🔍️ Add preconfigured monitoring via Prometheus and Grafana

Author: ndebuhr

.github/workflows/build.yml

@@ -34,9 +34,9 @@ jobs:
       uses: docker/build-push-action@v2
       with:
         context: ./docker
-        file: ./docker/DockerfileKeycloakSeeding
+        file: ./docker/DockerfileInitializers
         push: false
-        tags: ndebuhr/cloud-native-workstation-keycloak-seeding:latest
+        tags: ndebuhr/cloud-native-workstation-initializers:latest
 
     - name: build novnc image
       uses: docker/build-push-action@v2

.github/workflows/publish.yml

@@ -41,19 +41,19 @@ jobs:
         push: true
         tags: ${{ steps.meta-code-server.outputs.tags }}
 
-    - name: meta for keycloak seeding image
-      id: meta-keycloak-seeding
+    - name: meta for initializers image
+      id: meta-initializers
       uses: docker/metadata-action@v3
       with:
-        images: ndebuhr/cloud-native-workstation-keycloak-seeding
+        images: ndebuhr/cloud-native-workstation-initializers
 
-    - name: build and push keycloak seeding image
+    - name: build and push initializers image
       uses: docker/build-push-action@v2
       with:
         context: ./docker
-        file: ./docker/DockerfileKeycloakSeeding
+        file: ./docker/DockerfileInitializers
         push: true
-        tags: ${{ steps.meta-keycloak-seeding.outputs.tags }}
+        tags: ${{ steps.meta-initializers.outputs.tags }}
 
     - name: meta for novnc image
       id: meta-novnc

README.md

@@ -178,10 +178,10 @@ REPO=us.gcr.io/my-project/my-repo  # for example
 # Build and push images
 cd docker
 docker build --file DockerfileCodeServer --tag $REPO/cloud-native-workstation-code-server:latest .
-docker build --file DockerfileKeycloakSeeding --tag $REPO/cloud-native-workstation-keycloak-seeding:latest .
+docker build --file DockerfileInitializers --tag $REPO/cloud-native-workstation-initializers:latest .
 docker build --file DockerfileNovnc --tag $REPO/cloud-native-workstation-novnc:latest .
 docker push $REPO/cloud-native-workstation-code-server:latest
-docker push $REPO/cloud-native-workstation-keycloak-seeding:latest
+docker push $REPO/cloud-native-workstation-initializers:latest
 docker push $REPO/cloud-native-workstation-novnc:latest
 cd ..
 ```

docker/DockerfileKeycloakSeeding docker/DockerfileInitializersdocker/DockerfileKeycloakSeeding renamed to docker/DockerfileInitializers

@@ -0,0 +1,124 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: grafana-init
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: grafana-init
+spec:
+  template:
+    metadata:
+      labels:
+        app: grafana-init
+    spec:
+      {{ toYaml .Values.podDefaults | nindent 6 }}
+      containers:
+      - name: seed
+        image: {{ .Values.docker.registry }}/cloud-native-workstation-initializers:{{ .Values.docker.tag }}
+        imagePullPolicy: Always
+        command: ["/bin/bash", "-c"]
+        args:
+        - |
+          /opt/seed.sh || exit $?
+        env:
+        - name: USERNAME
+          value: {{ .Values.authentication.username }}
+        - name: PASSWORD
+          value: {{ .Values.authentication.password }}
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        resources: {{- toYaml .Values.components.initializers.resources | nindent 10 }}
+        volumeMounts:
+        - name: grafana-seed-sh
+          mountPath: /opt/seed.sh
+          subPath: seed.sh
+      volumes:
+      - name: grafana-seed-sh
+        configMap:
+          name: grafana-seed-sh
+          defaultMode: 0555
+      restartPolicy: Never
+  backoffLimit: 32
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-seed-sh
+  namespace: {{ .Values.namespace }}
+data:
+  seed.sh: |
+    #!/bin/bash
+    # https://community.grafana.com/t/is-there-an-equivalent-http-api-to-import-a-dashboard-from-grafana-com/9581/2
+    grafana_host="http://grafana:3030"
+    grafana_cred="$USERNAME:$PASSWORD"
+    grafana_datasource="Prometheus"
+
+    paths=(dashboards/prometheus_stats.json dashboards/prometheus_2_stats.json dashboards/grafana_stats.json )
+    for path in "${paths[@]}"; do
+      echo "Processing $path: "
+      curl -s -k -u "$grafana_cred" -XPOST -H "Accept: application/json" \
+        -H "Content-Type: application/json" \
+        -d "{
+          \"overwrite\":true, \
+          \"pluginId\":\"prometheus\", \
+          \"path\":\"$path\",
+          \"inputs\":[{ \
+            \"name\":\"*\", \
+            \"type\":\"datasource\", \
+            \"pluginId\":\"prometheus\", \
+            \"value\":\"$grafana_datasource\" \
+          }] \
+          }" \
+        $grafana_host/api/dashboards/import || exit $?
+      echo ""
+    done
+
+    ds=(13332 )
+    for d in "${ds[@]}"; do
+      echo "Processing $d: "
+      j=$(curl -s -k -u "$grafana_cred" $grafana_host/api/gnet/dashboards/$d | jq .json)
+      curl -s -k -u "$grafana_cred" -XPOST -H "Accept: application/json" \
+        -H "Content-Type: application/json" \
+        -d "{ \
+          \"dashboard\":$j, \
+          \"overwrite\":true, \
+          \"inputs\":[ \
+            { \
+              \"name\":\"DS_PROMETHEUS\", \
+              \"type\":\"datasource\", \
+              \"pluginId\":\"prometheus\", \
+              \"value\":\"$grafana_datasource\" \
+            }, \
+            { \
+              \"name\":\"VAR_DATASOURCE\", \
+              \"type\":\"constant\", \
+              \"value\":\"$grafana_datasource\" \
+            } \
+          ] \
+        }" \
+        $grafana_host/api/dashboards/import; echo ""
+    done
+{{- if eq .Values.policies.enabled true }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: grafana-init
+  namespace: cloud-native-workstation
+spec:
+  podSelector:
+    matchLabels:
+      app: grafana-init
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - {}
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: grafana
+{{- end }}

helm/templates/grafana-seeding.yaml

@@ -0,0 +1,134 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: grafana
+  name: grafana
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grafana
+  template:
+    metadata:
+      labels:
+        app: grafana
+    spec:
+      {{ toYaml .Values.podDefaults | nindent 6 }}
+      initContainers:
+      - name: take-data-dir-ownership
+        image: alpine:3.6
+        # Give `grafana` user (id 472) permissions a mounted volume
+        # https://github.com/grafana/grafana-docker/blob/master/Dockerfile
+        command:
+        - chown
+        - -R
+        - 472:472
+        - /var/lib/grafana
+        resources: {{- toYaml .Values.components.grafana.resources | nindent 10 }}
+        volumeMounts:
+        - name: grafana-storage
+          mountPath: /var/lib/grafana
+      containers:
+      - name: grafana
+        image: grafana/grafana:8.1.1
+        ports:
+        - containerPort: 3000
+        env:
+        - name: GF_SERVER_HTTP_PORT
+          value: "3000"
+        - name: GF_SECURITY_ADMIN_USER
+          value: {{ .Values.authentication.username }}
+        - name: GF_SECURITY_ADMIN_PASSWORD
+          value: {{ .Values.authentication.password }}
+        - name: GF_INSTALL_PLUGINS
+          value: "grafana-kubernetes-app"
+        resources: {{- toYaml .Values.components.grafana.resources | nindent 10 }}
+        volumeMounts:
+        - name: grafana-storage
+          mountPath: /var/lib/grafana
+        - name: prometheus-data-source
+          mountPath: /etc/grafana/provisioning/datasources/prometheus.yml
+          subPath: prometheus.yml
+      volumes:
+      - name: grafana-storage
+        persistentVolumeClaim:
+          claimName: grafana-storage-pvc
+      - name: prometheus-data-source
+        configMap:
+          name: prometheus-data-source-v1
+          defaultMode: 0444
+status: {}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grafana-storage-pvc
+  labels:
+    app: grafana
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 16Gi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: prometheus-data-source-v1
+data:
+  prometheus.yml: |
+    apiVersion: 1
+    datasources:
+    - name: Prometheus
+      type: prometheus
+      access: proxy
+      url: http://prometheus:9090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+spec:
+  type: ClusterIP
+  ports:
+  - port: 3030
+    targetPort: 3000
+  selector:
+    app: grafana
+{{- if eq .Values.policies.enabled true }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: grafana
+  namespace: cloud-native-workstation
+spec:
+  podSelector:
+    matchLabels:
+      app: grafana
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+    - podSelector:
+        matchLabels:
+          app: grafana-init
+    - podSelector:
+        matchLabels:
+          app: prometheus
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: prometheus
+    - ipBlock:
+        # grafana.com
+        cidr: 34.120.177.193/0
+{{- end }}

helm/templates/grafana.yaml

@@ -15,7 +15,7 @@ spec:
       {{ toYaml .Values.podDefaults | nindent 6 }}
       initContainers:
       - name: master-keycloak-init
-        image: {{ .Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ .Values.docker.tag }}
+        image: {{ .Values.docker.registry }}/cloud-native-workstation-initializers:{{ .Values.docker.tag }}
         imagePullPolicy: Always
         command: ["/bin/bash", "-c"]
         args:
@@ -29,7 +29,7 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-        resources: {{- toYaml .Values.components.keycloak.init.resources | nindent 10 }}
+        resources: {{- toYaml .Values.components.initializers.resources | nindent 10 }}
         volumeMounts:
         - name: master-sh
           mountPath: /opt/master.sh
@@ -38,7 +38,7 @@ spec:
           mountPath: /etc/master.json
           subPath: master.json
       - name: client-scopes-keycloak-init
-        image: {{ .Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ .Values.docker.tag }}
+        image: {{ .Values.docker.registry }}/cloud-native-workstation-initializers:{{ .Values.docker.tag }}
         imagePullPolicy: Always
         command: ["/bin/bash", "-c"]
         args:
@@ -52,7 +52,7 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-        resources: {{- toYaml .Values.components.keycloak.init.resources | nindent 10 }}
+        resources: {{- toYaml .Values.components.initializers.resources | nindent 10 }}
         volumeMounts:
         - name: client-scopes-sh
           mountPath: /opt/client-scopes.sh
@@ -63,7 +63,7 @@ spec:
 {{- $root := . }}
 {{- range .Values.access }}
       - name: {{ .name }}-keycloak-init
-        image: {{ $root.Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ $root.Values.docker.tag }}
+        image: {{ $root.Values.docker.registry }}/cloud-native-workstation-initializers:{{ $root.Values.docker.tag }}
         imagePullPolicy: Always
         command: ["/bin/bash", "-c"]
         args:
@@ -76,7 +76,7 @@ spec:
           value: {{ $root.Values.authentication.username }}
         - name: PASSWORD
           value: {{ $root.Values.authentication.password }}
-        resources: {{- toYaml $root.Values.components.keycloak.init.resources | nindent 10 }}
+        resources: {{- toYaml $root.Values.components.initializers.resources | nindent 10 }}
         securityContext:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
@@ -99,12 +99,12 @@ spec:
 {{- end }}
       containers:
       - name: verify
-        image: {{ $root.Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ $root.Values.docker.tag }}
+        image: {{ $root.Values.docker.registry }}/cloud-native-workstation-initializers:{{ $root.Values.docker.tag }}
         command: ["/bin/bash", "-c"]
         args:
         - |
           curl http://keycloak:8080
-        resources: {{- toYaml .Values.components.keycloak.init.resources | nindent 10 }}
+        resources: {{- toYaml .Values.components.initializers.resources | nindent 10 }}
       volumes:
       - name: master-sh
         configMap: