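---
# OpenShift Template: Grafana fronted by an oauth-proxy sidecar.
# Objects created: ServiceAccount, ClusterRoleBinding, Route, Service, Secret,
# Deployment (oauth-proxy + grafana containers) and a ConfigMap holding Grafana's defaults.ini.
kind: Template
apiVersion: v1
metadata:
  name: grafana-ocp
  annotations:
    "openshift.io/display-name": Grafana ocp
    description: |
      Grafana server with patched Prometheus datasource.
    iconClass: icon-cogs
    tags: "metrics,monitoring,grafana,prometheus"
parameters:
  # NOTE(review): the default is a mutable `latest` tag. Pin a version tag or image digest
  # so the deployed image is reproducible and can be audited.
  - description: The location of the grafana image
    name: IMAGE_GF
    value: mrsiano/grafana-ocp:latest
  - description: The location of the proxy image
    name: IMAGE_PROXY
    value: openshift/oauth-proxy:v1.0.0
  - description: External URL for the grafana route
    name: ROUTE_URL
    value: ""
  - description: The namespace to instantiate grafana under. Defaults to 'grafana'.
    name: NAMESPACE
    value: grafana
  # Generated per instantiation: 43 random alphanumeric characters. The gf-proxy Secret below
  # appends "=", presumably to form a 44-character base64-style cookie secret; confirm against
  # the oauth-proxy version in use.
  - description: The session secret for the proxy
    name: SESSION_SECRET
    generate: expression
    from: "[a-zA-Z0-9]{43}"
objects:
  # Service account the pod runs as. The annotation registers the grafana-ocp Route as the
  # OAuth redirect target, so the account can act as the proxy's OAuth client.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: grafana-ocp
      namespace: "${NAMESPACE}"
      annotations:
        serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana-ocp"}}'
  # NOTE(review): binds the cluster-wide cluster-reader role to the service account. Nothing in
  # the pod spec disables token automount, so both containers can presumably read this token;
  # confirm the breadth is required and narrow the role if it is not.
  - apiVersion: authorization.openshift.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: gf-cluster-reader
    roleRef:
      name: cluster-reader
    subjects:
      - kind: ServiceAccount
        name: grafana-ocp
        namespace: "${NAMESPACE}"
  # Public entry point. Reencrypt terminates TLS at the router and re-encrypts to the Service.
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: grafana-ocp
      namespace: "${NAMESPACE}"
    spec:
      host: "${ROUTE_URL}"
      to:
        name: grafana-ocp
      tls:
        termination: Reencrypt
  # Exposes only the proxy port (8443). The serving-cert annotation names the secret (gf-tls)
  # that holds the TLS certificate and key mounted by the pod.
  - apiVersion: v1
    kind: Service
    metadata:
      name: grafana-ocp
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/scheme: https
        service.alpha.openshift.io/serving-cert-secret-name: gf-tls
      namespace: "${NAMESPACE}"
      labels:
        metrics-infra: grafana-ocp
        name: grafana-ocp
    spec:
      ports:
        - name: grafana-ocp
          port: 443
          protocol: TCP
          targetPort: 8443
      selector:
        app: grafana-ocp
  # Cookie secret consumed by the proxy via -cookie-secret-file.
  - apiVersion: v1
    kind: Secret
    metadata:
      name: gf-proxy
      namespace: "${NAMESPACE}"
    stringData:
      session_secret: "${SESSION_SECRET}="
  # Deploy Grafana behind an oauth proxy
  # NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16; use apps/v1
  # where the target cluster supports it.
  - apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        app: grafana-ocp
      name: grafana-ocp
      namespace: "${NAMESPACE}"
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: grafana-ocp
      template:
        metadata:
          labels:
            app: grafana-ocp
          name: grafana-ocp-app
        spec:
          serviceAccountName: grafana-ocp
          containers:
            - name: oauth-proxy
              image: "${IMAGE_PROXY}"
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 8443
                  name: web
              args:
                - -https-address=:8443
                # Empty value: no plain-HTTP listener on the proxy.
                - -http-address=
                # Any e-mail domain is accepted; access control rests on -openshift-sar below.
                - -email-domain=*
                - -client-id=system:serviceaccount:${NAMESPACE}:grafana-ocp
                - -upstream=http://localhost:3000
                - -provider=openshift
                # - '-openshift-delegate-urls={"/api/datasources": {"resource": "namespace", "verb": "get", "resourceName": "grafana-ocp", "namespace": "${NAMESPACE}"}}'
                # A logged-in user must be allowed to list services in the namespace.
                - '-openshift-sar={"namespace": "${NAMESPACE}", "verb": "list", "resource": "services"}'
                - -tls-cert=/etc/tls/private/tls.crt
                - -tls-key=/etc/tls/private/tls.key
                - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
                - -cookie-secret-file=/etc/proxy/secrets/session_secret
                # NOTE(review): requests whose path matches one of these patterns skip the OAuth
                # login and the SAR check above. Combined with [auth.anonymous] enabled = true and
                # org_role = Admin in defaults.ini below, the datasource and dashboard APIs are
                # reachable through the Route without authentication and with Admin rights.
                # The two API patterns are also unanchored. Prefer keeping only ^/metrics here
                # and authorizing API automation explicitly; the commented-out
                # -openshift-delegate-urls argument above is one option to evaluate.
                - -skip-auth-regex=^/metrics,/api/datasources,/api/dashboards
              volumeMounts:
                - mountPath: /etc/tls/private
                  name: gf-tls
                - mountPath: /etc/proxy/secrets
                  name: secrets
            - name: grafana-ocp
              image: "${IMAGE_GF}"
              ports:
                - name: grafana-http
                  containerPort: 3000
              volumeMounts:
                - mountPath: "/root/go/src/github.com/grafana/grafana/data"
                  name: gf-data
                - mountPath: "/root/go/src/github.com/grafana/grafana/conf"
                  name: gfconfig
                # NOTE(review): the Grafana container also mounts the TLS key and the proxy cookie
                # secret. defaults.ini sets protocol = http and references no file under
                # /etc/proxy/secrets, so these mounts look unnecessary; drop them if the image
                # does not read them, so a compromised Grafana cannot forge proxy sessions.
                - mountPath: /etc/tls/private
                  name: gf-tls
                - mountPath: /etc/proxy/secrets
                  name: secrets
              command:
                - "./bin/grafana-server"
          volumes:
            - name: gfconfig
              configMap:
                name: gf-config
            - name: secrets
              secret:
                secretName: gf-proxy
            - name: gf-tls
              secret:
                secretName: gf-tls
            # Ephemeral storage: Grafana's data directory is lost when the pod is replaced.
            - emptyDir: {}
              name: gf-data
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: gf-config
      namespace: "${NAMESPACE}"
    data:
      # Grafana configuration, mounted into the grafana container's conf directory.
      # NOTE(review): security-relevant values set in this file, to be confirmed or hardened:
      #   [security]       admin_user / admin_password are admin / admin, and secret_key is a
      #                    fixed value committed in this template; supply both from a Secret.
      #   [auth.anonymous] enabled = true with org_role = Admin: every request that reaches
      #                    Grafana without credentials is treated as an organization Admin.
      #   [users]          allow_sign_up = true and auto_assign_org_role = Admin.
      #   [auth.proxy]     enabled with header X-WEBAUTH-USER and an empty whitelist: Grafana
      #                    trusts that header from anything able to reach port 3000. Confirm the
      #                    proxy overwrites or strips it, including on skip-auth paths.
      #   [session]        cookie_secure = false although browsers reach Grafana over HTTPS.
      #   [analytics] / [snapshots]  usage reporting, update checks and external snapshot
      #                    publishing are enabled, i.e. the pod makes outbound calls.
      defaults.ini: |-
        ##################### Grafana Configuration Defaults #####################
        #
        # Do not modify this file in grafana installs
        #

        # possible values : production, development
        app_mode = production

        # instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
        instance_name = ${HOSTNAME}

        #################################### Paths ###############################
        [paths]
        # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
        #
        data = data
        #
        # Directory where grafana can store logs
        #
        logs = data/log
        #
        # Directory where grafana will automatically scan and look for plugins
        #
        plugins = data/plugins

        #################################### Server ##############################
        [server]
        # Protocol (http, https, socket)
        protocol = http

        # The ip address to bind to, empty will bind to all interfaces
        http_addr =

        # The http port to use
        http_port = 3000

        # The public facing domain name used to access grafana from a browser
        domain = localhost

        # Redirect to correct domain if host header does not match domain
        # Prevents DNS rebinding attacks
        enforce_domain = false

        # The full public facing url
        root_url = %(protocol)s://%(domain)s:%(http_port)s/

        # Log web requests
        router_logging = false

        # the path relative working path
        static_root_path = public

        # enable gzip
        enable_gzip = false

        # https certs & key file
        cert_file = /etc/tls/private/tls.crt
        cert_key = /etc/tls/private/tls.key

        # Unix socket path
        socket = /tmp/grafana.sock

        #################################### Database ############################
        [database]
        # You can configure the database connection by specifying type, host, name, user and password
        # as separate properties or as on string using the url property.

        # Either "mysql", "postgres" or "sqlite3", it's your choice
        type = sqlite3
        host = 127.0.0.1:3306
        name = grafana
        user = root
        # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
        password =
        # Use either URL or the previous fields to configure the database
        # Example: mysql://user:secret@host:port/database
        url =

        # Max idle conn setting default is 2
        max_idle_conn = 2

        # Max conn setting default is 0 (mean not set)
        max_open_conn =

        # For "postgres", use either "disable", "require" or "verify-full"
        # For "mysql", use either "true", "false", or "skip-verify".
        ssl_mode = disable

        ca_cert_path =
        client_key_path =
        client_cert_path =
        server_cert_name =

        # For "sqlite3" only, path relative to data_path setting
        path = grafana.db

        #################################### Session #############################
        [session]
        # Either "memory", "file", "redis", "mysql", "postgres", "memcache", default is "file"
        provider = file

        # Provider config options
        # memory: not have any config yet
        # file: session dir path, is relative to grafana data_path
        # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
        # postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
        # mysql: go-sql-driver/mysql dsn config string, examples:
        #         `user:password@tcp(127.0.0.1:3306)/database_name`
        #         `user:password@unix(/var/run/mysqld/mysqld.sock)/database_name`
        # memcache: 127.0.0.1:11211

        provider_config = sessions

        # Session cookie name
        cookie_name = grafana_sess

        # If you use session in https only, default is false
        cookie_secure = false

        # Session life time, default is 86400
        session_life_time = 86400
        gc_interval_time = 86400

        #################################### Data proxy ###########################
        [dataproxy]

        # This enables data proxy logging, default is false
        logging = false

        #################################### Analytics ###########################
        [analytics]
        # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
        # No ip addresses are being tracked, only simple counters to track
        # running instances, dashboard and error counts. It is very helpful to us.
        # Change this option to false to disable reporting.
        reporting_enabled = true

        # Set to false to disable all checks to https://grafana.com
        # for new versions (grafana itself and plugins), check is used
        # in some UI views to notify that grafana or plugin update exists
        # This option does not cause any auto updates, nor send any information
        # only a GET request to https://grafana.com to get latest versions
        check_for_updates = true

        # Google Analytics universal tracking code, only enabled if you specify an id here
        google_analytics_ua_id =

        # Google Tag Manager ID, only enabled if you specify an id here
        google_tag_manager_id =

        #################################### Security ############################
        [security]
        # default admin user, created on startup
        admin_user = admin

        # default admin password, can be changed before first start of grafana, or in profile settings
        admin_password = admin

        # used for signing
        secret_key = SW2YcwTIb9zpOOhoPsMm

        # Auto-login remember days
        login_remember_days = 7
        cookie_username = grafana_user
        cookie_remember_name = grafana_remember

        # disable gravatar profile images
        disable_gravatar = false

        # data source proxy whitelist (ip_or_domain:port separated by spaces)
        data_source_proxy_whitelist =

        [snapshots]
        # snapshot sharing options
        external_enabled = true
        external_snapshot_url = https://snapshots-origin.raintank.io
        external_snapshot_name = Publish to snapshot.raintank.io

        # remove expired snapshot
        snapshot_remove_expired = true

        # remove snapshots after 90 days
        snapshot_TTL_days = 90

        #################################### Users ####################################
        [users]
        # disable user signup / registration
        allow_sign_up = true

        # Allow non admin users to create organizations
        allow_org_create = true

        # Set to true to automatically assign new users to the default organization (id 1)
        auto_assign_org = true

        # Default role new users will be automatically assigned (if auto_assign_org above is set to true)
        auto_assign_org_role = Admin

        # Require email validation before sign up completes
        verify_email_enabled = false

        # Background text for the user field on the login page
        login_hint = email or username

        # Default UI theme ("dark" or "light")
        default_theme = dark

        # External user management
        external_manage_link_url =
        external_manage_link_name =
        external_manage_info =

        [auth]
        # Set to true to disable (hide) the login form, useful if you use OAuth
        disable_login_form = true

        # Set to true to disable the signout link in the side menu. useful if you use auth.proxy
        disable_signout_menu = true

        #################################### Anonymous Auth ######################
        [auth.anonymous]
        # enable anonymous access
        enabled = true

        # specify organization name that should be used for unauthenticated users
        org_name = Main Org.

        # specify role for unauthenticated users
        org_role = Admin

        #################################### Github Auth #########################
        [auth.github]
        enabled = false
        allow_sign_up = true
        client_id = some_id
        client_secret = some_secret
        scopes = user:email
        auth_url = https://github.com/login/oauth/authorize
        token_url = https://github.com/login/oauth/access_token
        api_url = https://api.github.com/user
        team_ids =
        allowed_organizations =

        #################################### Google Auth #########################
        [auth.google]
        enabled = false
        allow_sign_up = true
        client_id = some_client_id
        client_secret = some_client_secret
        scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
        auth_url = https://accounts.google.com/o/oauth2/auth
        token_url = https://accounts.google.com/o/oauth2/token
        api_url = https://www.googleapis.com/oauth2/v1/userinfo
        allowed_domains =
        hosted_domain =

        #################################### Grafana.com Auth ####################
        # legacy key names (so they work in env variables)
        [auth.grafananet]
        enabled = false
        allow_sign_up = true
        client_id = some_id
        client_secret = some_secret
        scopes = user:email
        allowed_organizations =

        [auth.grafana_com]
        enabled = false
        allow_sign_up = true
        client_id = some_id
        client_secret = some_secret
        scopes = user:email
        allowed_organizations =

        #################################### Generic OAuth #######################
        [auth.generic_oauth]
        name = OAuth
        enabled = false
        allow_sign_up = true
        client_id = some_id
        client_secret = some_secret
        scopes = user:email
        auth_url =
        token_url =
        api_url =
        team_ids =
        allowed_organizations =

        #################################### Basic Auth ##########################
        [auth.basic]
        enabled = false

        #################################### Auth Proxy ##########################
        [auth.proxy]
        enabled = true
        header_name = X-WEBAUTH-USER
        header_property = username
        auto_sign_up = true
        ldap_sync_ttl = 60
        whitelist =

        #################################### Auth LDAP ###########################
        [auth.ldap]
        enabled = false
        config_file = /etc/grafana/ldap.toml
        allow_sign_up = true

        #################################### SMTP / Emailing #####################
        [smtp]
        enabled = false
        host = localhost:25
        user =
        # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
        password =
        cert_file =
        key_file =
        skip_verify = false
        from_address = admin@grafana.localhost
        from_name = Grafana
        ehlo_identity =

        [emails]
        welcome_email_on_sign_up = false
        templates_pattern = emails/*.html

        #################################### Logging ##########################
        [log]
        # Either "console", "file", "syslog". Default is console and file
        # Use space to separate multiple modes, e.g. "console file"
        mode = console file

        # Either "debug", "info", "warn", "error", "critical", default is "info"
        level = error

        # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
        filters =

        # For "console" mode only
        [log.console]
        level =

        # log line format, valid options are text, console and json
        format = console

        # For "file" mode only
        [log.file]
        level =

        # log line format, valid options are text, console and json
        format = text

        # This enables automated log rotate(switch of following options), default is true
        log_rotate = true

        # Max line number of single file, default is 1000000
        max_lines = 1000000

        # Max size shift of single file, default is 28 means 1 << 28, 256MB
        max_size_shift = 28

        # Segment log daily, default is true
        daily_rotate = true

        # Expired days of log file(delete after max days), default is 7
        max_days = 7

        [log.syslog]
        level =

        # log line format, valid options are text, console and json
        format = text

        # Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
        network =
        address =

        # Syslog facility. user, daemon and local0 through local7 are valid.
        facility =

        # Syslog tag. By default, the process' argv[0] is used.
        tag =

        #################################### AMQP Event Publisher ################
        [event_publisher]
        enabled = false
        rabbitmq_url = amqp://localhost/
        exchange = grafana_events

        #################################### Dashboard JSON files ################
        [dashboards.json]
        enabled = false
        path = /var/lib/grafana/dashboards

        #################################### Usage Quotas ########################
        [quota]
        enabled = false

        #### set quotas to -1 to make unlimited. ####
        # limit number of users per Org.
        org_user = 10

        # limit number of dashboards per Org.
        org_dashboard = 100

        # limit number of data_sources per Org.
        org_data_source = 10

        # limit number of api_keys per Org.
        org_api_key = 10

        # limit number of orgs a user can create.
        user_org = 10

        # Global limit of users.
        global_user = -1

        # global limit of orgs.
        global_org = -1

        # global limit of dashboards
        global_dashboard = -1

        # global limit of api_keys
        global_api_key = -1

        # global limit on number of logged in users.
        global_session = -1

        #################################### Alerting ############################
        [alerting]
        # Disable alerting engine & UI features
        enabled = true
        # Makes it possible to turn off alert rule execution but alerting UI is visible
        execute_alerts = true

        #################################### Internal Grafana Metrics ############
        # Metrics available at HTTP API Url /api/metrics
        [metrics]
        enabled = true
        interval_seconds = 10

        # Send internal Grafana metrics to graphite
        [metrics.graphite]
        # Enable by setting the address setting (ex localhost:2003)
        address =
        prefix = prod.grafana.%(instance_name)s.

        [grafana_net]
        url = https://grafana.com

        [grafana_com]
        url = https://grafana.com

        #################################### Distributed tracing ############
        [tracing.jaeger]
        # jaeger destination (ex localhost:6831)
        address =
        # tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
        always_included_tag =
        # Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
        sampler_type = const
        # jaeger samplerconfig param
        # for "const" sampler, 0 or 1 for always false/true respectively
        # for "probabilistic" sampler, a probability between 0 and 1
        # for "rateLimiting" sampler, the number of spans per second
        # for "remote" sampler, param is the same as for "probabilistic"
        # and indicates the initial sampling rate before the actual one
        # is received from the mothership
        sampler_param = 1

        #################################### External Image Storage ##############
        [external_image_storage]
        # You can choose between (s3, webdav, gcs)
        provider =

        [external_image_storage.s3]
        bucket_url =
        bucket =
        region =
        path =
        access_key =
        secret_key =

        [external_image_storage.webdav]
        url =
        username =
        password =
        public_url =

        [external_image_storage.gcs]
        key_file =
        bucket =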