ingress for monitoring

.github/workflows/deploy.yml

@@ -35,13 +35,14 @@ jobs:
           helm repo add apache-airflow https://airflow.apache.org
           helm repo add codecentric https://codecentric.github.io/helm-charts
           helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+          helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
           helm repo update
           
       - name: Deploy Nginx
         if: ${{ inputs.service == 'all' || inputs.service == 'nginx' }}
         run: |
-          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-          helm repo update
           helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
             --namespace ingress-nginx \
             --create-namespace \
@@ -53,7 +54,7 @@ jobs:
           helm upgrade --install airflow apache-airflow/airflow \
             --namespace airflow \
             --create-namespace \
-            --values helm/airflow/values.yaml \
+            --values helm/airflow/values.yaml
 
       - name: Deploy Keycloak PostgreSQL
         if: ${{ inputs.service == 'all' || inputs.service == 'keycloak' || inputs.service == 'keycloak-db' }}
@@ -74,14 +75,51 @@ jobs:
             --create-namespace \
             --values helm/keycloak/values.yaml \
             --wait
+      - name: Create monitoring namespace
+        if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+        run: |
+          kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f -
+      - name: Create oauth2-proxy secrets
+        if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+        run: |
+
+          kubectl create secret generic oauth2-proxy-prometheus \
+            -n monitoring \
+            --from-literal=client-id=prometheus \
+            --from-literal=client-secret="${{ secrets.PROMETHEUS_CLIENT_SECRET }}" \
+            --from-literal=cookie-secret="${{ secrets.OAUTH2_PROXY_COOKIE_SECRET }}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          kubectl create secret generic oauth2-proxy-alertmanager \
+            -n monitoring \
+            --from-literal=client-id=alertmanager \
+            --from-literal=client-secret="${{ secrets.ALERTMANAGER_CLIENT_SECRET }}" \
+            --from-literal=cookie-secret="${{ secrets.OAUTH2_PROXY_COOKIE_SECRET }}" \
+            --dry-run=client -o yaml | kubectl apply -f -
 
       - name: Deploy Monitoring
         if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
         run: |
-          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
-          helm repo update
           helm upgrade --install monitoring prometheus-community/kube-prometheus-stack \
             --namespace monitoring \
             --create-namespace \
             --values helm/monitoring/values.yaml \
             --wait
+
+      - name: Deploy oauth2-proxy Prometheus
+        if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+        run: |
+          helm upgrade --install oauth2-proxy-prometheus \
+            oauth2-proxy/oauth2-proxy \
+            --namespace monitoring \
+            -f helm/monitoring/oauth2-proxy-prometheus.yaml \
+            --wait
+
+      - name: Deploy oauth2-proxy Alertmanager
+        if: ${{ inputs.service == 'all' || inputs.service == 'monitoring' }}
+        run: |
+          helm upgrade --install oauth2-proxy-alertmanager \
+            oauth2-proxy/oauth2-proxy \
+            --namespace monitoring \
+            -f helm/monitoring/oauth2-proxy-alertmanager.yaml \
+            --wait

helm/monitoring/oauth2-proxy-alertmanager.yaml

@@ -0,0 +1,19 @@
+config:
+  existingSecret: oauth2-proxy-alertmanager
+
+extraArgs:
+  provider: oidc
+  oidc-issuer-url: "http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm"
+  email-domain: "*"
+  insecure-oidc-allow-unverified-email: "true"
+  upstream: "http://monitoring-kube-prometheus-alertmanager.monitoring.svc.cluster.local:9093"
+
+ingress:
+  enabled: true
+  className: nginx
+
+  hosts:
+    - alertmanager.13.140.150.2.nip.io
+
+  path: /
+  pathType: Prefix

helm/monitoring/oauth2-proxy-prometheus.yaml

@@ -0,0 +1,19 @@
+config:
+  existingSecret: oauth2-proxy-prometheus
+
+extraArgs:
+  provider: oidc
+  oidc-issuer-url: "http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm"
+  email-domain: "*"
+  insecure-oidc-allow-unverified-email: "true"
+  upstream: "http://monitoring-kube-prometheus-prometheus.monitoring.svc.cluster.local:9090"
+
+ingress:
+  enabled: true
+  className: nginx
+
+  hosts:
+    - prometheus.13.140.150.2.nip.io
+
+  path: /
+  pathType: Prefix

helm/monitoring/values.yaml

@@ -1,5 +1,28 @@
 grafana:
   enabled: true
+
+  grafana.ini:
+    server:
+      root_url: http://grafana.13.140.150.2.nip.io
+
+    auth:
+      disable_login_form: false
+      oauth_auto_login: false
+
+    auth.generic_oauth:
+      enabled: true
+      name: Keycloak
+      allow_sign_up: true
+      client_id: grafana
+      client_secret: kvULFcvaeWLYzivg1eJFYT9s0Nj674Qr
+      scopes: openid email profile
+      auth_url: http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm/protocol/openid-connect/auth
+      token_url: http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm/protocol/openid-connect/token
+      api_url: http://keycloak.13.140.150.2.nip.io/auth/realms/airflow-realm/protocol/openid-connect/userinfo
+      email_attribute_path: email
+      login_attribute_path: preferred_username
+      name_attribute_path: full_name
+
   ingress:
     enabled: true
     ingressClassName: nginx
@@ -8,19 +31,10 @@ grafana:
 
 prometheus:
   enabled: true
-  ingress:
+
-    enabled: true
-    ingressClassName: nginx
-    hosts:
-      - prometheus.13.140.150.2.nip.io
   prometheusSpec:
     serviceMonitorSelectorNilUsesHelmValues: false
     podMonitorSelectorNilUsesHelmValues: false
 
 alertmanager:
   enabled: true
-  ingress:
-    enabled: true
-    ingressClassName: nginx
-    hosts:
-      - alertmanager.13.140.150.2.nip.io