feat(base-cluster/monitoring): cleanup values, add grafana settings

charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml

@@ -0,0 +1,7 @@
+monitoring:
+  prometheus:
+    ingress:
+      enabled: true
+    alertmanager:
+      ingress:
+        enabled: true

charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml

@@ -0,0 +1,14 @@
+global:
+  authentication:
+    config:
+      clientId: clientId
+      clientSecret: clientSecret
+      issuerHost: host.de
+      issuerPath: /oidc
+monitoring:
+  prometheus:
+    ingress:
+      enabled: false
+    alertmanager:
+      ingress:
+        enabled: false

charts/base-cluster/ci/monitoring-oidc-values.yaml

@@ -0,0 +1,12 @@
+global:
+  authentication:
+    config:
+      clientId: clientId
+      clientSecret: clientSecret
+      issuerHost: keycloak.de
+      issuerPath: /auth/realms/test
+    grafana:
+      apiPath: /outh2/userinfo/grafana
+      authenticationPath: /OAuth2/Authorize/grafana
+      tokenPath: /OAuth2/Token/grafana
+      roleAttributePath: "contains(groups, 'admin') && 'Admin' || Viewer"

charts/base-cluster/templates/global/_reflector.tpl

@@ -9,5 +9,5 @@
       {{- $needsReflector = not (empty (.context.Values.global.imageCredentials | keys)) -}}
     {{- end -}}
   {{- end -}}
-  {{- $needsReflector -}}
-{{- end }}
+  {{- $needsReflector | ternary true "" -}}
+{{- end }}

charts/base-cluster/templates/global/certificates.yaml

@@ -45,7 +45,7 @@ spec:
     name: letsencrypt-production
   dnsNames: {{- $cert.dnsNames | toYaml | nindent 4 }}
   secretName: {{ printf "%s-certificate" $name | quote }}
-  {{- if eq (include "base-cluster.reflector.enabled" (dict "context" $.context)) "true" }}
+  {{- if include "base-cluster.reflector.enabled" (dict "context" $.context) }}
   secretTemplate:
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"

charts/base-cluster/templates/global/imagePullSecrets.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: {{ $.Release.Namespace }}
   labels: {{- include "common.labels.standard" $ | nindent 4 }}
   annotations:
-    {{ if eq (include "base-cluster.reflector.enabled" (dict "context" $)) "true" -}}
+    {{ if include "base-cluster.reflector.enabled" (dict "context" $) -}}
     reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
     reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
     {{ if not (typeIs "string" ($cred.targetNamespaces | default "ALL")) }}

charts/base-cluster/templates/global/reflector.yaml

@@ -1,4 +1,4 @@
-{{- if eq (include "base-cluster.reflector.enabled" (dict "context" .)) "true" -}}
+{{- if include "base-cluster.reflector.enabled" (dict "context" .) -}}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml

@@ -5,13 +5,13 @@ enabled: false # TODO dependent on routes/receivers
 {{- if false }}
 podDisruptionBudget:
   enabled: true
-{{- if and (empty .Values.global.authentication.config.clientId) .Values.monitoring.prometheus.alertmanager.ingress.enabled }}
+{{- if include "base-cluster.monitoring.unauthenticated-ingress.enabled" (dict "name" "alertmanager" "context" .) }}
   {{- include "base-cluster.monitoring.ingress" (dict "name" "alertmanager" "context" $) | nindent 0 }}
 {{- end }}
 alertmanagerSpec:
   replicas: {{ .Values.monitoring.prometheus.alertmanager.replicas }}
   podAntiAffinity: soft
-  {{- if and .Values.global.authentication.config.clientId (or (empty .Values.monitoring.prometheus.ingress.enabled) .Values.monitoring.prometheus.ingress.enabled) }}
+  {{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .) }}
   externalUrl: https://{{ include "base-cluster.alertmanager.host" $ }}
   {{- end }}
   retention: {{ .Values.monitoring.prometheus.alertmanager.retentionDuration }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml

@@ -153,6 +153,21 @@ dashboards:
 grafana.ini:
   auth:
     signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
+  {{- if .Values.global.authentication.config.clientId }}
+    oauth_auto_login: true
+    disable_login_form: true
+  auth.generic_oauth:
+    enabled: true
+    allow_sign_up: true
+    api_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.apiPath }}
+    auth_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.authenticationPath }}
+    token_url: {{ printf "https://%s%s" .Values.global.authentication.config.issuerHost .Values.global.authentication.grafana.tokenPath }}
+    client_id: {{ .Values.global.authentication.config.clientId }}
+    client_secret: {{ .Values.global.authentication.config.clientSecret }}
+    name: OAuth
+    role_attribute_path: {{ .Values.global.authentication.grafana.roleAttributePath }}
+    scopes: openid profile email
+  {{- end }}
   server:
     root_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }}
 {{- end }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml

@@ -44,7 +44,7 @@ privileged: false
   {{- if not $ingress -}}
     {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}}
   {{- end -}}
-  {{- and (empty .Values.global.authentication.config.clientId) $ingress.enabled -}}
+  {{- and (empty .Values.global.authentication.config.clientId) $ingress.enabled | ternary true "" -}}
 {{- end -}}
 
 {{- define "base-cluster.monitoring.authenticated-ingress.enabled" -}}
@@ -53,5 +53,5 @@ privileged: false
   {{- if not $ingress -}}
     {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}}
   {{- end -}}
-  {{- and .Values.global.authentication.config.clientId (or (empty $ingress.enabled) $ingress.enabled) -}}
+  {{- and .Values.global.authentication.config.clientId (dig "enabled" true $ingress) | ternary true "" -}}
 {{- end -}}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml

@@ -1,6 +1,6 @@
 {{- define "base-cluster.prometheus-stack.prometheus.config" -}}
 enabled: true
-{{- if and (empty .Values.global.authentication.config.clientId) .Values.monitoring.prometheus.ingress.enabled }}
+{{- if include "base-cluster.monitoring.unauthenticated-ingress.enabled" (dict "name" "prometheus" "context" .) }}
   {{- include "base-cluster.monitoring.ingress" (dict "name" "prometheus" "context" $) | nindent 0 }}
 {{- end }}
 prometheusSpec:
@@ -9,7 +9,7 @@ prometheusSpec:
     name: additional-alertmanager-configs
     key: prometheus-additional-alertmanager-configs.yaml
   {{- end }}
-  {{- if and .Values.global.authentication.config.clientId (or (empty .Values.monitoring.prometheus.ingress.enabled) .Values.monitoring.prometheus.ingress.enabled) }}
+  {{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .) }}
   externalUrl: {{ printf "https://%s" (include "base-cluster.prometheus.host" $) }}
   {{- end }}
   resources: {{- .Values.monitoring.prometheus.resources | toYaml | nindent 4 }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/grafana-secret.yaml

@@ -13,4 +13,4 @@ data:
   username: {{ "admin" | b64enc }}
   # This might change on every `template` call, this can be ignored
   password: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "password" "providedValues" (list "monitoring.grafana.adminPassword") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
-{{- end }}
+{{- end }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled (or (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .)) (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .))) }}
+{{- $name := include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $name }}
+  namespace: monitoring
+  labels: {{- include "common.labels.stable" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth-proxy
+    app.kubernetes.io/part-of: monitoring
+type: Opaque
+data:
+  # This might change on every `template` call, this can be ignored
+  cookieSecret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookieSecret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
+  clientID: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+  clientSecret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+{{- end }}

charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml

@@ -0,0 +1,108 @@
+{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled }}
+{{- $backends := list -}}
+{{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .) -}}
+  {{- $backends = append $backends (dict "host" "prometheus" "port" 9090) -}}
+{{- end -}}
+{{- if and (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .)) false -}}
+  {{- $backends = append $backends (dict "host" "alertmanager" "port" 9093) -}}
+{{- end -}}
+{{- range $backend := $backends }}
+  {{- $host := $backend.host -}}
+  {{- $port := $backend.port -}}
+  {{- $targetServiceName := printf "%s-%s" (include "common.names.dependency.fullname" (dict "chartName" "kube-prometheus-stack" "chartValues" (dict) "context" (dict "Release" (dict "Name" "kube-prometheus-stack")))) $host -}}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cluster-{{ $host }}-oauth-proxy
+  namespace: monitoring
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth-proxy
+    app.kubernetes.io/part-of: prometheus
+spec:
+  chart:
+    spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
+  interval: 1h
+  values:
+    redis:
+      enabled: false
+  {{- if $.Values.global.imageRegistry }}
+    global:
+      imageRegistry: {{ $.Values.global.imageRegistry }}
+  {{- end }}
+    ingress:
+      enabled: true
+      hostname: {{ include (printf "base-cluster.%s.host" $host) $ }}
+      extraTls: |-
+        - hosts:
+          - {{ "{{ .Values.ingress.hostname }}" }}
+          secretName: cluster-wildcard-certificate
+    replicaCount: 2
+    pdb:
+      create: true
+      minAvailable: 1
+      maxUnavailable: ""
+    podSecurityContext:
+      enabled: true
+    containerSecurityContext:
+      enabled: true
+    resources: {{- toYaml $.Values.global.authentication.oauthProxy.resources | nindent 6 }}
+    configuration:
+      existingSecret: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
+      content: |-
+        provider = "oidc"
+        reverse_proxy = true
+        oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }}
+        skip_provider_button = true
+        {{- if $.Values.global.authentication.oauthProxy.emailDomains }}
+        email_domains = [ "{{ $.Values.global.authentication.oauthProxy.emailDomains | join "\", \"" }}" ]
+        {{- end }}
+        upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ]
+{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: cluster-{{ $host }}-oauth-proxy
+  namespace: monitoring
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth
+    app.kubernetes.io/part-of: prometheus
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: monitoring-cluster-{{ $host }}-oauth-proxy
+  ingress:
+    - fromRequires:
+        - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.ingressLabels "context" $) | nindent 12 }}
+      toPorts:
+        - ports:
+            - port: "4180"
+              protocol: TCP
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: {{ $host | quote }}
+            io.kubernetes.pod.namespace: monitoring
+      toPorts:
+        - ports:
+            - port: {{ $port | quote }}
+              protocol: TCP
+    - toFQDNs:
+        - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    - toEndpoints:
+        - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.dnsLabels "context" $) | nindent 12 }}
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+{{- end }}
+---
+{{- end }}
+{{- end }}