grafana oauth configuration

kustomize/bases/gitea/gitea-deployment.yaml

@@ -36,6 +36,8 @@ spec:
               value: repo.wiki
             - name: GITEA__REPOSITORY__DEFAULT_REPO_UNITS
               value: repo.code,repo.releases
+            - name: GITEA__WEBHOOK_ALLOWED_HOST_LIST
+              value: ${DRONE_EXTERNAL_HOST}
           ports:
             - name: http
               containerPort: 3000

kustomize/bases/grafana-agent/grafana-agent-volume.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: grafana-agent-wal-pvc
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

kustomize/bases/grafana-agent/kustomization.yaml

@@ -1,6 +1,5 @@
 resources:
   - https://raw.githubusercontent.com/grafana/agent/v0.24.2/production/kubernetes/agent-bare.yaml
-  - grafana-agent-volume.yaml
 
 secretGenerator:
   - name: grafana-agent

kustomize/bases/grafana/grafana-deployment.yaml

@@ -29,12 +29,13 @@ spec:
           env:
             - name: GF_SERVER_DOMAIN
               value: ${GRAFANA_EXTERNAL_HOST}
+            - name: GF_SERVER_ROOT_URL
+              value: https://${GRAFANA_EXTERNAL_HOST}/
             # - name: GF_AUTH_ANONYMOUS_ENABLED
             #   value: "true"
             - name: GF_INSTALL_PLUGINS
               value: marcusolsson-json-datasource,marcusolsson-treemap-panel
-            - name: GF_FEATURE_TOGGLES_ENABLE
-              value: ngalert
+          args: ['--config', '/etc/grafana/provisioning/config/custom.ini']
           readinessProbe:
             failureThreshold: 3
             httpGet:
@@ -66,12 +67,17 @@ spec:
           volumeMounts:
             - name: grafana-datasources
               mountPath: /etc/grafana/provisioning/datasources
+            - name: grafana-config
+              mountPath: /etc/grafana/provisioning/config
             - mountPath: /var/lib/grafana
               name: grafana-pv
       volumes:
         - name: grafana-datasources
           configMap:
             name: grafana-datasources
+        - name: grafana-config
+          secret:
+            secretName: grafana-config
         - name: grafana-pv
           persistentVolumeClaim:
             claimName: grafana-pvc

kustomize/bases/grafana/kustomization.yaml

@@ -7,6 +7,12 @@ configMapGenerator:
     files:
       - datasources.yaml=provision/datasources.yaml
 
+secretGenerator:
+  - name: grafana-config
+    type: Opaque
+    literals:
+      - custom.ini=
+
 # secretGenerator:
 #   - name: postgres-credentials
 #     type: Opaque

kustomize/bases/longhorn/longhorn-helmchart.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   repo: https://charts.longhorn.io
   chart: longhorn
-  version: 1.2.4
+  version: 1.3.0
   targetNamespace: longhorn-system
   set:
     backupTargetCredentialSecret: s3-backupstore-credentials
@@ -15,7 +15,7 @@ spec:
       backupTarget: s3://longhorn-backups@home/
       defaultReplicaCount: 2
       defaultDataLocality: best-effort
-      replicaAutoBalance: best-effort
+      replicaAutoBalance: least-effort
       taintToleration: "kubernetes.io/arch:"
     longhornManager:
       tolerations:

kustomize/bases/longhorn/longhorn-recurringjob.yaml

@@ -7,6 +7,6 @@ spec:
   cron: "0 8 * * 2"
   task: "backup"
   groups:
-    - default
+    - backup
   retain: 2
   concurrency: 1

kustomize/bases/nextcloud/nextcloud-deployment.yaml

@@ -30,6 +30,10 @@ spec:
                     operator: In
                     values: 
                       - amd64
+      tolerations:
+        - key: kubernetes.io/arch
+          operator: Equal
+          value: amd64
       containers:
         - name: nextcloud
           image: nextcloud

kustomize/overlays/prod/configurations/grafana/custom.ini

@@ -0,0 +1,9 @@
+[auth.generic_oauth]
+enabled = true
+allow_sign_up = false
+client_id = 5yCpX9YovdrEuBpy69438S8GzCUJZLxqFl4rOcIpjBHICRpJzjv56VMxslKj7iqm
+client_secret = ${ssm:/k3s/prod/nextcloud/oidc/grafana/client_secret}
+scopes = openid profile email
+auth_url = https://cloud.badjware.dev/apps/oidc/authorize
+token_url = https://cloud.badjware.dev/apps/oidc/token
+api_url = https://cloud.badjware.dev/apps/oidc/userinfo

kustomize/overlays/prod/kustomization.yaml

@@ -5,33 +5,31 @@ bases:
   - ../../namespaces/monitoring
   - ../../namespaces/nextcloud
 
-resources:
-  - probes/external-services-bobcat-miner.yaml
+# resources:
+#   - probes/external-services-bobcat-miner.yaml
 
 images:
   - name: gitea/gitea
-    newTag: 1.15.7
+    newTag: 1.16.9
   - name: grafana/grafana
-    newTag: 8.5.3
-  - name: prom/node-exporter
-    newTag: v0.18.1
+    newTag: 9.0.4
+  # - name: prom/node-exporter
+  #   newTag: v0.18.1
   - name: prom/blackbox-exporter
     newName: badjware/blackbox-exporter-tweak
-    newTag: 0.19.0-1
+    newTag: 0.21.1 
   - name: drone/drone
     newTag: 2.7.0
   - name: drone/drone-runner-kube
     newTag: 1.0.0-rc.2
   - name: nextcloud
     newName: badjware/nextcloud-tweak
-    newTag: 22.2.3-3
+    newTag: 24.0.3
   - name: postgres
     newTag: 9.6.23
   - name: redis
     newTag: 6.2.5
 
-configMapGenerator: []
-
 secretGenerator:
   - name: drone-secret
     type: Opaque
@@ -67,6 +65,12 @@ secretGenerator:
     behavior: replace
     files:
       - agent.yaml=configurations/grafana-agent/agent.yaml
+  - name: grafana-config
+    type: Opaque
+    namespace: grafana
+    behavior: replace
+    files:
+      - custom.ini=configurations/grafana/custom.ini
   # - name: grafana-cloud-credentials
   #   type: Opaque
   #   namespace: monitoring