Monitoring deployment

deployments/ocis-monitoring/README.md

@@ -0,0 +1,48 @@
+# oCIS with monitoring deployment example
+
+## Introduction
+
+This example shows how to deploy oCIS with monitoring, in this case Grafana.
+
+***Note***: This example is not intended for production use. It is intended to get a working oCIS
+with Grafana running in Kubernetes as quickly as possible. It is not hardened in any way. This also applies to password and http usage, so the password for Grafana at the beginning of the `helmfile` should be changed. This example uses unencypted HTTP between the Grafana-Agent and mimir/loki/tempo.
+
+## Getting started
+
+### Prerequisites
+
+This example requires the following things to be installed:
+
+- [Kubernetes](https://kubernetes.io/) cluster, with an ingress controller installed.
+- [Helm](https://helm.sh/) v3
+- [Helmfile](https://github.com/helmfile/helmfile)
+
+### End result
+
+After following the steps in this guide, you should be able to access the following endpoint, you
+may want to add these to your `/etc/hosts` file pointing to your ingress controller IP:
+
+- https://ocis.kube.owncloud.test
+- https://grafana.kube.owncloud.test
+
+Note that if you want to use your own hostname and domain, you will have to change the `externalDomain` value in oCIS and the Domains for Loki, Mimir and Tempo at the beginning of the `helmfile`. Please also ensure that the hostnames for Loki, Mimir and Tempo can be resolved within the cluster.
+
+### Deploying
+
+In this directory, run the following commands:
+
+```bash
+$ helmfile sync
+```
+
+This will deploy oCIS and Grafana.
+
+### Logging in
+
+You can get the admin password with the following command:
+
+```bash
+$ kubectl -n ocis get secrets/admin-user --template='{{.data.password | base64decode | printf "%s\n" }}'
+```
+
+You can use this password to login with the user `admin`.

deployments/ocis-monitoring/grafana-agent/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: grafana-agent
+type: application
+version: 0.0.0

deployments/ocis-monitoring/grafana-agent/templates/grafana-agent.yaml

@@ -0,0 +1,171 @@
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-agent
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: grafana-agent
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - nodes/proxy
+  - nodes/metrics
+  - services
+  - endpoints
+  - pods
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- nonResourceURLs:
+  - /metrics
+  - /metrics/cadvisor
+  verbs:
+  - get
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grafana-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: grafana-agent
+subjects:
+- kind: ServiceAccount
+  name: grafana-agent
+  namespace: grafana-agent
+
+---
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: GrafanaAgent
+metadata:
+  name: grafana-agent-metrics
+  labels:
+    app: grafana-agent-metrics
+spec:
+  {{- with .Values.imagePullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
+  # resources:
+  #   requests:
+  #     cpu: 500m
+  #     memory: 11Gi
+  image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+  logLevel: info
+  serviceAccountName: grafana-agent
+  metrics:
+    instanceSelector:
+      matchLabels:
+        agent: grafana-agent-metrics
+    externalLabels:
+      cluster: {{ .Values.clusterName }}
+
+  integrations:
+    selector:
+      matchLabels:
+        agent: grafana-agent-integrations
+
+---
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: GrafanaAgent
+metadata:
+  name: grafana-agent-logs
+  labels:
+    app: grafana-agent-logs
+spec:
+  {{- with .Values.imagePullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 8 }}
+  {{- end }}
+  image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+  logLevel: info
+  resources:
+    requests:
+      cpu: 100m
+      memory: 300Mi
+  serviceAccountName: grafana-agent
+
+  logs:
+    instanceSelector:
+      matchLabels:
+        agent: grafana-agent-logs
+    clients:
+      # default value, is overwritten in LogsInstance
+      - url: http://{{ .Values.remoteLokiHost }}/loki/api/v1/push
+        externalLabels:
+          cluster: {{ .Values.clusterName }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: extra-jobs
+stringData:
+  jobs.yaml: |
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: integrations/kubernetes/kubelet
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        source_labels: [__meta_kubernetes_node_name]
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        target_label: __metrics_path__
+      - action: hashmod
+        modulus: $(SHARDS)
+        source_labels:
+        - __address__
+        target_label: __tmp_hash
+      - action: keep
+        regex: $(SHARD)
+        source_labels:
+        - __tmp_hash
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: integrations/kubernetes/cadvisor
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      - action: hashmod
+        modulus: $(SHARDS)
+        source_labels:
+        - __address__
+        target_label: __tmp_hash
+      - action: keep
+        regex: $(SHARD)
+        source_labels:
+        - __tmp_hash
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

deployments/ocis-monitoring/grafana-agent/templates/logs-instance.yaml

@@ -0,0 +1,28 @@
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: LogsInstance
+metadata:
+  name: primary
+  labels:
+    agent: grafana-agent-logs
+spec:
+  clients:
+    - url: http://{{ .Values.remoteLokiHost }}/loki/api/v1/push
+      basicAuth:
+        username:
+          name: primary-credentials-logs
+          key: username
+        password:
+          name: primary-credentials-logs
+          key: password
+      headers:
+        ## TODO template to have the same value in grafana datasources.yaml
+        X-Scope-OrgID: monitoring-dev
+      externalLabels:
+        cluster: {{ .Values.clusterName }}
+
+  # Supply an empty namespace selector to look in all namespaces. Remove
+  # this to only look in the same namespace as the LogsInstance CR
+  podLogsNamespaceSelector: {}
+  podLogsSelector:
+    matchLabels:
+      instance: primary

deployments/ocis-monitoring/grafana-agent/templates/logs-secrets.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: primary-credentials-logs
+stringData:
+  username: {{ .Values.loki.username }}
+  password: {{ .Values.loki.password }}

deployments/ocis-monitoring/grafana-agent/templates/metrics-instance.yaml

@@ -0,0 +1,54 @@
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: MetricsInstance
+metadata:
+  name: grafana-agent-metrics
+  namespace: grafana-agent
+  labels:
+    agent: grafana-agent-metrics
+spec:
+  remoteWrite:
+    - url: http://{{ .Values.remoteMimirHost }}/api/v1/push
+      basicAuth:
+        username:
+          name: primary-credentials-metrics
+          key: username
+        password:
+          name: primary-credentials-metrics
+          key: password
+      headers:
+        ## TODO template to have the same value in grafana datasources.yaml
+        X-Scope-OrgID: monitoring-dev
+
+  # As an alternative authentication method, Grafana Agent also supports OAuth2.
+  # - url: your_remote_write_URL
+  #   oauth2:
+  #     clientId:
+  #       secret:
+  #         key: username # Kubernetes Secret Key
+  #         name: primary-credentials-metrics # Kubernetes Secret Name
+  #     clientSecret:
+  #       key: password # Kubernetes Secret Key
+  #       name: primary-credentials-metrics # Kubernetes Secret Name
+  #     tokenUrl: https://auth.example.com/realms/master/protocol/openid-connect/token
+
+
+  # Supply an empty namespace selector to look in all namespaces. Remove
+  # this to only look in the same namespace as the MetricsInstance CR
+  serviceMonitorNamespaceSelector: {}
+  serviceMonitorSelector: {}
+    # matchLabels:
+    #   instance: primary
+
+  # Supply an empty namespace selector to look in all namespaces. Remove
+  # this to only look in the same namespace as the MetricsInstance CR.
+  podMonitorNamespaceSelector: {}
+  podMonitorSelector: {}
+    # matchLabels:
+    #   instance: primary
+
+  # Supply an empty namespace selector to look in all namespaces. Remove
+  # this to only look in the same namespace as the MetricsInstance CR.
+  probeNamespaceSelector: {}
+  probeSelector:
+    matchLabels:
+      instance: primary

deployments/ocis-monitoring/grafana-agent/templates/metrics-secrets.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: primary-credentials-metrics
+stringData:
+  username: {{ .Values.mimir.username }}
+  password: {{ .Values.mimir.password }}

deployments/ocis-monitoring/grafana-agent/templates/pod-logs.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.grafana.com/v1alpha1
+kind: PodLogs
+metadata:
+  labels:
+    instance: primary
+  name: kubernetes-pods
+spec:
+  pipelineStages:
+    - cri: {}
+    - replace:
+        expression: (([[:alnum:]]+).:)
+        replace: "{{`{{ .Value | ToLower }}`}}"
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels: {}