diff --git a/charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml b/charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml
new file mode 100644
index 000000000..bb2f884ee
--- /dev/null
+++ b/charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml
@@ -0,0 +1,7 @@
+monitoring:
+ prometheus:
+ ingress:
+ enabled: true
+ alertmanager:
+ ingress:
+ enabled: true
diff --git a/charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml b/charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml
new file mode 100644
index 000000000..193bfd782
--- /dev/null
+++ b/charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml
@@ -0,0 +1,14 @@
+global:
+ authentication:
+ config:
+ clientId: clientId
+ clientSecret: clientSecret
+ issuerHost: host.de
+ issuerPath: /oidc
+monitoring:
+ prometheus:
+ ingress:
+ enabled: false
+ alertmanager:
+ ingress:
+ enabled: false
diff --git a/charts/base-cluster/ci/monitoring-oidc-values.yaml b/charts/base-cluster/ci/monitoring-oidc-values.yaml
new file mode 100644
index 000000000..2d47ae96b
--- /dev/null
+++ b/charts/base-cluster/ci/monitoring-oidc-values.yaml
@@ -0,0 +1,12 @@
+global:
+ authentication:
+ config:
+ clientId: clientId
+ clientSecret: clientSecret
+ issuerHost: keycloak.de
+ issuerPath: /auth/realms/test
+ grafana:
+ apiPath: /outh2/userinfo/grafana
+ authenticationPath: /OAuth2/Authorize/grafana
+ tokenPath: /OAuth2/Token/grafana
+ roleAttributePath: "contains(groups, 'admin') && 'Admin' || Viewer"
diff --git a/charts/base-cluster/templates/_hosts.tpl b/charts/base-cluster/templates/_hosts.tpl
index 29d095302..97169c958 100644
--- a/charts/base-cluster/templates/_hosts.tpl
+++ b/charts/base-cluster/templates/_hosts.tpl
@@ -6,15 +6,15 @@ {{- if .Values.monitoring.grafana.ingress.customDomain -}} {{- .Values.monitoring.grafana.ingress.customDomain -}} {{- else -}} - {{- printf "%s.%s" (required "You must provide a host for the grafana server" .Values.monitoring.grafana.ingress.host) (include "base-cluster.domain" $) }} + {{- printf "%s.%s" (required "You must provide a host for the grafana server" .Values.monitoring.grafana.ingress.host) (include "base-cluster.domain" $) -}} {{- end -}} {{- end -}} {{- define "base-cluster.prometheus.host" -}} {{- if .Values.monitoring.prometheus.ingress.customDomain -}} {{- .Values.monitoring.prometheus.ingress.customDomain -}} - {{- else -}} - {{- printf "%s.%s" (required "You must provide a host for the prometheus server" .Values.monitoring.prometheus.ingress.host) (include "base-cluster.domain" $) }} + {{- else -}} + {{- printf "%s.%s" (required "You must provide a host for the prometheus server" .Values.monitoring.prometheus.ingress.host) (include "base-cluster.domain" $) -}} {{- end -}} {{- end -}} @@ -22,6 +22,6 @@ {{- if .Values.monitoring.prometheus.alertmanager.ingress.customDomain -}} {{- .Values.monitoring.prometheus.alertmanager.ingress.customDomain -}} {{- else -}} - {{- printf "%s.%s" (required "You must provide a host for the prometheus alertmanager server" .Values.monitoring.prometheus.alertmanager.ingress.host) (include "base-cluster.domain" $) }} + {{- printf "%s.%s" (required "You must provide a host for the prometheus alertmanager server" .Values.monitoring.prometheus.alertmanager.ingress.host) (include "base-cluster.domain" $) -}} {{- end -}} {{- end -}} diff --git a/charts/base-cluster/templates/global/_reflector.tpl b/charts/base-cluster/templates/global/_reflector.tpl index 8a46ed9b3..84df0bf83 100644 --- a/charts/base-cluster/templates/global/_reflector.tpl +++ b/charts/base-cluster/templates/global/_reflector.tpl 
@@ -9,5 +9,5 @@ {{- $needsReflector = not (empty (.context.Values.global.imageCredentials | keys)) -}} {{- end -}} {{- end -}} - {{- $needsReflector -}} -{{- end }} \ No newline at end of file + {{- $needsReflector | ternary true "" -}} +{{- end }} diff --git a/charts/base-cluster/templates/global/certificates.yaml b/charts/base-cluster/templates/global/certificates.yaml index 0aa614cf5..378d23207 100644 --- a/charts/base-cluster/templates/global/certificates.yaml +++ b/charts/base-cluster/templates/global/certificates.yaml @@ -45,7 +45,7 @@ spec: name: letsencrypt-production dnsNames: {{- $cert.dnsNames | toYaml | nindent 4 }} secretName: {{ printf "%s-certificate" $name | quote }} - {{- if eq (include "base-cluster.reflector.enabled" (dict "context" $.context)) "true" }} + {{- if include "base-cluster.reflector.enabled" (dict "context" $.context) }} secretTemplate: annotations: reflector.v1.k8s.emberstack.com/reflection-allowed: "true" diff --git a/charts/base-cluster/templates/global/imagePullSecrets.yaml b/charts/base-cluster/templates/global/imagePullSecrets.yaml index 21691a546..cc7b7d26e 100644 --- a/charts/base-cluster/templates/global/imagePullSecrets.yaml +++ b/charts/base-cluster/templates/global/imagePullSecrets.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "common.labels.standard" $ | nindent 4 }} annotations: - {{ if eq (include "base-cluster.reflector.enabled" (dict "context" $)) "true" -}} + {{ if include "base-cluster.reflector.enabled" (dict "context" $) -}} reflector.v1.k8s.emberstack.com/reflection-allowed: "true" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" {{ if not (typeIs "string" ($cred.targetNamespaces | default "ALL")) }} diff --git a/charts/base-cluster/templates/global/reflector.yaml b/charts/base-cluster/templates/global/reflector.yaml index 3a8e379aa..345330118 100644 --- a/charts/base-cluster/templates/global/reflector.yaml 
+++ b/charts/base-cluster/templates/global/reflector.yaml @@ -1,4 +1,4 @@ -{{- if eq (include "base-cluster.reflector.enabled" (dict "context" .)) "true" -}} +{{- if include "base-cluster.reflector.enabled" (dict "context" .) -}} apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml index f6e35b45a..73a657801 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_alertmanager-config.yaml @@ -2,18 +2,16 @@ enabled: false # TODO dependent on routes/receivers # TODO routes # TODO receivers - {{- if false }} +{{- if false }} podDisruptionBudget: enabled: true - {{- if false }} # TODO ingress -{{/* {{- if not (empty .Values.monitoring.prometheus.authentication.enabled | ternary .Values.global.authentication.enabled .Values.monitoring.prometheus.authentication.enabled) }}*/}} +{{- if include "base-cluster.monitoring.unauthenticated-ingress.enabled" (dict "name" "alertmanager" "context" .) }} {{- include "base-cluster.monitoring.ingress" (dict "name" "alertmanager" "context" $) | nindent 0 }} - {{- end }} +{{- end }} alertmanagerSpec: replicas: {{ .Values.monitoring.prometheus.alertmanager.replicas }} podAntiAffinity: soft - {{- if false }} # TODO ingress -{{/* {{- if empty .Values.monitoring.prometheus.authentication.enabled | ternary .Values.global.authentication.enabled .Values.monitoring.prometheus.authentication.enabled }}*/}} + {{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .) }} externalUrl: https://{{ include "base-cluster.alertmanager.host" $ }} {{- end }} retention: {{ .Values.monitoring.prometheus.alertmanager.retentionDuration }} 
@@ -28,5 +26,5 @@ alertmanagerSpec: storage: {{ .Values.monitoring.prometheus.alertmanager.persistence.size }} alertmanagerConfigSelector: matchLabels: {{- .Values.monitoring.labels | toYaml | nindent 6 }} - {{- end }} +{{- end }} {{- end -}} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml index bdad94488..fd4a54219 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml 
@@ -132,19 +132,34 @@ dashboards: {{- with .Values.monitoring.grafana.additionalDashboards }} {{ . | toYaml | nindent 4 }} {{- end }} - {{- include "base-cluster.monitoring.ingress" (dict "name" "grafana" "context" $) | nindent 0 }} -grafana.ini: {{- .Values.monitoring.grafana.config | mergeOverwrite (include "base-cluster.prometheus-stack.grafana.config-ini" . | fromYaml) | toYaml | nindent 2 }} +{{- include "base-cluster.monitoring.ingress" (dict "name" "grafana" "context" $) | nindent 0 }} +{{- if and .Values.ingress.enabled .Values.monitoring.grafana.ingress.enabled .Values.certManager.email (or .Values.global.baseDomain .Values.monitoring.grafana.ingress.customDomain) }} +grafana.ini: + auth: + signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }} + {{- with .Values.global.authentication }} + {{- if .config.clientId }} + {{- $issuerUrl := printf "https://%s%s" .config.issuerHost .config.issuerPath}} + oauth_auto_login: true + disable_login_form: true + auth.generic_oauth: + enabled: true + allow_sign_up: true + api_url: {{ printf "%s%s" $issuerUrl .grafana.apiPath }} + auth_url: {{ printf "%s%s" $issuerUrl .grafana.authenticationPath }} + token_url: {{ printf "%s%s" $issuerUrl .grafana.tokenPath }} + client_id: {{ .config.clientId }} + client_secret: {{ .config.clientSecret }} + name: OAuth + role_attribute_path: {{ .grafana.roleAttributePath }} + scopes: openid profile email + {{- end }} + {{- end }} + server: + root_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }} +{{- end }} downloadDashboards: securityContext: {{- include "base-cluster.prometheus-stack.containerSecurityContext" (dict) | nindent 4 }} initChownData: enabled: false {{- end -}} - -{{- define "base-cluster.prometheus-stack.grafana.config-ini" -}} - {{- if and .Values.certManager.email .Values.global.baseDomain -}} -auth: - signout_redirect_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) 
}} -server: - root_url: {{ printf "https://%s" (include "base-cluster.grafana.host" .) }} - {{- end -}} -{{- end -}} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml index 0ee5c8366..480a269ef 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml @@ -1,10 +1,14 @@ {{- define "base-cluster.monitoring.ingress" -}} - {{- $ingress := dig .name "ingress" nil .context.Values.monitoring | required (printf "You need to set the `ingress` for %s" .name) -}} - {{- if and .context.Values.certManager.email $ingress.enabled .context.Values.ingress.enabled (or .context.Values.global.baseDomain $ingress.customDomain) -}} + {{- $_ := set . "Values" .context.Values -}} + {{- $ingress := dig .name "ingress" nil .Values.monitoring -}} + {{- if not $ingress -}} + {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}} + {{- end -}} + {{- if and .Values.certManager.email $ingress.enabled .Values.ingress.enabled (or .Values.global.baseDomain $ingress.customDomain) -}} {{- $host := include (printf "base-cluster.%s.host" .name) .context -}} ingress: enabled: true - {{- if or (not .context.Values.dns.provider) $ingress.customDomain }} + {{- if or (not .Values.dns.provider) $ingress.customDomain }} annotations: kubernetes.io/tls-acme: "true" {{- end }} 
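Review bot: `client_secret: {{ .config.clientSecret }}` writes the OIDC client secret in clear text into the kube-prometheus-stack HelmRelease values, so anyone able to read HelmRelease objects or the Helm release storage in `monitoring` obtains it, whereas the oauth-proxy part of this commit keeps the same value in a Secret; Grafana accepts every `grafana.ini` key as an environment variable, so `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` populated from that Secret (via the grafana subchart's `envFromSecret`, if the pinned version supports it) would keep it out of the HelmRelease. Independently, `client_id`, `client_secret`, `api_url`, `auth_url`, `token_url` and `role_attribute_path` are emitted as plain scalars, so a value that starts with a quote, `&` or `*`, or contains `: ` or ` #`, breaks or retypes the YAML; pipe each through `| quote`. Dropping the `mergeOverwrite` with `.Values.monitoring.grafana.config` also removes the only operator override path for `grafana.ini`; if that is intended, the values.yaml hunk removing `config: {}` should say so in a comment. The enclosing define (presumably `base-cluster.prometheus-stack.grafana.config`) starts outside the hunk.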
@@ -24,3 +28,30 @@ capabilities: allowPrivilegeEscalation: false privileged: false {{- end -}} + +{{- define "base-cluster.alertmanager.ingress" -}} + {{- .Values.monitoring.prometheus.alertmanager.ingress | toYaml -}} +{{- end -}} + +{{- define "base-cluster.monitoring.ingress.enabled" -}} + {{- $_ := set . "Values" .context.Values -}} + {{- or (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" .name "context" .context)) (include "base-cluster.monitoring.unauthenticated-ingress.enabled" (dict "name" .name "context" .context)) -}} +{{- end -}} + +{{- define "base-cluster.monitoring.unauthenticated-ingress.enabled" -}} + {{- $_ := set . "Values" .context.Values -}} + {{- $ingress := dig .name "ingress" nil .Values.monitoring -}} + {{- if not $ingress -}} + {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}} + {{- end -}} + {{- and (empty .Values.global.authentication.config.clientId) (dig "enabled" false $ingress) | ternary true "" -}} +{{- end -}} + +{{- define "base-cluster.monitoring.authenticated-ingress.enabled" -}} + {{- $_ := set . "Values" .context.Values -}} + {{- $ingress := dig .name "ingress" nil .Values.monitoring -}} + {{- if not $ingress -}} + {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}} + {{- end -}} + {{- and (not (empty .Values.global.authentication.config.clientId)) (dig "enabled" true $ingress) | ternary true "" -}} +{{- end -}} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml index fb80a65c4..7fc8372ec 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml 
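Review bot: `base-cluster.monitoring.authenticated-ingress.enabled` ends with `dig "enabled" true $ingress`, and the values.yaml hunk `@@ -244,12 +266,10 @@` drops the `enabled: false` defaults for both ingresses, so setting `global.authentication.config.clientId` for Grafana implicitly turns on the Prometheus and Alertmanager ingresses and the oauth-proxy HelmRelease unless each is explicitly set to `enabled: false`. Exposure behind a proxy is still exposure; either default to `false` and require an opt-in, or document the implicit enablement in values.yaml next to `monitoring.prometheus.ingress`, e.g. `# enabled: defaults to true when global.authentication.config.clientId is set (served via oauth2-proxy), false otherwise`. The three new helpers repeat the same `dig`/`include | fromYaml` lookup; a shared `base-cluster.monitoring.ingress.values` helper would keep them from drifting. `base-cluster.monitoring.ingress.enabled` has no caller in this diff, as far as the hunks show.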
@@ -3,7 +3,6 @@ global: imageRegistry: {{ .Values.global.imageRegistry }} {{- end }} -grafana: {{- include "base-cluster.prometheus-stack.grafana.config" . | nindent 2 }} prometheusOperator: secretFieldSelector: 'type!=helm.sh/release.v1' resources: {{- .Values.monitoring.prometheus.operator.resources | toYaml | nindent 4 }} @@ -22,6 +21,7 @@ kubelet: serviceMonitor: resource: false commonLabels: {{- .Values.monitoring.labels | toYaml | nindent 2 }} +grafana: {{- include "base-cluster.prometheus-stack.grafana.config" . | nindent 2 }} kube-state-metrics: {{- include "base-cluster.prometheus-stack.kube-state-metrics.config" . | nindent 2 }} prometheus-node-exporter: {{- include "base-cluster.prometheus-stack.node-exporter.config" . | nindent 2 }} alertmanager: {{- include "base-cluster.prometheus-stack.alertmanager.config" . | nindent 2 }} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml index b664d123f..5d244c7e6 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus_config.yaml 
@@ -1,17 +1,15 @@ {{- define "base-cluster.prometheus-stack.prometheus.config" -}} enabled: true - {{- if false }} # TODO ingress -{{/* {{- if not (empty .Values.monitoring.prometheus.authentication.enabled | ternary .Values.global.authentication.enabled .Values.monitoring.prometheus.authentication.enabled) }}*/}} +{{- if include "base-cluster.monitoring.unauthenticated-ingress.enabled" (dict "name" "prometheus" "context" .) }} {{- include "base-cluster.monitoring.ingress" (dict "name" "prometheus" "context" $) | nindent 0 }} - {{- end }} +{{- end }} prometheusSpec: {{- if (lookup "v1" "Secret" "monitoring" "additional-alertmanager-configs") }} additionalAlertManagerConfigsSecret: name: additional-alertmanager-configs key: prometheus-additional-alertmanager-configs.yaml {{- end }} - {{- if false }} # TODO ingress -{{/* {{- if empty .Values.monitoring.prometheus.authentication.enabled | ternary .Values.global.authentication.enabled .Values.monitoring.prometheus.authentication.enabled }}*/}} + {{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .) }} externalUrl: {{ printf "https://%s" (include "base-cluster.prometheus.host" $) }} {{- end }} resources: {{- .Values.monitoring.prometheus.resources | toYaml | nindent 4 }} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/grafana-secret.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/grafana-secret.yaml index ce7a0bf2a..3d92555a5 100644 --- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/grafana-secret.yaml +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/grafana-secret.yaml 
@@ -13,4 +13,4 @@ data: username: {{ "admin" | b64enc }} # This might change on every `template` call, this can be ignored password: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "password" "providedValues" (list "monitoring.grafana.adminPassword") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml new file mode 100644 index 000000000..247a38254 --- /dev/null +++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml 
@@ -0,0 +1,17 @@
+{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled (or (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .)) (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .))) }}
+{{- $name := include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name }}
+ namespace: monitoring
+ labels: {{- include "common.labels.stable" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth-proxy
+ app.kubernetes.io/part-of: monitoring
+type: Opaque
+data:
+ # This might change on every `template` call, this can be ignored
+ cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookie-secret" "length" 32 "strong" true "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
+ client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+ client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
new file mode 100644
index 000000000..2dca7d36f
--- /dev/null
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
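Review bot: `providedValues (list "global.authentication.oauthProxy.cookieSecret")` offers operators a way to pin the cookie secret, but the `oauthProxy` object in this commit's values.schema.json hunk only permits `emailDomains` and `resources` with `additionalProperties: false`, so a values file setting `cookieSecret` fails schema validation and the value can only ever come from generation or from an existing Secret found by lookup. Either add `"cookieSecret": { "type": "string" }` to that schema object or drop the `providedValues` entry. `cookie-secret` is what oauth2-proxy uses to encrypt and sign its session cookie, so the copied `# This might change on every template call` comment should add that a changed value invalidates every active session. `client-id`/`client-secret` are rightly kept in this Secret rather than inlined in the HelmRelease values.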
@@ -0,0 +1,113 @@
+{{- if and .Values.global.authentication.config.clientId .Values.monitoring.prometheus.enabled }}
+{{- $backends := list -}}
+{{- if include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "prometheus" "context" .) -}}
+ {{- $backends = append $backends (dict "host" "prometheus" "port" 9090) -}}
+{{- end -}}
+{{- if and (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .)) false -}}
+ {{- $backends = append $backends (dict "host" "alertmanager" "port" 9093) -}}
+{{- end -}}
+{{- range $backend := $backends }}
+ {{- $host := $backend.host -}}
+ {{- $port := $backend.port -}}
+ {{- $targetServiceName := printf "%s-%s" (include "common.names.dependency.fullname" (dict "chartName" "kube-prometheus-stack" "chartValues" (dict) "context" (dict "Release" (dict "Name" "kube-prometheus-stack")))) $host -}}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cluster-{{ $host }}-oauth-proxy
+ namespace: monitoring
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth-proxy
+ app.kubernetes.io/part-of: prometheus
+spec:
+ chart:
+ spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
+ interval: 1h
+ values:
+ redis:
+ enabled: false
+ {{- if $.Values.global.imageRegistry }}
+ global:
+ imageRegistry: {{ $.Values.global.imageRegistry }}
+ {{- end }}
+ ingress:
+ enabled: true
+ hostname: {{ include (printf "base-cluster.%s.host" $host) $ }}
+ extraTls: |-
+ - hosts:
+ - {{ "{{ .Values.ingress.hostname }}" }}
+ secretName: cluster-wildcard-certificate
+ replicaCount: 2
+ pdb:
+ create: true
+ minAvailable: 1
+ maxUnavailable: ""
+ podSecurityContext:
+ enabled: true
+ containerSecurityContext:
+ enabled: true
+ resources: {{- toYaml $.Values.global.authentication.oauthProxy.resources | nindent 6 }}
+ configuration:
+ existingSecret: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
+ content: |-
+ provider = "oidc"
+ reverse_proxy = true
+ oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }}
+ skip_provider_button = true
+ {{- if $.Values.global.authentication.oauthProxy.emailDomains }}
+ email_domains = [ "{{ $.Values.global.authentication.oauthProxy.emailDomains | join "\", \"" }}" ]
+ {{- else }}
+ email_domains = "*"
+ {{- end }}
+ upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ]
+ podAnnotations:
+ # This might change on every `template` call, this can be ignored
+ checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml" "context" $) }}
+{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: cluster-{{ $host }}-oauth-proxy
+ namespace: monitoring
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth
+ app.kubernetes.io/part-of: prometheus
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: monitoring-cluster-{{ $host }}-oauth-proxy
+ ingress:
+ - fromRequires:
+ - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.ingressLabels "context" $) | nindent 12 }}
+ toPorts:
+ - ports:
+ - port: "4180"
+ protocol: TCP
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ app.kubernetes.io/name: {{ $host | quote }}
+ io.kubernetes.pod.namespace: monitoring
+ toPorts:
+ - ports:
+ - port: {{ $port | quote }}
+ protocol: TCP
+ - toFQDNs:
+ - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.dnsLabels "context" $) | nindent 12 }}
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/prometheus-operator.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/prometheus-operator.yaml
index b9a2d490e..5477db26e 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/prometheus-operator.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/prometheus-operator.yaml
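Review bot: The CiliumNetworkPolicy's DNS rule `rules: dns: - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}` narrows the previous `matchPattern: "*"` to the issuer only, yet the proxy must also resolve its upstream `{{ $targetServiceName }}` (a cluster-local service name); with Cilium's DNS proxy enforcing that rule, those lookups would be refused and every request through the proxy would fail, unless the name is resolved some other way. Add a second entry such as `- matchPattern: "*.monitoring.svc.cluster.local"` (adjust to the cluster domain) next to the issuer entry. `and (include "base-cluster.monitoring.authenticated-ingress.enabled" (dict "name" "alertmanager" "context" .)) false` disables the Alertmanager backend without explanation while `_alertmanager-config.yaml` still renders `externalUrl` under the same condition; a `{{/* TODO: alertmanager proxy disabled until <reason> */}}` comment would account for the dangling URL. With the default `emailDomains: []` the rendered `email_domains = "*"` admits every account known to the issuer, which is defensible for a dedicated OIDC client but should be stated in a comment above `oauthProxy.emailDomains` in values.yaml.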
@@ -30,111 +30,4 @@ spec: spec: automountServiceAccountToken: false values: {{- include "base-cluster.prometheus.config" . | nindent 4 }} - {{- if false }} # TODO ingress -{{/* {{- if empty .Values.monitoring.prometheus.authentication.enabled | ternary .Values.global.authentication.enabled .Values.monitoring.prometheus.authentication.enabled }}*/}} ---- - {{- $backends := list (dict "host" "prometheus" "port" 9090) (dict "host" "alertmanager" "port" 9093) -}} - {{- range $backend := $backends }} - {{- $host := $backend.host -}} - {{- $port := $backend.port -}} - {{- $targetServiceName := printf "%s-%s" (include "common.names.dependency.fullname" (dict "chartName" "kube-prometheus-stack" "chartValues" .Values.monitoring.prometheus.overrides "context" (dict "Release" (dict "Name" "kube-prometheus-stack")))) $host -}} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: cluster-{{ $host }}-oauth-proxy - namespace: monitoring - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: oauth - app.kubernetes.io/part-of: prometheus -spec: - chart: - spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }} - interval: 1h - values: - redis: - enabled: false - {{- if $.Values.global.imageRegistry }} - global: - imageRegistry: {{ $.Values.global.imageRegistry }} - {{- end }} - ingress: - enabled: true - hostname: {{ include (printf "base-cluster.%s.host" $host) $ }} - extraTls: |- - - hosts: - - {{ "{{ .Values.ingress.hostname }}" }} - secretName: cluster-wildcard-certificate - replicaCount: 2 - pdb: - create: true - minAvailable: 1 - maxUnavailable: "" - podSecurityContext: - enabled: true - containerSecurityContext: - enabled: true - resources: {{- toYaml $.Values.global.authentication.oauth.resources | nindent 6 }} - configuration: - clientID: {{ $.Values.global.authentication.config.clientId | quote }} - clientSecret: {{ 
$.Values.global.authentication.config.clientSecret | quote }} - cookieSecret: {{ $.Values.global.authentication.config.cookieSecret | quote }} - content: |- - provider = "oidc" - reverse_proxy = true - oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }} - skip_provider_button = true - email_domains = [ {{ $.Values.global.authentication.config.emailDomains | join "\", \"" | quote }} ] - upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ] -{{- if eq (include "common.networkPolicy.type" $) "cilium" }} ---- -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: cluster-{{ $host }}-oauth-proxy - namespace: monitoring - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: oauth - app.kubernetes.io/part-of: prometheus -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/instance: monitoring-cluster-{{ $host }}-oauth-proxy - ingress: - - fromRequires: - - matchLabels: - app.kubernetes.io/instance: ingress-traefik - app.kubernetes.io/name: traefik - io.kubernetes.pod.namespace: ingress - toPorts: - - ports: - - port: "4180" - protocol: TCP - egress: - - toEndpoints: - - matchLabels: - app.kubernetes.io/name: {{ $host | quote }} - io.kubernetes.pod.namespace: monitoring - toPorts: - - ports: - - port: {{ $port | quote }} - protocol: TCP - - toFQDNs: - - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }} - toPorts: - - ports: - - port: "443" - protocol: TCP - - toEndpoints: - - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.dnsLabels "context" $) | nindent 12 }} - toPorts: - - ports: - - port: "53" - protocol: UDP - rules: - dns: - - matchPattern: "*" -{{- end }} ---- -{{- end }} -{{- end }} {{- end }} 
diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json index 13b9871ee..88b64461f 100644 --- a/charts/base-cluster/values.schema.json +++ b/charts/base-cluster/values.schema.json @@ -135,6 +135,14 @@ "type": "string" }, "minProperties": 1 + }, + "ingressLabels": { + "type": "object", + "description": "The labels used to allow egress to the DNS service", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 } }, "additionalProperties": false @@ -259,6 +267,66 @@ "propertyNames": { "maxLength": 63 } + }, + "authentication": { + "type": "object", + "properties": { + "config": { + "type": "object", + "properties": { + "clientId": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "issuerHost": { + "type": "string" + }, + "issuerPath": { + "type": "string" + } + }, + "additionalProperties": false + }, + "grafana": { + "type": "object", + "properties": { + "roleAttributePath": { + "type": "string" + }, + "authenticationPath": { + "type": "string" + }, + "apiPath": { + "type": "string" + }, + "tokenPath": { + "type": "string" + } + }, + "description": "See https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configuration-options", + "additionalProperties": false + }, + "oauthProxy": { + "type": "object", + "properties": { + "emailDomains": { + "type": "array", + "additionalItems": { + "type": "string", + "$ref": "#/$defs/email" + } + }, + "resources": { + "type": "object", + "$ref": "#/$defs/resourceRequirements" + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false } }, "required": [ @@ -415,15 +483,6 @@ } }, "additionalProperties": false - }, - "authentication": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - }, - "additionalProperties": false } }, "additionalProperties": false 
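Review bot: The `ingressLabels` description `The labels used to allow egress to the DNS service` is copied from `dnsLabels`; in this commit the value feeds the `fromRequires` selector of the oauth-proxy CiliumNetworkPolicy, so it should read something like `"description": "Labels identifying the ingress-controller pods allowed to reach the oauth2-proxy (CiliumNetworkPolicy fromRequires)"`. A wrong description here is what operators will read when deciding which pods to admit.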
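Review bot: `emailDomains` uses `additionalItems` without a tuple-form `items`, so draft-7 validators ignore it and the array elements are never checked; moreover the `$ref: "#/$defs/email"` it carries (defined outside this hunk, presumably an e-mail address format) would reject a plain domain such as `example.com` if it were applied. Replace it with `"items": { "type": "string", "minLength": 1 }`. `clientSecret` as a plain string in values is only acceptable because the template copies it into a Secret; a `description` stating that the value is expected to come from a secrets overlay rather than the committed values file would help operators.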
@@ -693,10 +752,7 @@ "$ref": "#/$defs/resourceRequirements" }, "email": { - "type": [ - "string", - "null" - ], + "type": "string", "description": "Setting an email enables cert-manager's IngressShim and will be used for Let's Encrypt", "$ref": "#/$defs/email" }, @@ -930,10 +986,7 @@ "description": "Please don't do it if not absolutely necessary, it goes against all best practices. Ref.: https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-enable-snippets" }, "IP": { - "type": [ - "string", - "null" - ], + "type": "string", "pattern": "^((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}$", "description": "Try to use specified IP as loadbalancer IP" } @@ -1252,7 +1305,7 @@ }, "host": { "type": "string", - "description": "The subdomain to use under `.global.customerName`.`.global.baseDomain`" + "description": "The subdomain to use under `.global.clusterName`.`.global.baseDomain`" }, "customDomain": { "type": "string", diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml index 9cd42cad2..c75f38d48 100644 --- a/charts/base-cluster/values.yaml +++ b/charts/base-cluster/values.yaml @@ -77,6 +77,9 @@ global: metricsLabels: io.kubernetes.pod.namespace: monitoring app.kubernetes.io/name: prometheus + ingressLabels: + io.kubernetes.pod.namespace: ingress-nginx + app.kubernetes.io/name: ingress-nginx # it's important that the `url` is the first key and `charts` is right below, otherwise renovate won't detect it helmRepositories: prometheus: @@ -137,7 +140,7 @@ global: url: https://emberstack.github.io/helm-charts charts: reflector: 7.x - condition: '{{ eq (include "base-cluster.reflector.enabled" (dict "context" .)) "true" }}' + condition: '{{ include "base-cluster.reflector.enabled" (dict "context" .) }}' vmware: url: https://vmware-tanzu.github.io/helm-charts charts: 
@@ -148,6 +151,26 @@ global: charts: opentelemetry-collector: 0.x.x condition: "{{ and .Values.monitoring.tracing.enabled .Values.monitoring.prometheus.enabled }}" + authentication: + config: + clientId: "" + clientSecret: "" + issuerHost: "" + issuerPath: "" + grafana: + authenticationPath: /protocol/openid-connect/auth + apiPath: /protocol/openid-connect/userinfo + tokenPath: /protocol/openid-connect/token + roleAttributePath: Viewer + oauthProxy: + emailDomains: [] + resources: + limits: + cpu: 100m + memory: 32Mi + requests: + cpu: 10m + memory: 16Mi kyverno: enabled: false @@ -167,7 +190,6 @@ monitoring: customDomain: "" additionalDashboards: {} additionalPlugins: [] - config: {} notifiers: [] resources: requests: @@ -244,12 +266,10 @@ monitoring: cpu: "2" memory: 128Mi ingress: - enabled: false host: prometheus customDomain: "" alertmanager: ingress: - enabled: false host: alertmanager customDomain: "" replicas: 1 @@ -326,7 +346,6 @@ dns: provider: null certManager: - email: null resources: limits: cpu: 250m @@ -376,7 +395,6 @@ ingress: limits: cpu: 1 memory: 256Mi - IP: null storage: readWriteMany:
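Review bot: `roleAttributePath: Viewer` is evaluated by Grafana as a JMESPath expression, and a bare `Viewer` is an identifier lookup on the user-info document rather than the literal role, so it appears to resolve to null and the role falls back to Grafana's default assignment instead of being set explicitly; write the literal, `roleAttributePath: "'Viewer'"`, and the CI fixture `... || Viewer` has the same shape. `clientSecret: ""` as a committed default is fine, but a comment above `authentication:` should say that `clientSecret` is expected to be supplied from a values overlay or secret store, never in this file.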