Commit 3d1631dc authored by Dmytro Bogatov's avatar Dmytro Bogatov 💕

Implement grafana ingress and config.

parent 4a2cae90
......@@ -2,7 +2,7 @@
* Follow [this](https://typhoon.psdn.io/digital-ocean/) to create a working Kubernetes cluster.
* [Create docker pull secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
* Use [this](https://typhoon.psdn.io/addons/prometheus/) to set up Prometheus-Graphana.
* Use [this](https://typhoon.psdn.io/addons/prometheus/) to set up Prometheus-Grafana.
* Use [this](https://github.com/kubernetes/dashboard/wiki/Creating-sample-user) to get dashboard token.
* Either supply production SSL certificate (key and cert files), or [generate](https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs#generating-ssl-certificates) self signed files.
Make sure all domains are covered ([required](https://github.com/kubernetes/ingress-nginx/issues/616#issuecomment-359498659) by NGINX).
......
......@@ -80,7 +80,11 @@ sleep 30
cd $CWD
kubectl apply -f sources/namespace.yaml
echo "Creating namespaces"
kubectl create namespace websites
kubectl create namespace monitoring
kubectl create namespace ingress
echo "Deploying the registry secret"
......@@ -92,9 +96,9 @@ echo "Saving SSL certs"
# for websites
kubectl create --namespace=websites secret tls lets-encrypt --key $CERTDIRPATH/certificate.key --cert $CERTDIRPATH/certificate.crt
# for dashboard
kubectl create --namespace=kube-system secret tls lets-encrypt --key $CERTDIRPATH/certificate.key --cert $CERTDIRPATH/certificate.crt
kubectl create --namespace=monitoring secret tls lets-encrypt --key $CERTDIRPATH/certificate.key --cert $CERTDIRPATH/certificate.crt
kubectl create secret generic kubernetes-dashboard-certs --from-file=$CERTDIRPATH -n kube-system
# Deploy addons
......@@ -113,7 +117,6 @@ kubectl apply -R -f addons/cluo/
echo "Deploying prometheus"
kubectl apply -R -f addons/prometheus/ || true
kubectl apply -R -f addons/prometheus/
echo "Deploying graphana"
......@@ -126,7 +129,6 @@ kubectl apply -R -f addons/heapster/
echo "Deploying NGINX Ingress"
kubectl apply -R -f addons/nginx-ingress/digital-ocean/ || true
kubectl apply -R -f addons/nginx-ingress/digital-ocean/
echo "Deploying the websites"
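Review bot: The same private key is now replicated into three namespaces (`websites`, `kube-system`, `monitoring`) plus the `kubernetes-dashboard-certs` secret, and per the README this one certificate covers every domain — so any workload or service account that can `get secrets` in any of those namespaces obtains the key for all hosts, not just the one it serves. ingress-nginx does require the TLS secret in the Ingress's own namespace, so the copy into `monitoring` is unavoidable, but it is worth either issuing a separate certificate for `grafana.dbogatov.org` or confirming that nothing in `monitoring` besides the ingress path can read Secrets. Separately, `--from-file=$CERTDIRPATH` bundles every file in that directory into the dashboard secret; name the key and cert files explicitly (`--from-file=dashboard.crt=$CERTDIRPATH/certificate.crt --from-file=dashboard.key=$CERTDIRPATH/certificate.key`, or whatever names the dashboard expects) so stray CSRs or old keys are not shipped into `kube-system`. The script's earlier and later sections are outside these hunks.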
......
......@@ -30,7 +30,7 @@ spec:
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Admin
value: Viewer
ports:
- name: http
containerPort: 8080
......@@ -41,6 +41,22 @@ spec:
limits:
memory: 200Mi
cpu: 200m
- name: grafana-watcher
image: quay.io/coreos/grafana-watcher:v0.0.8
args:
- '--watch-dir=/etc/grafana/dashboards'
- '--grafana-url=http://localhost:8080'
resources:
requests:
memory: "16Mi"
cpu: "50m"
limits:
memory: "32Mi"
cpu: "100m"
volumeMounts:
- name: dashboards
mountPath: /etc/grafana/dashboards
volumes:
- name: grafana-storage
emptyDir: {}
- name: dashboards
configMap:
name: grafana-dashboards
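Review bot: Changing the anonymous org role to `value: Viewer` will most likely break the `grafana-watcher` sidecar added in the same hunk: the watcher pushes dashboards to `--grafana-url=http://localhost:8080` with no credentials visible anywhere in the container spec, and the previous `Admin` anonymous role appears to be what let those unauthenticated import calls succeed. Rather than reverting to `Admin`, give the watcher real credentials — grafana-watcher accepts them embedded in the URL, so something like `--grafana-url=http://$(GRAFANA_USER):$(GRAFANA_PASSWORD)@localhost:8080` with both values sourced from a Secret via `valueFrom.secretKeyRef` — and keep anonymous at `Viewer`. Note also that with the public Ingress introduced by this commit, anonymous `Viewer` still means any internet user can read every dashboard; if that is not intended, set `GF_AUTH_ANONYMOUS_ENABLED` to `"false"`. The grafana container's env block and the pod spec begin above this hunk.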
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: grafana-dbogatov-org
namespace: monitoring
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- grafana.dbogatov.org
secretName: lets-encrypt
rules:
- host: "grafana.dbogatov.org"
http:
paths:
- path: /
backend:
serviceName: grafana
servicePort: 80
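Review bot: This Ingress publishes Grafana on the `public` ingress class with no authentication layer in front of it, and the Grafana deployment in this commit leaves anonymous access enabled — so every dashboard (node and pod names, resource usage, the apiserver scrape data) becomes world-readable over TLS. If that is not the intent, add an auth annotation here (e.g. `nginx.ingress.kubernetes.io/auth-type: basic` with `nginx.ingress.kubernetes.io/auth-secret`) or restrict with `nginx.ingress.kubernetes.io/whitelist-source-range`, or turn anonymous off in Grafana. The `ingress.kubernetes.io/` annotation prefix used for the redirect annotations is the legacy form; newer ingress-nginx releases only honour `nginx.ingress.kubernetes.io/`, so verify against the deployed controller version — though with a `tls` block present the controller redirects HTTP to HTTPS by default, so the annotations are belt-and-braces either way.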
......@@ -39,7 +39,7 @@ data:
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Using endpoints to discover kube-apiserver targets finds the pod IP
# (host IP since apiserver is uses host network) which is not used in
# (host IP since apiserver uses host network) which is not used in
# the server certificate.
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
......@@ -51,6 +51,9 @@ data:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: default;kubernetes;https
- replacement: apiserver
action: replace
target_label: job
# Scrape config for node (i.e. kubelet) /metrics (e.g. 'kubelet_'). Explore
# metrics from a node by scraping kubelet (127.0.0.1:10255/metrics).
......@@ -59,7 +62,7 @@ data:
# Kubernetes apiserver. This means it will work if Prometheus is running out of
# cluster, or can't connect to nodes for some other reason (e.g. because of
# firewalling).
- job_name: 'kubernetes-nodes'
- job_name: 'kubelet'
kubernetes_sd_configs:
- role: node
......@@ -149,7 +152,7 @@ data:
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
target_label: job
# Example scrape config for probing services via the Blackbox Exporter.
#
......@@ -181,7 +184,7 @@ data:
- source_labels: [__meta_kubernetes_namespace]
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
target_label: kubernetes_name
target_label: job
# Example scrape config for pods
#
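Review bot: Setting `job` directly from `__meta_kubernetes_service_name` (both new `target_label: job` relabels) means two annotated services with the same name in different namespaces collapse into a single job and their series become indistinguishable. If `job` is meant to identify the target uniquely, derive it from namespace and name together — `source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name]` with `separator: /` — or keep `kubernetes_name` as a separate label alongside the new `job`. While the apiserver scrape config is being touched: `insecure_skip_verify: true` remains, and the comment explains why, but the same endpoints discovery can be pointed at `kubernetes.default.svc:443` via a `__address__` replace relabel so the service-account CA actually validates the apiserver certificate. The `scrape_configs` list continues outside these hunks.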
......
......@@ -14,9 +14,10 @@ spec:
name: prometheus
phase: prod
spec:
serviceAccountName: prometheus
containers:
- name: prometheus
image: quay.io/prometheus/prometheus:v2.0.0
image: quay.io/prometheus/prometheus:v2.1.0
args:
- '--config.file=/etc/prometheus/prometheus.yaml'
ports:
......
......@@ -35,4 +35,3 @@ rules:
resources:
- horizontalpodautoscalers
verbs: ["list", "watch"]
......@@ -54,8 +54,8 @@ spec:
- /pod_nanny
- --container=kube-state-metrics
- --cpu=100m
- --extra-cpu=1m
- --memory=100Mi
- --extra-memory=2Mi
- --extra-cpu=2m
- --memory=150Mi
- --extra-memory=30Mi
- --threshold=5
- --deployment=kube-state-metrics
......@@ -18,11 +18,15 @@ spec:
name: node-exporter
phase: prod
spec:
serviceAccountName: node-exporter
securityContext:
runAsNonRoot: true
runAsUser: 65534
hostNetwork: true
hostPID: true
containers:
- name: node-exporter
image: quay.io/prometheus/node-exporter:v0.15.0
image: quay.io/prometheus/node-exporter:v0.15.2
args:
- "--path.procfs=/host/proc"
- "--path.sysfs=/host/sys"
......@@ -45,9 +49,8 @@ spec:
mountPath: /host/sys
readOnly: true
tolerations:
- key: node-role.kubernetes.io/master
- effect: NoSchedule
operator: Exists
effect: NoSchedule
volumes:
- name: proc
hostPath:
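Review bot: The rewritten toleration (`- effect: NoSchedule` / `operator: Exists`) now matches every NoSchedule taint rather than only `node-role.kubernetes.io/master`, so this hostNetwork/hostPID daemonset will be placed on any tainted node, including pools deliberately isolated for other workloads. That is the conventional choice for a node exporter, but it is a silent widening and deserves a comment: `# tolerate every NoSchedule taint so masters and dedicated node pools are scraped too`. The new pod-level `runAsNonRoot: true` / `runAsUser: 65534` is a good addition; since the proc and sys mounts are already `readOnly: true`, consider also `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` in a container-level securityContext. The container spec continues past the hunk, so I cannot see whether one already exists.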
......
apiVersion: v1
kind: ServiceAccount
metadata:
name: node-exporter
namespace: monitoring
......@@ -8,5 +8,5 @@ roleRef:
name: prometheus
subjects:
- kind: ServiceAccount
name: default
name: prometheus
namespace: monitoring
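Review bot: Moving the subject from the `default` service account to the dedicated `prometheus` one is the right least-privilege direction, but the `default` SA in `monitoring` is still auto-mounted into every pod in the namespace that does not set `serviceAccountName` — which, from the visible part of the Grafana hunk in this commit, seems to include the publicly reachable Grafana pod. Nothing here sets `automountServiceAccountToken: false` on that pod or on the `default` SA; consider adding it to the Grafana pod spec, since Grafana needs no Kubernetes API access. The `roleRef` starts above this hunk, so I cannot confirm which Role/ClusterRole `prometheus` now grants.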
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
namespace: monitoring
......@@ -11,5 +11,3 @@ CWD=$(pwd)
source ./.secret.sh
curl -s -X PUT -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://box.dbogatov.org/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/TXT
sleep 1
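Review bot: `--user $EMAIL:$PASSWORD` places the DNS admin password on curl's command line, where it is readable via `ps`/`/proc` for the duration of the request, and the unquoted expansion splits on whitespace; pass the credentials through a netrc file (`--netrc-file`) or a curl config file (`-K`) instead, and at minimum quote it: `--user "$EMAIL:$PASSWORD"`. The call also runs with `-s` and no `--fail`, so a 4xx/5xx from the DNS API is swallowed and certbot proceeds to a validation that cannot succeed; `curl -sSf ...` makes the hook exit non-zero and still prints the error. The hunk header shows two lines removed but the rendering does not say which; if the propagation `sleep` was among them, confirm the DNS backend applies the TXT record synchronously before certbot's ACME check runs. The hook's earlier lines are outside the hunk.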
......@@ -14,6 +14,14 @@ DOMAINS["vpn.dbogatov.org"]=false
DOMAINS["apt.dbogatov.org"]=false
DOMAINS["dashboard.dbogatov.org"]=false
DOMAINS["cluster.dbogatov.org"]=false
DOMAINS["grafana.dbogatov.org"]=false
DOMAINS["git.dbogatov.org"]=false
DOMAINS["pages.dbogatov.org"]=false
DOMAINS["mattermost.dbogatov.org"]=false
DOMAINS["minecraft.dbogatov.org"]=false
DOMAINS["ci.dbogatov.org"]=false
DOMAINS["registry.dbogatov.org"]=false
DOMAINS["bogatov.kiev.ua"]=true
DOMAINS["blog.bogatov.kiev.ua"]=false
......