---
apiVersion: v1
name: gitlab-grafana
version: 0.1.0
description: Adapt the Grafana chart to interface to the GitLab App
keywords:
- gitlab
- grafana
home: https://about.gitlab.com/
icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg
sources:
- https://gitlab.com/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-grafana
- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-grafana
maintainers:
- name: GitLab Inc.
email: support@gitlab.com
#!/bin/sh
PW_FILE='/tmp/initial/password'
# If the password file exists, set the admin password using the contents
if [ -r "$PW_FILE" ]; then
echo "GitLab shim: Setting admin username to root"
export GF_SECURITY_ADMIN_USER="root"
read -r line < "$PW_FILE"
echo "GitLab shim: Setting admin password in environment"
export GF_SECURITY_ADMIN_PASSWORD="$line"
fi
# Start up the full grafana service
exec /run.sh
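Review bot: The `export GF_SECURITY_ADMIN_PASSWORD="$line"` line is printed with the password expanded whenever this script runs under xtrace. The `command:` entry in this merge request's values.yaml section starts it as `sh -x /tmp/scripts/import-secret.sh`, so the generated admin password would go to the container's stderr and into whatever collects the pod logs. Either drop `-x` from that command or add `set +x` immediately before `read -r line < "$PW_FILE"`. The script also falls through silently to `exec /run.sh` when the file is not readable, presumably leaving Grafana on the image's default admin credentials, so an `else` branch with a one-line `echo` warning would make a missing Secret mount visible.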
{{- if .Values.global.grafana.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fullname" . }}-datasource
namespace: {{ .Release.Namespace }}
labels:
gitlab_grafana_datasource: "true"
{{ include "gitlab.standardLabels" . | indent 4 }}
data:
gitlab.yaml: |
apiVersion: 1
deleteDatasources:
- name: GitLab installed Prometheus
orgId: 1
datasources:
- name: GitLab installed Prometheus
type: prometheus
orgId: 1
url: "http://{{ .Release.Name }}-prometheus-server"
access: proxy
isDefault: true
editable: false
{{- end }}
{{- if .Values.global.grafana.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab-grafana-import-secret
namespace: {{ .Release.Namespace }}
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
data:
import-secret.sh: |-
{{ include (print $.Template.BasePath "/_import-secret.sh") . | indent 4 }}
{{- end }}
{{- if .Values.global.grafana.enabled -}}
{{- $gitlabHostname := include "gitlab.gitlab.hostname" . -}}
{{- $tlsSecret := include "unicorn.tlsSecret" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ .Release.Name }}-grafana
namespace: {{ $.Release.Namespace }}
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
annotations:
kubernetes.io/ingress.class: "{{ template "gitlab.ingressclass" . }}"
kubernetes.io/ingress.provider: nginx
nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }}
nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }}
nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .Values.ingress.proxyConnectTimeout | quote }}
nginx.ingress.kubernetes.io/rewrite-target: /
{{ include "gitlab.certmanager_annotations" . }}
{{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
- host: {{ $gitlabHostname }}
http:
paths:
- backend:
serviceName: {{ .Release.Name }}-grafana
servicePort: 80
path: /-/grafana
{{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }}
tls:
- hosts:
- {{ $gitlabHostname }}
secretName: {{ $tlsSecret }}
{{- else }}
tls: []
{{- end }}
{{- end -}}
\ No newline at end of file
## GitLab Grafana configuration
## If enabled, we will deploy a secured Grafana
# This chart is controlled by `global.grafana.enabled`
global: {}
# We supply an Ingress resource that locates Grafana under /-/grafana
# NOTE: these values are placeholders for template functionality.
ingress:
tls: {}
annotations: {}
......@@ -35,3 +35,4 @@ global:
gitlab-runner:
enabled: false
......@@ -123,3 +123,9 @@ generate_secret_if_needed {{ template "gitlab.workhorse.secret" . }} --from-lite
# Registry http.secret secret
generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} --from-literal={{ template "gitlab.registry.httpSecret.key" . }}=$(gen_random 'a-z0-9' 128 | base64 -w 0)
{{ if .Values.global.grafana.enabled -}}
# Grafana password
generate_secret_if_needed "gitlab-grafana-initial-password" --from-literal=password=$(gen_random 'a-zA-Z0-9' 64)
{{ end }}
# Using the gitlab-grafana chart
The `gitlab-grafana` subchart adapts the [stable/grafana][] chart to operate
correctly with the same level of configuration as the Omnibus
GitLab install. In addition, the installation of Grafana allows additional
dashboards to be installed by the end user and be incorporated with the
GitLab supplied dashboards.
[stable/grafana]: https://github.com/helm/charts/tree/master/stable/grafana
## Requirements
This chart depends on the `stable/grafana` chart which is usually installed
by the `GitLab` meta chart. In addition, Kubernetes ingress support is
needed to properly route the Grafana requests using the `/-/grafana` path.
## Design Choices
Because of Helm limitations it is not possible to configure the Grafana
chart with knowledge of a dynamic name for the initial password Secret.
As a result a statically named Secret is created to contain the initial
password. This Secret is named `gitlab-grafana-initial-password`.
The same issue exists for the ConfigMap that contains the script that
is used to inject the initial password into the Grafana container. That
ConfigMap is named `gitlab-grafana-import-secret`.
Both the initial password Secret and the import script ConfigMap are
mounted into the Grafana container (`/tmp/initial` and `/tmp/scripts`
respectively) and the container command line is augmented to use both
of these objects to securely expose the initial password to the
Grafana server. Modification of the container command line will
generally prevent the initial password from being injected into the
Grafana server environment.
## Configuration
There are no required settings, it should work out of the box if you deploy
all of the charts together. The administrator credentials are created by
the `shared-secrets` chart and the administrator username is set to `root`.
## Installation command line options
| Parameter | Default | Description |
|---------------------|---------|----------------------------------------------------------------------|
| ingress.tls | `{}` | Hash of Ingress TLS settings if GitLab cert manager is not installed |
| ingress.annotations | `{}` | Additional annotations to add to Grafana Ingress resource |
## Dashboard Support
Grafana dashboards are automatically discovered from the ConfigMaps in
the deployed namespace. If a ConfigMap has been created with the
`gitlab_grafana_dashboard` label set to `true`, then the JSON encoded
dashboard in the ConfigMap will be imported into Grafana. This mechanism
does not allow any updates to the dashboard to be written back to the
ConfigMap containing the JSON encoded dashboard.
The end user may supply their own dashboards utilizing the same mechanism
by supplying the `gitlab_grafana_dashboard` label and managing the
ConfigMap themselves.
## Datasource Support
Datasources may be created in the same manner as the dashboards by adding
the `gitlab_grafana_datasource` label. This chart will add a ConfigMap
to direct Grafana to use the embedded Prometheus metrics.
......@@ -11,6 +11,7 @@ for more information on how the global variables work.
- [GitLab Version](#gitlab-version)
- [PostgreSQL](#configure-postgresql-settings)
- [Redis](#configure-redis-settings)
- [Grafana](#configure-grafana-integration)
- [Registry](#configure-registry-settings)
- [Gitaly](#configure-gitaly-settings)
- [Minio](#configure-minio-settings)
......@@ -165,6 +166,14 @@ global:
key: redis-password
```
## Configure Grafana integration
The GitLab global grafana settings are located under `global.grafana`. At this time, the only setting available is `global.grafana.enabled`.
When set to `true`, the GitLab chart will deploy the [Grafana chart](https://github.com/helm/helm/tree/master/stable/grafana), expose it under `/-/grafana` of the GitLab Ingress, and pre-configure it with a secure random password. The generated password can be found in the Secret named `gitlab-grafana-initial-root-password`.
The GitLab chart connects to the deployed Prometheus instance.
## Configure Registry settings
The global Registry settings are located under the `global.registry` key. For more
......
......@@ -40,6 +40,7 @@ documentation.
- [Postgres password](#postgresql-password)
- [Minio secret](#minio-secret)
- [Registry HTTP secret](#registry-http-secret)
- [Grafana password](#grafana-password)
- [External Services](#external-services)
- [Unicorn Omniauth](#unicorn-omniauth)
- [LDAP Password](#ldap-password)
......@@ -191,6 +192,14 @@ the name of the release.
kubectl create secret generic <name>-postgresql-password --from-literal=postgres-password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64)
```
### Grafana password
If configuring [Grafana integration](../charts/globals.md#configure-grafana-integration), generate a random 64 character alpha-numeric password.
```
generate_secret_if_needed "gitlab-grafana-initial-password" --from-literal=password=$(gen_random 'a-zA-Z0-9' 64)
```
### Registry HTTP secret
Generate a random 64 character alpha-numeric key shared by all registry pods.
......
......@@ -16,3 +16,7 @@ dependencies:
version: 0.7.0
repository: https://charts.gitlab.io/
condition: gitlab-runner.install
- name: grafana
version: 3.5.12
repository: https://kubernetes-charts.storage.googleapis.com/
condition: global.grafana.enabled
......@@ -96,6 +96,10 @@ global:
credentials: {}
# secret:
## doc/charts/globals.md#configure-grafana-integration
grafana:
enabled: false
## doc/charts/globals.md#configure-appconfig-settings
## Rails based portions of this chart share many settings
appConfig:
......@@ -463,6 +467,41 @@ gitlab-runner:
s3CachePath: gitlab-runner
s3CacheInsecure: false
## Installation & configuration of stable/grafana
## See requirements.yaml for current version
## Controlled by `global.grafana.enabled`
grafana:
admin.existingSecret: true
## The following settings allow Grafana to dynamically create
## dashboards and datasources from configmaps. See
## https://github.com/helm/charts/tree/master/stable/grafana#sidecar-for-dashboards
sidecar:
dashboards:
enabled: true
label: gitlab_grafana_dashboard
datasources:
enabled: true
label: gitlab_grafana_datasource
## We host Grafana as a sub-url of GitLab
grafana.ini:
server:
root_url: http://localhost/-/grafana/
## We generate and provide random passwords
## NOTE: the Secret & ConfigMap names are hard coded!
extraSecretMounts:
- name: initial-password
mountPath: /tmp/initial
readOnly: true
secretName: gitlab-grafana-initial-password
defaultMode: 400
extraConfigmapMounts:
- name: import-secret
mountPath: /tmp/scripts
configMap: gitlab-grafana-import-secret
readOnly: true
command: [ "sh", "-x", "/tmp/scripts/import-secret.sh" ]
## Settings for individual sub-charts under GitLab
## Note: Many of these settings are configurable via globals
# gitlab:
......@@ -481,3 +520,5 @@ gitlab-runner:
## doc/charts/gitlab/gitlab-shell
# gitlab-shell:
# enabled: false
## doc/charts/gitlab/gitlab-grafana
# gitlab-grafana:
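Review bot: `defaultMode: 400` under `extraSecretMounts` in the `grafana:` hunk is read by YAML as decimal 400, which is octal 0620 (owner read/write plus group write), not the owner-read-only 0400 the value suggests. If the Grafana chart copies this field into the Secret volume unchanged, which the page does not show, write it as `defaultMode: 0400` or decimal `256`. In the same hunk, `admin.existingSecret: true` is a single key containing a dot. Values files do not expand dotted keys the way `--set` does, so it likely has no effect and should be checked against the chart's `admin:` block.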