeck.ib-hottgenroth.de
      secretName: grafana-cert
  rules:
    - host: grafana.saerbeck.ib-hottgenroth.de
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: 
                name: grafana3
                port: 
                  number: 80
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,29 @@
 #!/bin/bash
 ARG1=$1
 NAMESPACE=$(cat namespace)
 VERSION=8.8.3
 echo "Namespace: $NAMESPACE"
 . ~/Workspace/MyKubernetesEnv/ENVDB1
 if [ "$ARG1" = "initial" ]; then
  psql << EOF
 create user saerbeckgrafana;
 commit;
 create database saerbeckgrafana with owner saerbeckgrafana;
 EOF
 fi
 ./roll-db-credential.sh
 helm repo add grafana https://grafana.github.io/helm-charts
 helm repo update
 helm upgrade --install -f values.yml grafana3 grafana/grafana --version $VERSION --namespace=$NAMESPACE
 kubectl annotate deployments grafana3 -n $NAMESPACE --overwrite=true secret.reloader.stakater.com/reload=grafana-db-cred
 kubectl -f ingress.yml -n $NAMESPACE apply
--- a/1
+++ b/1
@ -0,0 +1 @@
 saerbeck
--- a/roll-db-credential.sh
+++ b/roll-db-credential.sh
@ -0,0 +1,35 @@
 #!/bin/bash
 DATABASE=saerbeckgrafana
 LOGIN=saerbeckgrafana
 PASSWORD=`openssl rand -base64 24`
 NAMESPACE=$(cat namespace)
 . ~/Workspace/MyKubernetesEnv/ENVDB1
 psql <<EOF
 do
 \$\$
 begin
  if not exists (SELECT * FROM pg_user WHERE usename = '$LOGIN') then
    CREATE USER $LOGIN WITH PASSWORD '$PASSWORD';
  else
    ALTER USER $LOGIN WITH PASSWORD '$PASSWORD';
  end if;
  GRANT ALL PRIVILEGES ON DATABASE $DATABASE TO $LOGIN;
 end
 \$\$
 ;
 commit;
 EOF
 kubectl create secret generic grafana-db-cred \
  --dry-run=client \
  -o yaml \
  --save-config \
  --from-literal=GF_DATABASE_USER="$LOGIN" \
  --from-literal=GF_DATABASE_PASSWORD="$PASSWORD" | \
 kubectl apply -f - -n $NAMESPACE
--- a/values.yml
+++ b/values.yml
@ -0,0 +1,48 @@
 persistence:
  enabled: true
  storageClassName: nfs-client
 grafana.ini:
  server:
    root_url: https://grafana.saerbeck.ib-hottgenroth.de
  smtp:
    enabled: true
    host: smtp.system.svc.cluster.local
    from_address: saerbeckgrafana@ib-hottgenroth.de
    from_name: "Saerbeck Grafana Pseudouser"
  log:
    level: debug
  emails:
    welcome_email_on_sign_up: true
  security:
    cookie_secure: true
    cookie_samesite: none
  auth.generic_oauth:
    enabled: true
    name: Hottis via Keycloak
    allow_sign_up: true
    client_id: saerbeckgrafana
    scopes: openid email profile offline_access roles
    email_attribute_path: email
    login_attribute_path: username
    name_attribute_path: fullname
    auth_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/auth
    token_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token
    api_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo
    role_attribute_path: "contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || contains(roles[*], 'Viewer') && 'Viewer'"
    role_attribute_strict: true
    allow_assign_grafana_admin: true
    tls_skip_verify_insecure: true
  database:
    type: postgres
    host: database.database1.svc.cluster.local
    name: saerbeckgrafana
    ssl_mode: require
 # add the oauth client secret in this secret with the key GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
 # example:
 # kubectl create secret generic grafana-oauth-secret --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="geheim"
 envFromSecrets:
  - name: grafana-oauth-secret
  - name: grafana-db-cred