initial

2025-01-20 10:50:26 +01:00 · 2025-01-20 10:50:26 +01:00 · 522fb5d9a0
commit 522fb5d9a0
5 changed files with 135 additions and 0 deletions
--- a/ingress.yml
+++ b/ingress.yml
@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production-http
+spec:
+  tls:
+    - hosts:
+        - grafana.saerbeck.ib-hottgenroth.de
+      secretName: grafana-cert
+  rules:
+    - host: grafana.saerbeck.ib-hottgenroth.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service: 
+                name: grafana3
+                port: 
+                  number: 80
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+ARG1=$1
+NAMESPACE=$(cat namespace)
+VERSION=8.8.3
+
+echo "Namespace: $NAMESPACE"
+
+
+. ~/Workspace/MyKubernetesEnv/ENVDB1
+
+if [ "$ARG1" = "initial" ]; then
+  psql << EOF
+create user saerbeckgrafana;
+commit;
+create database saerbeckgrafana with owner saerbeckgrafana;
+EOF
+fi
+
+./roll-db-credential.sh
+
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+helm upgrade --install -f values.yml grafana3 grafana/grafana --version $VERSION --namespace=$NAMESPACE
+
+kubectl annotate deployments grafana3 -n $NAMESPACE --overwrite=true secret.reloader.stakater.com/reload=grafana-db-cred
+
+kubectl -f ingress.yml -n $NAMESPACE apply
+
--- a/1
+++ b/1
@ -0,0 +1 @@
+saerbeck
--- a/roll-db-credential.sh
+++ b/roll-db-credential.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+
+
+DATABASE=saerbeckgrafana
+LOGIN=saerbeckgrafana
+PASSWORD=`openssl rand -base64 24`
+NAMESPACE=$(cat namespace)
+
+. ~/Workspace/MyKubernetesEnv/ENVDB1
+
+psql <<EOF
+do
+\$\$
+begin
+  if not exists (SELECT * FROM pg_user WHERE usename = '$LOGIN') then
+    CREATE USER $LOGIN WITH PASSWORD '$PASSWORD';
+  else
+    ALTER USER $LOGIN WITH PASSWORD '$PASSWORD';
+  end if;
+  GRANT ALL PRIVILEGES ON DATABASE $DATABASE TO $LOGIN;
+end
+\$\$
+;
+commit;
+EOF
+
+kubectl create secret generic grafana-db-cred \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=GF_DATABASE_USER="$LOGIN" \
+  --from-literal=GF_DATABASE_PASSWORD="$PASSWORD" | \
+kubectl apply -f - -n $NAMESPACE
+
+
--- a/values.yml
+++ b/values.yml
@ -0,0 +1,48 @@
+persistence:
+  enabled: true
+  storageClassName: nfs-client
+
+grafana.ini:
+  server:
+    root_url: https://grafana.saerbeck.ib-hottgenroth.de
+  smtp:
+    enabled: true
+    host: smtp.system.svc.cluster.local
+    from_address: saerbeckgrafana@ib-hottgenroth.de
+    from_name: "Saerbeck Grafana Pseudouser"
+  log:
+    level: debug
+  emails:
+    welcome_email_on_sign_up: true
+  security:
+    cookie_secure: true
+    cookie_samesite: none
+  auth.generic_oauth:
+    enabled: true
+    name: Hottis via Keycloak
+    allow_sign_up: true
+    client_id: saerbeckgrafana
+    scopes: openid email profile offline_access roles
+    email_attribute_path: email
+    login_attribute_path: username
+    name_attribute_path: fullname
+    auth_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/auth
+    token_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token
+    api_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo
+    role_attribute_path: "contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || contains(roles[*], 'Viewer') && 'Viewer'"
+    role_attribute_strict: true
+    allow_assign_grafana_admin: true
+    tls_skip_verify_insecure: true
+  database:
+    type: postgres
+    host: database.database1.svc.cluster.local
+    name: saerbeckgrafana
+    ssl_mode: require
+
+# add the oauth client secret in this secret with the key GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+# example:
+# kubectl create secret generic grafana-oauth-secret --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="geheim"
+envFromSecrets:
+  - name: grafana-oauth-secret
+  - name: grafana-db-cred
+