diff --git a/grafana-operator/base/instance/grafana-proxy-rbac.yaml b/grafana-operator/base/instance/grafana-proxy-rbac.yaml index 02735edd..223393be 100644 --- a/grafana-operator/base/instance/grafana-proxy-rbac.yaml +++ b/grafana-operator/base/instance/grafana-proxy-rbac.yaml @@ -4,18 +4,18 @@ kind: ClusterRole metadata: name: grafana-proxy rules: - - apiGroups: + - verbs: + - create + apiGroups: - authentication.k8s.io resources: - tokenreviews - verbs: + - verbs: - create - - apiGroups: + apiGroups: - authorization.k8s.io resources: - subjectaccessreviews - verbs: - - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -27,4 +27,4 @@ roleRef: name: grafana-proxy subjects: - kind: ServiceAccount - name: grafana-serviceaccount + name: grafana-sa diff --git a/grafana-operator/base/instance/grafana.yaml b/grafana-operator/base/instance/grafana.yaml index dbcb2e47..7aafc4ba 100644 --- a/grafana-operator/base/instance/grafana.yaml +++ b/grafana-operator/base/instance/grafana.yaml 
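Review bot: The renamed subject on the new side of the second hunk (`name: grafana-sa`) is bound through a `RoleBinding`, yet the `grafana-proxy` ClusterRole it references grants only `create` on `tokenreviews` and `subjectaccessreviews`, which are cluster-scoped resources; a namespaced RoleBinding does not authorize cluster-scoped requests, so the proxy's token/SAR delegation only works here if some other binding on `grafana-sa` supplies it. If this binding is meant to be the grant, change it to `kind: ClusterRoleBinding` with `subjects[0].namespace` set (the user-app-example overlay already patches that namespace in), so the permission is explicit rather than implicit. The rule reordering in the first hunk is behavior-neutral and needs nothing.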
@@ -1,74 +1,101 @@ -apiVersion: integreatly.org/v1alpha1 +apiVersion: grafana.integreatly.org/v1beta1 kind: Grafana metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "1" name: grafana + labels: + instance: "grafana" spec: + serviceAccount: + metadata: + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana-route"}}' + route: + spec: + port: + targetPort: https + tls: + termination: reencrypt + to: + kind: Service + name: grafana-service + weight: 100 + wildcardPolicy: None + deployment: + spec: + template: + spec: + volumes: + - name: grafana-tls + secret: + secretName: grafana-tls + - name: grafana-proxy + secret: + secretName: grafana-proxy + - name: ocp-injected-certs + configMap: + name: ocp-injected-certs + containers: + - args: + - '-provider=openshift' + - '-pass-basic-auth=false' + - '-https-address=:9091' + - '-http-address=' + - '-email-domain=*' + - '-upstream=http://localhost:3000' + - '-openshift-sar={"resource": "namespaces", "verb": "get"}' + - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get"}}' + - '-tls-cert=/etc/tls/private/tls.crt' + - '-tls-key=/etc/tls/private/tls.key' + - '-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token' + - '-cookie-secret-file=/etc/proxy/secrets/session_secret' + - '-openshift-service-account=grafana-sa' + - '-openshift-ca=/etc/pki/tls/cert.pem' + - '-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' + - '-openshift-ca=/etc/proxy/certs/ca-bundle.crt' + - '-skip-auth-regex=^/metrics' + image: 'quay.io/openshift/origin-oauth-proxy' + name: grafana-proxy + ports: + - containerPort: 9091 + name: https + resources: { } + volumeMounts: + - mountPath: /etc/tls/private + name: grafana-tls + readOnly: false + - mountPath: /etc/proxy/secrets + name: grafana-proxy + readOnly: false 
+ - mountPath: /etc/proxy/certs + name: ocp-injected-certs + readOnly: false + service: + metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: grafana-tls + spec: + ports: + - name: https + port: 9091 + protocol: TCP + targetPort: https + client: + preferIngress: false config: log: mode: "console" - level: "warn" + auth.anonymous: + enabled: "True" auth: - disable_login_form: false - disable_signout_menu: true + disable_login_form: "False" + disable_signout_menu: "True" auth.basic: - enabled: true - auth.anonymous: - enabled: true - containers: - - env: - - name: SAR - value: '-openshift-sar={"resource": "namespaces", "verb": "get"}' - args: - - '-provider=openshift' - - '-pass-basic-auth=false' - - '-https-address=:9091' - - '-http-address=' - - '-email-domain=*' - - '-upstream=http://localhost:3000' - - "$(SAR)" - - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get"}}' - - '-tls-cert=/etc/tls/private/tls.crt' - - '-tls-key=/etc/tls/private/tls.key' - - '-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token' - - '-cookie-secret-file=/etc/proxy/secrets/session_secret' - - '-openshift-service-account=grafana-serviceaccount' - - '-openshift-ca=/etc/pki/tls/cert.pem' - - '-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' - - '-skip-auth-regex=^/metrics' - image: 'registry.redhat.io/openshift4/ose-oauth-proxy:v4.6' - imagePullPolicy: Always - name: grafana-proxy - ports: - - containerPort: 9091 - name: grafana-proxy - resources: {} - volumeMounts: - - mountPath: /etc/tls/private - name: secret-grafana-k8s-tls - readOnly: false - - mountPath: /etc/proxy/secrets - name: secret-grafana-k8s-proxy - readOnly: false - secrets: - - grafana-k8s-tls - - grafana-k8s-proxy - service: - ports: - - name: grafana-proxy - port: 9091 - protocol: TCP - targetPort: grafana-proxy - annotations: - service.alpha.openshift.io/serving-cert-secret-name: grafana-k8s-tls - ingress: - enabled: true - targetPort: 
grafana-proxy - termination: reencrypt - client: - preferService: true - serviceAccount: - annotations: - serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana-route"}}' - dashboardLabelSelector: - - matchExpressions: - - { key: "app", operator: In, values: ['grafana'] } + enabled: "True" + auth.proxy: + enabled: "True" + enable_login_token: "True" + header_property: "username" + header_name: "X-Forwarded-User" diff --git a/grafana-operator/base/instance/injected-certs-cm.yaml b/grafana-operator/base/instance/injected-certs-cm.yaml new file mode 100644 index 00000000..8a1bf5f7 --- /dev/null +++ b/grafana-operator/base/instance/injected-certs-cm.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + config.openshift.io/inject-trusted-cabundle: "true" + name: ocp-injected-certs diff --git a/grafana-operator/base/instance/kustomization.yaml b/grafana-operator/base/instance/kustomization.yaml index 061dc458..4364c3f3 100644 --- a/grafana-operator/base/instance/kustomization.yaml +++ b/grafana-operator/base/instance/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization resources: - session-secret.yaml + - injected-certs-cm.yaml - grafana-proxy-rbac.yaml - grafana.yaml diff --git a/grafana-operator/base/instance/session-secret.yaml b/grafana-operator/base/instance/session-secret.yaml index 7616e63b..c197afe6 100644 --- a/grafana-operator/base/instance/session-secret.yaml +++ b/grafana-operator/base/instance/session-secret.yaml @@ -3,5 +3,5 @@ data: session_secret: Y2hhbmdlIG1lCg== kind: Secret metadata: - name: grafana-k8s-proxy + name: grafana-proxy type: Opaque diff --git a/grafana-operator/base/operator/subscription.yaml b/grafana-operator/base/operator/subscription.yaml index 6ff95af9..8841f62f 100644 --- a/grafana-operator/base/operator/subscription.yaml +++ b/grafana-operator/base/operator/subscription.yaml 
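Review bot: `auth.proxy` is enabled at the end of the hunk with `header_name: "X-Forwarded-User"` but no source restriction, so any client that can reach the Grafana container on port 3000 directly (the Service publishes only 9091, but the pod IP stays reachable in-cluster unless a NetworkPolicy blocks it) can set that header itself and be logged in as any user — add `whitelist: "127.0.0.1, ::1"` under `auth.proxy` so header auth is honoured only from the `-upstream=http://localhost:3000` sidecar path, and consider a NetworkPolicy on 3000. The proxy image on the new side, `image: 'quay.io/openshift/origin-oauth-proxy'`, carries no tag or digest and the old `imagePullPolicy: Always` was dropped, so the previously pinned `ose-oauth-proxy:v4.6` regresses to a floating default tag; pin a tag or `@sha256:` digest. The three `volumeMounts` (TLS secret, session secret, CA bundle) are all `readOnly: false` although the proxy only reads them; set `readOnly: true` on each. The cookie secret it reads via `-cookie-secret-file=/etc/proxy/secrets/session_secret` comes from the `grafana-proxy` Secret, whose committed `session_secret` value (`Y2hhbmdlIG1lCg==`) decodes to the placeholder "change me", so it must be replaced per environment rather than deployed as-is.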
@@ -3,7 +3,7 @@ kind: Subscription metadata: name: grafana spec: - channel: v4 + channel: v5 installPlanApproval: Automatic name: grafana-operator source: community-operators diff --git a/grafana-operator/overlays/user-app-example/kustomization.yaml b/grafana-operator/overlays/user-app-example/kustomization.yaml index ce36efdb..6ee9f5ad 100644 --- a/grafana-operator/overlays/user-app-example/kustomization.yaml +++ b/grafana-operator/overlays/user-app-example/kustomization.yaml @@ -4,24 +4,28 @@ kind: Kustomization namespace: user-grafana -commonAnnotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - resources: - ../user-app - namespace.yaml - operator-group.yaml patches: - - path: patch-grafana-sar.yaml - target: - group: integreatly.org - kind: Grafana - name: grafana - version: v1alpha1 - - path: patch-cluster-monitoring-view.yaml - target: - group: rbac.authorization.k8s.io - kind: ClusterRoleBinding - name: cluster-monitoring-view - version: v1 +- patch: |- + - op: add + path: /subjects/0/namespace + value: user-grafana + - op: replace + path: /metadata/name + value: cluster-monitoring-view-user-grafana + target: + group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + name: cluster-monitoring-view +- patch: |- + - op: add + path: /subjects/0/namespace + value: user-grafana + target: + group: rbac.authorization.k8s.io + kind: RoleBinding + name: grafana-proxy diff --git a/grafana-operator/overlays/user-app-example/patch-cluster-monitoring-view.yaml b/grafana-operator/overlays/user-app-example/patch-cluster-monitoring-view.yaml deleted file mode 100644 index 9c196253..00000000 --- a/grafana-operator/overlays/user-app-example/patch-cluster-monitoring-view.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- op: replace - path: /subjects/0/namespace - value: user-grafana -- op: replace - path: /metadata/name - value: cluster-monitoring-view-user-grafana 
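Review bot: The overlay on the new side no longer patches the proxy's authorization check: the deleted `patch-grafana-sar.yaml` narrowed `-openshift-sar` to users who can `get` the `grafana-route` Route in `user-grafana`, and with the `$(SAR)` env indirection removed from grafana.yaml the instance now inherits the base's `{"resource": "namespaces", "verb": "get"}` (a cluster-scope check, since no `namespace` is given) for both `-openshift-sar` and `-openshift-delegate-urls`. Whether that widens or narrows who may log in depends on cluster RBAC, but it is a silent change to this example's access policy; if the per-namespace rule is still wanted, re-add it as a JSON patch on the Grafana CR as below (index 6 into `containers/0/args` follows the base file's order and breaks if that list is reordered; `-openshift-delegate-urls` at index 7 would need the same treatment). The ClusterRoleBinding patch also switched `/subjects/0/namespace` from `replace` to `add`; that works because `add` on an existing member overwrites it, though the base still carries `namespace: patch-me`, which `replace` documented more honestly.
```yaml
- patch: |-
    - op: replace
      path: /spec/deployment/spec/template/spec/containers/0/args/6
      value: '-openshift-sar={"namespace":"user-grafana","resource":"routes","name":"grafana-route","verb":"get"}'
  target:
    group: grafana.integreatly.org
    kind: Grafana
    name: grafana
    version: v1beta1
# … unchanged: the two RBAC patches already in the hunk …
```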
diff --git a/grafana-operator/overlays/user-app-example/patch-grafana-sar.yaml b/grafana-operator/overlays/user-app-example/patch-grafana-sar.yaml deleted file mode 100644 index 2fe4c412..00000000 --- a/grafana-operator/overlays/user-app-example/patch-grafana-sar.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: /spec/containers/0/env/0/value - value: '-openshift-sar={"namespace":"user-grafana","resource":"routes","name":"grafana-route","verb":"get"}' diff --git a/grafana-operator/overlays/user-app/cluster-monitor-view-rb.yaml b/grafana-operator/overlays/user-app/cluster-monitor-view-rb.yaml index 6b44ceab..983a778c 100644 --- a/grafana-operator/overlays/user-app/cluster-monitor-view-rb.yaml +++ b/grafana-operator/overlays/user-app/cluster-monitor-view-rb.yaml @@ -8,5 +8,5 @@ roleRef: name: cluster-monitoring-view subjects: - kind: ServiceAccount - name: grafana-serviceaccount + name: grafana-sa namespace: patch-me diff --git a/grafana-operator/overlays/user-app/grafana-auth-secret.yaml b/grafana-operator/overlays/user-app/grafana-auth-secret.yaml index c50281ad..06615004 100644 --- a/grafana-operator/overlays/user-app/grafana-auth-secret.yaml +++ b/grafana-operator/overlays/user-app/grafana-auth-secret.yaml @@ -3,5 +3,6 @@ kind: Secret metadata: name: grafana-auth-secret annotations: - kubernetes.io/service-account.name: grafana-serviceaccount + kubernetes.io/service-account.name: grafana-sa + argocd.argoproj.io/sync-wave: "2" type: kubernetes.io/service-account-token diff --git a/grafana-operator/overlays/user-app/grafana-ds.yaml b/grafana-operator/overlays/user-app/grafana-ds.yaml index 1e24cc60..ea02ba6d 100644 --- a/grafana-operator/overlays/user-app/grafana-ds.yaml +++ b/grafana-operator/overlays/user-app/grafana-ds.yaml 
@@ -1,19 +1,24 @@ -apiVersion: integreatly.org/v1alpha1 -kind: GrafanaDataSource +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "1" name: prometheus spec: - datasources: - - access: proxy - editable: true - isDefault: true - jsonData: - httpHeaderName1: 'Authorization' - timeInterval: 5s - tlsSkipVerify: true - name: Prometheus - secureJsonData: - httpHeaderValue1: 'Bearer ${GRAFANA_TOKEN}' - type: prometheus - url: 'https://thanos-querier.openshift-monitoring.svc.cluster.local:9091' - name: prometheus.yaml + datasource: + access: proxy + editable: true + isDefault: true + jsonData: + httpHeaderName1: 'Authorization' + timeInterval: 5s + tlsSkipVerify: true + name: Prometheus + secureJsonData: + httpHeaderValue1: 'Bearer ${GRAFANA_TOKEN}' + type: prometheus + url: 'https://thanos-querier.openshift-monitoring.svc.cluster.local:9091' + instanceSelector: + matchLabels: + instance: "grafana" diff --git a/grafana-operator/overlays/user-app/kustomization.yaml b/grafana-operator/overlays/user-app/kustomization.yaml index 2f0c1289..1135145a 100644 --- a/grafana-operator/overlays/user-app/kustomization.yaml +++ b/grafana-operator/overlays/user-app/kustomization.yaml @@ -15,9 +15,8 @@ resources: patches: - patch: |- - op: add - path: /spec/deployment + path: /spec/deployment/spec/template/spec/containers/0/env value: - env: - name: GRAFANA_TOKEN valueFrom: secretKeyRef:
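Review bot: The migrated datasource keeps `tlsSkipVerify: true` for `https://thanos-querier.openshift-monitoring.svc.cluster.local:9091` while sending the `grafana-sa` bearer token in `httpHeaderValue1`, so that token is presented to whatever answers at that name without certificate validation; the querier's in-cluster serving cert is signed by the OpenShift service CA, so set `tlsSkipVerify: false` together with `tlsAuthWithCACert: true` and the CA under `secureJsonData.tlsCACert`. Separately, `httpHeaderValue1: 'Bearer ${GRAFANA_TOKEN}'` relied on v4 writing a provisioning file that Grafana expanded from the pod's environment; the v5 operator applies datasources through the Grafana API, where I would not expect `${GRAFANA_TOKEN}` to be expanded from the deployment env — verify this, and if it is not, use the v5 `spec.valuesFrom` mechanism with `targetPath: secureJsonData.httpHeaderValue1` and a `secretKeyRef` to `grafana-auth-secret`. `editable: true` on a datasource carrying a privileged token also lets Grafana org admins repoint it at another URL; `editable: false` unless that is intended.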