feat: expose grafana and generate admin password (#237)

Tiltfile

@@ -102,6 +102,12 @@ if os.getenv('INITIUM_DEPLOY_MINIMAL', 'false') == 'false':
 
     # ===== Tilt local resources =====
 
+    local_resource(
+        'grafana-password',
+        cmd='kubectl get secret -n grafana grafana-initial-admin-secret -o jsonpath="{.data.admin-password}" | base64 -d; echo',
+        auto_init=False
+    )
+
     ## ArgoCD admin password
     local_resource(
         'argocd-password',

addons/dex/templates/virtual-service.yaml

@@ -1,3 +1,4 @@
+{{ if .Values.virtualService.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -14,3 +15,4 @@ spec:
         host: {{ .Values.virtualService.serviceName }}
         port:
           number: {{ .Values.virtualService.port }}
+{{ end }}

addons/dex/values.yaml

@@ -54,6 +54,7 @@ dex-source:
 #         key: client-secret
 
 virtualService:
+  enabled: false
   name: dex
   namespace: dex
   gateway: istio-ingress/kube-gateway

addons/grafana/templates/grafana-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-initial-admin-secret
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+data:
+  admin-user: {{ b64enc "admin" }}
+  admin-password: {{ randAlphaNum 20 | b64enc }}

addons/grafana/templates/virtual-service.yaml

@@ -1,3 +1,5 @@
+{{- $name := .Values.externalDomain | required ".Values.externalDomain is required." -}}
+---
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -7,7 +9,8 @@ spec:
   gateways:
   - {{ .Values.virtualService.gateway }}
   hosts:
-  - {{ .Values.virtualService.host }}
+  - {{ .Values.virtualService.internalHost  | quote }}
+  - {{ .Values.virtualService.name}}.{{ .Values.externalDomain }}
   http:
   - route:
     - destination:

addons/grafana/values.yaml

@@ -2,8 +2,15 @@ grafana-source:
   fullnameOverride: grafana
   rbac:
     pspEnabled: false
-  adminUser: admin
-  adminPassword: strongpassword
+  # adminUser: admin
+  # adminPassword: strongpassword
+  # Use an existing secret for the admin user.
+  admin:
+    ## Name of the secret. Can be templated.
+    existingSecret: grafana-initial-admin-secret
+    userKey: admin-user
+    passwordKey: admin-password
+
   plugins:
   - grafana-piechart-panel
 
@@ -38,6 +45,6 @@ virtualService:
   name: grafana
   namespace: grafana
   gateway: istio-ingress/kube-gateway
-  host: grafana.kube.local
+  internalHost: grafana.kube.local
   port: 80
   serviceName: grafana

addons/istio/ingressgateway/templates/gateway.yaml

@@ -7,6 +7,12 @@ spec:
   selector:
     istio: ingressgateway
   servers:
+  - hosts:
+    - "*.{{ .Values.externalDomain }}"
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
   - hosts:
     - {{ .Values.gateway.host | quote }}
     port:

addons/istio/ingressgateway/values.yaml

@@ -1,3 +1,4 @@
 gateway:
+  externalHost: "*.example.com"
   host: "*.kube.local"
   tlsCertName: wildcard.kube.local-tls

addons/knative/templates/serving.yaml

@@ -18,4 +18,4 @@ metadata:
   namespace: knative-serving
 data:
   # Use this base domain for knative apps
-  example.com: ""
+  {{ .Values.externalDomain }}: ""

addons/knative/values.yaml

@@ -1 +1,2 @@
 requestLogTemplate: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}'
+externalDomain: example.com

addons/kube-prometheus-stack/templates/virtual-service.yaml

@@ -0,0 +1,19 @@
+{{ if .Values.virtualService.enabled }}
+{{- $name := .Values.externalDomain | required ".Values.externalDomain is required." -}}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: {{ .Values.virtualService.name }}
+  namespace: {{ .Values.virtualService.namespace }}
+spec:
+  gateways:
+  - {{ .Values.virtualService.gateway }}
+  hosts:
+  - "{{ .Values.virtualService.name }}.{{ .Values.externalDomain }}"
+  http:
+  - route:
+    - destination:
+        host: {{ .Values.virtualService.serviceName }}
+        port:
+          number: {{ .Values.virtualService.port }}
+{{ end }}

addons/kube-prometheus-stack/values.yaml

@@ -1,3 +1,11 @@
+virtualService:
+  enabled: false
+  name: prometheus
+  namespace: prometheus
+  gateway: istio-ingress/kube-gateway
+  port: 9090
+  serviceName: kube-prometheus-stack-kube-prometheus
+
 kube-prometheus-stack-source:
   prometheus-node-exporter:
     hostRootFsMount:
@@ -7,46 +15,16 @@ kube-prometheus-stack-source:
   grafana:
     # external grafana app is used by default
     enabled: false
-    namespaceOverride: "grafana"
 
-    ## ForceDeployDatasources Create datasource configmap even if grafana deployment has been disabled
+    namespaceOverride: "grafana"
+    # ForceDeployDatasources Create datasource configmap even if grafana deployment has been disabled
     forceDeployDatasources: true
-
-    ## ForceDeployDashboard Create dashboard configmap even if grafana deployment has been disabled
+    # ForceDeployDashboard Create dashboard configmap even if grafana deployment has been disabled
     forceDeployDashboards: true
 
-    # Administrator credentials when not using an existing secret (see below)
-    adminUser: admin
-    # adminPassword: data-nest-pass-word
-
-    # Use an existing secret for the admin user.
-    # admin:
-    #   ## Name of the secret. Can be templated.
-    #   existingSecret: ""
-    #   userKey: admin-user
-    #   passwordKey: admin-password
-  #   rbac:
-  #     pspEnabled: false
-  # global:
-  #   rbac:
-  #     pspEnabled: false
-  # kube-state-metrics:
-  #   podSecurityPolicy:
-  #     enabled: false
   prometheus:
-    ingress:
-      enabled: false
-      ingressClassName: nginx
-      annotations:
-        # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-        # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-      hosts:
-        - "prometheus.local"
-      paths:
-        - "/"
-  prometheusSpec:
-    externalUrl: "prometheus.local/"
-    rotuePrefix: "/"
+    prometheusSpec:
+      enableRemoteWriteReceiver: true
   # Required to fix the out-of-sync issues on the this apps suite
   kubelet:
     serviceMonitor:

app-of-apps/templates/apps.yaml

@@ -1,5 +1,6 @@
 {{- range $name, $props := .Values.apps }}
 {{- with $props }}
+{{- $defaultPath := print "addons/" .name "/" -}}
 {{- if not $props.excluded }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -16,11 +17,14 @@ spec:
     namespace: {{ .targetNamespace | default "default" | quote }}
   project: default
   source:
-    path: {{ .path }}
+    path: {{ or .path $defaultPath }}
     repoURL: {{ $.Values.repoURL }}
     targetRevision: {{ coalesce .targetRevision $.Values.subChartsRevision "HEAD" | quote }}
-    {{- if .helmValues }}
     helm:
+      parameters:
+        - name: externalDomain
+          value: {{ $.Values.externalDomain }}
+    {{- if .helmValues }}
       values: |-
         {{- .helmValues | toYaml | nindent 8 }}
     {{- end}}

app-of-apps/values.yaml

@@ -4,32 +4,29 @@ spec:
     server: https://kubernetes.default.svc
 subChartsRevision: HEAD
 repoURL: https://github.com/nearform/initium-platform.git
+externalDomain: example.com
 apps:
   # ArgoCD - https://github.com/argoproj/argo-cd/
   argocd:
     name: argocd
-    path: addons/argocd/
     targetNamespace: argocd
     excluded: true
 
   # Cert-manager - https://cert-manager.io/
   cert-manager:
     name: cert-manager
-    path: addons/cert-manager/
     targetNamespace: cert-manager
     excluded: false
 
   # Dex - https://dexidp.io/
   dex:
     name: dex
-    path: addons/dex/
     targetNamespace: dex
 
   # Prometheus + Operator - https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
   # External grafana app needs to be deployed together with this stack
   kube-prometheus-stack:
     name: kube-prometheus-stack
-    path: addons/kube-prometheus-stack/
     targetNamespace: prometheus
     serverSideApply: true
 
@@ -54,19 +51,16 @@ apps:
   # Knative - https://knative.dev/
   knative:
     name: knative
-    path: addons/knative/
     targetNamespace: knative
 
   # OpenTelemetry - https://opentelemetry.io/
   opentelemetry-collector:
     name: opentelemetry-collector
-    path: addons/opentelemetry-collector/
     targetNamespace: opentelemetry
 
   # Grafana Loki - https://grafana.com/oss/loki/
   loki:
     name: loki
-    path: addons/loki/
     targetNamespace: loki
     ignoreDifferences:
       - group: apps
@@ -77,11 +71,14 @@ apps:
   # Grafana - https://grafana.com/oss/
   grafana:
     name: grafana
-    path: addons/grafana/
     targetNamespace: grafana
+    ignoreDifferences:
+      - group: v1
+        kind: Secret
+        jsonPointers:
+          - /data/admin-password
 
   # Kubernetes Replicator
   kubernetes-replicator-source:
     name: kubernetes-replicator
-    path: addons/kubernetes-replicator/
     targetNamespace: kubernetes-replicator

manifests/bootstrap/templates/app-of-apps.yaml

@@ -20,6 +20,8 @@ spec:
           value: {{ .Values.repoURL }}
         - name: subChartsRevision
           value: {{ .Values.revision }}
+        - name: externalDomain
+          value: {{ .Values.externalDomain }}
       {{- if .Values.apps }}
       values: |-
         apps:

manifests/bootstrap/values.yaml

@@ -1,2 +1,3 @@
 revision: HEAD
 repoURL: "https://github.com/nearform/initium-platform.git"
+externalDomain: example.com