feat: Adds prometheus and grafana stack for monitoring

apps/appsets/argocd-operators-project.yaml

@@ -20,6 +20,11 @@ spec:
     server: '*'
   - namespace: 'rook-ceph'
     server: '*'
+  - namespace: 'monitoring'
+    server: '*'
+  # kube-system is used by kube-prometheus-stack
+  - namespace: 'kube-system'
+    server: '*'
   clusterResourceWhitelist:
   - group: '*'
     kind: '*'

apps/appsets/operators.yaml

@@ -69,6 +69,26 @@ spec:
                     - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}'
                       targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}'
                       path: 'operators/rabbitmq-system'
+                - component: monitoring
+                  componentNamespace: monitoring
+                  skipComponent: '{{has "monitoring" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}'
+                  sources:
+                    - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}'
+                      targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}'
+                      path: 'operators/monitoring'
+                      ref: understack
+                    - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}'
+                      targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}'
+                      ref: deploy
+                    - repoURL: https://prometheus-community.github.io/helm-charts
+                      chart: kube-prometheus-stack
+                      targetRevision: 62.6.0
+                      helm:
+                        releaseName: kube-prometheus-stack
+                        valueFiles:
+                          - $understack/operators/monitoring/values.yaml
+                          - $deploy/helm-configs/{{.name}}/monitoring.yaml
+                        ignoreMissingValueFiles: true
             selector:
               # by setting the key in the elements 'skipComponent' to 'true' it will skip installing it
               # ArgoCD's templating operates with strings so it's the string "true"

components/dex/secretstore-dex.yaml

@@ -29,6 +29,7 @@ rules:
   - argocd-sso
   - nautobot-sso
   - keystone-sso
+  - grafana-sso
 - apiGroups:
   - authorization.k8s.io
   resources:

components/dex/values.yaml

@@ -54,6 +54,11 @@ config:
       name: "OpenStack Keystone"
       redirectURIs:
         - "https://keystone.$DNS_ZONE/redirect_uri"
+    - id: grafana
+      secretEnv: GRAFANA_SSO_CLIENT_SECRET
+      name: "Undercloud Grafana"
+      redirectURIs:
+        - "https://grafana.$DNS_ZONE/login/generic_oauth"
 
 envVars:
   - name: NAUTOBOT_SSO_CLIENT_SECRET
@@ -100,3 +105,8 @@ envVars:
         name: oidc-sso
         key: redirect-uri
         optional: true
+  - name: GRAFANA_SSO_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: grafana-sso
+        key: client-secret

docs/user-guide/monitoring.md

@@ -0,0 +1,7 @@
+# Monitoring Stack
+
+UnderStack uses the `kube-prometheus-stack` which is a prometheus + grafana monitoring stack
+
+<https://github.com/prometheus-operator/kube-prometheus>
+
+It uses the namespace: `monitoring`

mkdocs.yml

@@ -126,4 +126,5 @@ nav:
     - user-guide/rabbitmq-cheat-sheet.md
     - user-guide/mariadb-operator-cheat-sheet.md
     - user-guide/postgres-operator-cheat-sheet.md
+    - user-guide/monitoring.md
   - Workflows: workflows/

operators/monitoring/README.md

@@ -0,0 +1,3 @@
+# kube-prometheus-stack for monitoring
+
+Read more in the docs: <https://rackerlabs.github.io/understack/user-guide/monitoring/>

operators/monitoring/external-secret-grafana-sso.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-sso
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: dex
+  target:
+    name: grafana-sso
+    creationPolicy: Owner
+    deletionPolicy: Delete
+  dataFrom:
+    - extract:
+        key: grafana-sso
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None

operators/monitoring/values.tpl.yaml

@@ -0,0 +1,39 @@
+grafana:
+  envValueFrom:
+    GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
+      secretKeyRef:
+        name: grafana-sso
+        key: client-id
+    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
+      secretKeyRef:
+        name: grafana-sso
+        key: client-secret
+    GF_AUTH_GENERIC_OAUTH_ISSUER:
+      secretKeyRef:
+        name: grafana-sso
+        key: issuer
+  grafana.ini:
+    auth.generic_oauth:
+      name: Dex
+      enabled: true
+      client_id: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID}
+      client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
+      scopes: openid email profile groups offline_access
+      auth_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/auth
+      token_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/token
+      api_url: $__env{GF_AUTH_GENERIC_OAUTH_ISSUER}/userinfo
+    server:
+      root_url: https://%(domain)s
+
+  ingress:
+    enabled: true
+    ingressClassName: "nginx"
+    hosts:
+      - grafana.${DNS_ZONE}
+    tls:
+      - hosts:
+          - grafana.${DNS_ZONE}
+        secretName: grafana-ingress-tls
+    annotations:
+      nginx.ingress.kubernetes.io/rewrite-target: /
+      cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer

scripts/gitops-secrets-gen.sh

@@ -215,7 +215,7 @@ echo "Checking dex"
 ## Dex based SSO Auth. Client Configurations
 mkdir -p "${DEST_DIR}/dex/"
 # clients generated are in the list below
-for client in nautobot argo argocd keystone; do
+for client in nautobot argo argocd keystone grafana; do
     if [ ! -f "${DEST_DIR}/dex/secret-${client}-sso-dex.yaml" ]; then
         SSO_SECRET=$("${SCRIPTS_DIR}/pwgen.sh")
         kubectl --namespace dex \