feat(grafana): install grafana using grafana-operator

Decommission kube-prometheus-stack installed Grafana and use
grafana-operator instead.

Signed-off-by: Vegard Hagen <vegard@stonegarden.dev>

k8s/infra/auth/authelia/dashboard.yaml

@@ -0,0 +1,13 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: authelia
+  namespace: authelia
+spec:
+  allowCrossNamespaceImport: true
+  folder: Authelia
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  url: https://raw.githubusercontent.com/authelia/authelia/refs/heads/master/examples/grafana-dashboards/simple.json

k8s/infra/auth/authelia/kustomization.yaml

@@ -6,12 +6,6 @@ configMapGenerator:
   - name: consent
     namespace: authelia
     files: [ ./locales/en/consent.json ]
-  - name: grafana-dashboard
-    namespace: authelia
-    files: [ ./dashboards/simple.json ]
-    options:
-      annotations: { grafana_folder: "Authelia" }
-      labels: { grafana_dashboard: "1" }
 
 resources:
   - ns.yaml
@@ -26,6 +20,7 @@ resources:
   - clients/audiobookshelf.yaml
   - clients/grafana.yaml
   - clients/netbird.yaml
+  - dashboard.yaml
 
 helmCharts:
   - name: authelia

k8s/infra/controllers/argocd/dashboard.yaml

@@ -0,0 +1,13 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  allowCrossNamespaceImport: true
+  folder: Argo CD
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  url: https://raw.githubusercontent.com/argoproj/argo-cd/refs/heads/master/examples/dashboard.json

k8s/infra/controllers/argocd/kustomization.yaml

@@ -15,15 +15,7 @@ resources:
   - service-monitors/argocd-redis.yaml
   - service-monitors/argocd-repo-server.yaml
   - service-monitors/argocd-server.yaml
-
-configMapGenerator:
-  - name: argocd-dashboard
-    namespace: argocd
-    # From https://github.com/argoproj/argo-cd/blob/master/examples/dashboard.json
-    files: [ argocd-dashboard.json ]
-    options:
-      annotations: { grafana_folder: "Argo CD" }
-      labels: { grafana_dashboard: "1" }
+  - dashboard.yaml
 
 helmCharts:
   - name: argo-cd

k8s/infra/monitoring/grafana/admin-credentials.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: admin-credentials
+  namespace: grafana
+spec:
+  encryptedData:
+    password: AgAmS+p26Jr9am+MkHeI6m+A8IbH/Pb87adjMvvdE/GRgjuEOIuVmBtFTxURUn5ddjOYdWfkXK34k/ObfRGNFjCd/w042jeq/mdwicnrrw4VSoJaiYxP/Qx1Iz6qRp1cZiYC3W5dlNk51fDGXVtyqxTCoMnDIvZ4fIVvKsEmizan64+JWG0X6uPn1g2xDV2O6wleygxI+JHdeYGueKGZ1rHnzcmkiv2jYoM3tj3wqpRmuVikLoaenNqh/4hV7bNKp6pMjZEZ+P2LBxiGVvBFDD2ztwzP8JImbWtXEldA6VmU9vEEMNvmchDBBsr/4gbTiLaHUP3P4XojRIghtvMxAqJqji3AOqOE4K7tHK5o6L7MvQDxYUfav/mKcLCfuLFEyNuTG3D/KLImnSSTD/tU1GZIAs66TlaID9lTJFG464YlmvvL7E/MOBRUPGkBXVdluzCuyHPRT1ljmayte+H0U+FuGFsB+lcVfxNLcWlIo4pAHjyGX2L2ghkP2oLb4V54ISPvJKv2pAKnRHYRGzwCI9zLpb2rXWOcSbDyhyORxSKWFxOX3x/Sk3xVk2tDIa9yFcA5VVHXePzFsknD2DtbUMdpUu0Mbt96v+F9AE9W0H7KF6YnYHhVeCZCvGEtBD8oUTPY5jx+O1VuNraO/D9MlDumanYz8lYfGKlR/LBEmjZyarK7YTwrMpLOA8cFuJdB62SlrDVlt2w6dJq4lq/5I1juZP7Ukvxihip/xc2JD6hRs4jRAkk=
+    username: AgCj6mPWTMz3QrIirfadIjgxywgM8j3KYwV+8Q0k9dQke7jnaxVdGHaLFRhapxIM77exdT4TfGN2TwSEOLvsk3wsE/B2J1AftT1VMC8Cj15tJrJZPPyJQFua/x45CTIQS0WISW/hz2sNI5RFTC/xJAK9ITUW8TgjEIoPh9tVltdylrVnFC2DR78STAnGMrA470pmPqMadzpDlQSNqs8jo7noWDvSpDhxWVemPrQTVzYnH2cPbIwYdZaXD1I799xvXWHKXDBu6o1P69LhCqBNsV9IKKsvey3Sb5v1fu5PtJpWxhITQ3PJDLvO9msC/a5ORWMmpeqVQYFrIw6HjY+jB3bsbYXVGESz1j60Pa8v0jgDSuviGy6daLXYjBJ9QUoUdvgce0C4wP+uTbd5mczO4xczBc16D0zFY3g4VecnVJSoMH7tQz617UiHEIOMDuAAwQqTkPIWcx1rYh00OogS8B+pG/JErgimackYvcT3ZiYIzXxrW81QGasvPky0yzEvc9KOB9iblEWtgkcf9YqL1b/Oe5UuVgHtkH+NpgVk3YwYLwJqw4P74I9EpaQYf/wDJz/EtbXvRwany6XW3YebzoH8QRR/JTPRX4HRgmS3Nbbp1nsBP+NDE+90He1Oq8EbvJaY0/Q+E51mEexd2cHS2NJro0G1EF/pkoznP1FqnLAWvd03dhM+2fIJv0qrPBYQGHHk07O0cA==
+  template:
+    metadata:
+      name: admin-credentials
+      namespace: grafana
+    type: Opaque

k8s/infra/monitoring/grafana/datasources/alertmanager-operated.yaml

@@ -0,0 +1,19 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: alertmanager
+  namespace: grafana
+spec:
+  allowCrossNamespaceImport: true
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  datasource:
+    name: Alertmanager
+    type: alertmanager
+    access: proxy
+    url: http://alertmanager-operated.monitoring.svc.cluster.local:9093
+    isDefault: false
+    jsonData:
+      handleGrafanaManagedAlerts: false
+      implementation: prometheus

k8s/infra/monitoring/grafana/datasources/prometheus-operated.yaml

@@ -0,0 +1,18 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: prometheus
+  namespace: grafana
+spec:
+  allowCrossNamespaceImport: true
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  datasource:
+    name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://prometheus-operated.monitoring.svc.cluster.local:9090
+    isDefault: true
+    jsonData:
+      timeInterval: 30s

k8s/infra/monitoring/grafana/grafana-operator-dashboard.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: grafana-operator
+  namespace: grafana
+spec:
+  allowCrossNamespaceImport: true
+  folder: Grafana
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: grafana-operator-dashboard
+    key: grafana-operator.json

k8s/infra/monitoring/grafana/grafana.yaml

@@ -0,0 +1,51 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+  name: grafana
+  namespace: grafana
+  labels:
+    app: grafana
+spec:
+  disableDefaultAdminSecret: true
+  config:
+    log:
+      mode: console
+    auth:
+      disable_login_form: "true"
+    server:
+      root_url: https://grafana.stonegarden.dev
+    auth.generic_oauth:
+      enabled: "true"
+      name: Authelia
+      client_id: $__env{OIDC_CLIENT_ID}
+      client_secret: $__env{OIDC_CLIENT_SECRET}
+      auth_style: InHeader
+      scopes: openid email profile offline_access grafana
+      empty_scopes: "false"
+      use_pkce: "true"
+      use_refresh_token: "true"
+      auth_url: https://authelia.stonegarden.dev/api/oidc/authorization
+      token_url: https://authelia.stonegarden.dev/api/oidc/token
+      api_url: https://authelia.stonegarden.dev/api/oidc/userinfo
+      signout_redirect_url: https://authelia.stonegarden.dev/logout
+      login_attribute_path: preferred_username
+      name_attribute_path: name
+      allow_assign_grafana_admin: "true"
+      role_attribute_path: contains(grafana[*], 'grafana_admin') && 'GrafanaAdmin' || contains(grafana[*], 'admin') && 'Admin' || contains(grafana[*], 'editor') && 'Editor' || 'Viewer'
+      auto_login: "true"
+  version: 12.1.0 # renovate: docker=docker.io/grafana/grafana
+  deployment:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: grafana
+              env:
+                - name: GF_SECURITY_ADMIN_USER
+                  valueFrom:
+                    secretKeyRef: { key: username, name: admin-credentials }
+                - name: GF_SECURITY_ADMIN_PASSWORD
+                  valueFrom:
+                    secretKeyRef: { key: password, name: admin-credentials }
+              envFrom:
+                - secretRef: { name: oidc-credentials }

k8s/infra/monitoring/grafana/http-route.yaml

@@ -2,7 +2,7 @@ apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: grafana
-  namespace: monitoring
+  namespace: grafana
 spec:
   parentRefs:
     - name: internal
@@ -15,5 +15,5 @@ spec:
             type: PathPrefix
             value: /
       backendRefs:
-        - name: kube-prometheus-stack-grafana
-          port: 80
+        - name: grafana-service
+          port: 3000

k8s/infra/monitoring/grafana/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+  - grafana.yaml
+  - grafana-operator-dashboard.yaml
+  - http-route.yaml
+  - admin-credentials.yaml
+  - oidc-credentials.yaml
+  - datasources/alertmanager-operated.yaml
+  - datasources/prometheus-operated.yaml
+
+helmCharts:
+  - name: grafana-operator
+    repo: oci://ghcr.io/grafana/helm-charts
+    includeCRDs: true
+    namespace: grafana
+    version: v5.19.1 # renovate: github-releases=grafana/grafana-operator
+    releaseName: grafana-operator
+    valuesFile: ./values.yaml

k8s/infra/monitoring/grafana/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grafana

k8s/infra/monitoring/grafana/oidc-credentials.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: oidc-credentials
+  namespace: grafana
+spec:
+  encryptedData:
+    OIDC_CLIENT_ID: AgBJlYOf+aFOMewSQTaThwh4zzZDuUFU7Kch8OyDbmqK4tRdSsFZdcOFJxeMLx1P3oupw3d6NDl5fNaCnx6GJ8kL9D+nVASxQ8aO2ld/TrZSZ1PaDUOmahTZSj2K7Naa0O7LSfuVnjmMZG5cifWiITrqgBSoY7odbokYft9SxL0puWcUW1w5VxqfFyY2ZFs/aqAjNAD656zB2iDihCE28L5ROp5WGdxpiyTU5zcR+dOxZ1mmevH38RMa4vA2Y121MOdKco2e93gSFMWw6fZ1cjXfDLwYPgJdrrGjnsjnBXtWqdNnnYT/wjIlQ08xhZi/jbnGXAo1FkCHL5FgbEPmxgSKJolPLLpEFZPhfwaviCT6ft/Mza1wWTnlSYjVCRox5T8tehU7vniAc0Emd8XcEbF4LwKDYfVjYKdZncsbwdn/XB5XOPDeozme5cy4+EBGLz6+QgPHef08XN/kW16+FNTU5mUyM73NXeN5WDkrn6yF1ZyZUYSJ39g70kMLPUU0i9Or8lRY3cI6Q706/KaOBpFiLq/dtb3OxPJQ4eADJYVyJIS8v4TF2vJ7jcIeJd5dadpinKyN7Lc9PHOU5Oa3oyDJlajXrQH7Q0/bIKzETcDCN5ovqwnpOj9RsGzNSPJnV+EQbLl2mnLS6NfE7WfbVD08B0EmXbA4tuQOj3+KBe5XaOFK3rvDoSKe0EmqjtOjYNTJRhQQP8Po
+    OIDC_CLIENT_SECRET: AgCn9ELnh4t+a3pzSXbrGmjfJNO00eXu4vdM4vLOlquIGjSWFVOykVPS3f6+HVNhGklhzR1omnPOGl2AeDxK5UqoH1azrPtvoKsLQg7S11TP92gp/jZLmE2rKvUxvdHuxT9j2230bMzpU+S8D2YqHc9cqUywBhSV9ojKl+zQKvMlBE1SFUq3X6Gu/edscL7dJGZrUtpxpB7atwVRque9ZYcxdO48Ms/Uf5j/6oSZt1Pd7dr1+Y3WyLOXCoMixGcCGc+XJSWG7DFet9s5NSjFtI6MMFwitBE2oxWZtxJOE+lxDDZw2XFdKACZIoFy4rU8RXTBg+pdRhc0eFvZykBwY77YxmTe/xHaWUiP02Zfkw7X9nncvDBb2SW9CBthMi4Zl2t3gMJ8Pxk/5CPM/RexU4HsCuAG1LQgUD1rYziRoyxBs6sCPoAC4q1NV+x4xon9FoNQySfgbXtEfNVTknExF/aVnxU1yJL9dwjAmijEVkUlO6PKSgR93KOLmyS/aAphkLLInyvXeriD5hPlSRcEs7p6R0MeqeH0JJJ9C0KjwWYNCe5UWmTHHUXmeYuKQLo2BSXpwsw9ys7kbYihiRa+37EqK35s5cKtIYtTXpWiYsVyeYn7DmdkUbxrC1QmDpgjPaQM15FspS3H7JbxFUouKfVkUwo7Jv/tVsxjnOmm9np05GHUUTxIqvmd7/45rx8NsFESDFJtsY32qYGYfAvlUIXpLbCdpW/W/9Yuh98lvjeVeW3cPWAZXDn6nHnvSt8xhW/sHVcF0EUkadKJinVHqGQZ8a2wwHAo+AU=
+  template:
+    metadata:
+      name: oidc-credentials
+      namespace: grafana
+    type: Opaque

k8s/infra/monitoring/grafana/values.yaml

@@ -0,0 +1,7 @@
+# https://github.com/grafana/grafana-operator/blob/master/deploy/helm/grafana-operator/values.yaml
+
+serviceMonitor:
+  enabled: true
+
+dashboard:
+  enabled: true

k8s/infra/monitoring/hubble/dashboards/hubble-dns-namespace.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: hubble-dns-namespace
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Hubble
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: hubble-dns-namespace
+    key: hubble-dns-namespace.json

k8s/infra/monitoring/hubble/dashboards/hubble-l7-http-metrics.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: hubble-l7-http-metrics
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Hubble
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: hubble-l7-http-metrics-by-workload
+    key: hubble-l7-http-metrics-by-workload.json

k8s/infra/monitoring/hubble/dashboards/hubble-network-overview.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: hubble-network-overview
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Hubble
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: hubble-network-overview-namespace
+    key: hubble-network-overview-namespace.json

k8s/infra/monitoring/hubble/dashboards/hubble.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: hubble
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Hubble
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: hubble-dashboard
+    key: hubble-dashboard.json

k8s/infra/monitoring/hubble/kustomization.yaml

@@ -3,3 +3,7 @@ kind: Kustomization
 
 resources:
   - http-route.yaml
+  - dashboards/hubble.yaml
+  - dashboards/hubble-dns-namespace.yaml
+  - dashboards/hubble-l7-http-metrics.yaml
+  - dashboards/hubble-network-overview.yaml

k8s/infra/monitoring/kube-prometheus-stack/grafana-admin-credentials.yaml

@@ -1,14 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: grafana-admin-credentials
-  namespace: monitoring
-spec:
-  encryptedData:
-    password: AgANbqUu0Et5sui+wnqfDRUeoraff5YQPN3SVTJIe2FUEvAnDemFwr5LJXns8BWaU0ePwTOl4kefrcstoCFkOv0T0kDtOA10iaFsGXlGFg2mfB9jhfevcYaFL1v0lJNp6nKDRPE+7p8xYKQ2g98TPh1wouZL+CUD74Xu5prP8H0996t+rN4GQwaCiKB6A0RgWcl6dHB7kJG2Ai7it3iggw1njwzJi+j0BOdOG+hsZSndXxj4DXti4HUYT098n2HKa+zJsFlYMZdlRiB3MrcijJqJ0zCSZI+chxFqifHRI/fq1Tul4PIzl5PwkfjouGAiUarHUkaFgQwF0iYwT+T/aLKPt81JXCP6t5vfrV267gKXIV9e/5wt76psTg4/rziaXpk7qQSElPsXYKwh13CgjHZlFnRix3wML/fujCrKxFuDLpfDEcBLvupYMfTjPz/UeZsYHZhilzKG6pXKp0S7S6jy8R4mezQ6pbLnM3jiKCSB62TR86OCNotoU709Iyhvydm16N3bkXv/omXEwAfrnrTY6bLGrW2gGQUewp9b32ICfinO5+tmEXRc1fc3Gg+Q2UGTZ/TxJ6GpIjOprpZw713wupR4gwrXgUWIIWA+RlwAVSbRov2c8P6kz5Xv5RSbEI8NfjMkDMu4P62vUqR1qSIEbE2ZOSgGCVyiz+wiOTWJjqStuAluGBA5f71iGVTAMeWvRpwbxjyuse2XvjhbTCHdMJoBc4502gxm5DRxIY53IeP8Xlk=
-    username: AgCU0NGesHrF8lhshT1YgyxW4K4DioTHfDqyUzIWbAFRjMb4tj8xRASQfd2JnGTdUY933IFDu8OutILYErLN/TT1oyhFtMFxnIWXp+WP6YzO3WxxLYYkxP692SCZfc8l4eccdUPmmH1EYkpKyQU1TSZtFBWBJpYt/l8Pn5+VG960S3Fx1Ldp5l9kEF4UtUYpPcFUHTzORxW5vpI7wg2SK9I+PqTGLywZfv5Rz0oY9lhQnBGkr/Tg/Wpnn4/o3+kg2b5RaA+kzXymaeM8JOEvDwwJWhVXDqA8xYwLGQAOgatRDNeVs8q6Ck4iQ5ZATN3IeDHjeVw1098y7HK5ew5hbjr9Bbfm2y0I03Ft3pCzrPH1A5ZLpAVwF11aT/M5f7bowgCKPrCJMQ95JU7SEJ/1KHiNOpdtGwArSaAc7DKHTpdGGSo+JXg27FJJsxTPLp6zZWR6SuSdBxQOlSx59rAkydacnk0b0qY2HQ8+FzdIUojjepSW0V/iNAgSwF6wZY+dYowPOxohWc/MqmqK7n0YhnMmHKkN2Ii7QDRsQ2GbH/rl8b0l7Fd3D1vy38864N9t2RKNLWy0yStC+YgnJNcRrX0ULRjAnOJerYv5F7qoVK7yETTr+oLzyJZ6XLfec69FVyOrBYycs4+iIHQyo8xrNdnSzumh85w9WfUcxOTyMCSHasePUujy4Wa9HguLPfGH87ZNooZV7g==
-  template:
-    metadata:
-      name: grafana-admin-credentials
-      namespace: monitoring
-    type: Opaque

k8s/infra/monitoring/kube-prometheus-stack/grafana-oidc-credentials.yaml

@@ -1,14 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: grafana-oidc-credentials
-  namespace: monitoring
-spec:
-  encryptedData:
-    OIDC_CLIENT_ID: AgBwGjdwv90PrLAO4MmMbNUgrXwe+BHWkkIsYQFsjAk0+VhhVOTwMm7bChwJxv8MY73RUisO2mHOvpUm0l08t9MaRmFKdMmFJ7LT600VrTVag+3s3gRrW0mgwuOBR2KQrQ+G4c59jJMgOwJQEHLXG8+rsXUWJAjE2+l9oSuBwe54C7ozniwJXzuO+rgkI9Ha+dVXiuFuCkkKI3SgFgVb4G/mZduJrWoWAhIPG2lj0KmIUB5Bqqu47nuDMOQtQb3JKXJyXEsxHDuC35J+IKztXp28tb/JL7XaxlWF0TumAX74ZKOd3S+L8hcuXq3g0lC5962bNRyLMbheq+zYzle7sXdkLXikrD0TTXKfTOlF1uAGykJgkJ12HJvqwrUO/ErTOpb5nUwGVmBbq9d0gC0SLJkowe27smmtWtN/RJuaxg3xwBAN3r4DOADVWtzeR8Eb1oLDPPeV/xO6ZyAo2r1rEQ/a+q2H7nCeVIszAJaZVrLlWZH8UcZbMxxfjuOmZoACaDOHmqjAIysJhrQQySFIrL45DuQ+unw44M2Bzz/hl+YDQz843UAbqSJeLg/+u6o/jOgc3DVMeCIFNkvUVScdh3Ro/IRY840kTu8fI0xlhQdGFwIWQ7Htak5PhlzViaoqfMQyhq8znbqubmBaGEgyrrYp0y7v2b3DdZqzyCRAOBJj5HQaXPaSFSIsnQXI/tEfmmEIgNY9ylZQ
-    OIDC_CLIENT_SECRET: AgBaZdbost10rZ+IQ3ANklom15k8N+5xj2gVZW/cYPF0tgh71OUgLiDBPpMxgM7yB2UMdVeLryr53rs2dvL/aJ8d9wScZNYAOKgSQczEe8XsK1N0BhEAgcaOsoXJ7O5aIub/J3kH67i2l6O+75U1CB4ELFWBzZDbiObn7aVTeCj5W1/Q0xavRTxPwz93ZppubsyNothISYf0O4C/tYS6GuugZpUgvYHsIuWlB09maQy3MXXcVTdvq5uFLFs/QmmOFyOOKXatTywSFBVdxTW9DfZaKeUn6Q+YoglXHrei00Yw31k7rirwGfUsWj8luRbb18eLgkDcBH6VonXufvI5q2YY7M3nEnyc0G9s7D9O6wDVRJRD2yeHZJCAG843wSbNP87OYf9UtQBzXmC4/xtseHMN7bMIC1wf0sBvanjvJz47OduTCfTkPPFKGzDJyD3lWBA/XKzk3sBPc3V8De9frt4tDsfRbi8YQp0ftx3U5sPJHD9EOwDmyz7xOOBnn8So0Hsavwc+9WXPDWURcfxETmoHiLM0zaHosHkDQmMCe5rLuJWQiHePTNNbNd7jBFLZZOfBds9nvmSrskd+AMXq86MiT8kae7nT82ntLxeWUN+Fmo/nK0Aq2Hhwu3D7iNdTZCrzvJospDaVEBOZeCZGyu5nlrFG9HXYksdggPMG/Gsqswn9z3T5hnp4KESbZkfl09eHWNk/gicl8zQwR12wZ2slaDPNdqD8n8DFUfXX5Pfv1nlnr2R8Lt/DGytmyFSebowen5itK3p8eAudpXbdQf2Gfh1MvXSuVN0=
-  template:
-    metadata:
-      name: grafana-oidc-credentials
-      namespace: monitoring
-    type: Opaque

k8s/infra/monitoring/kube-prometheus-stack/kustomization.yaml

@@ -4,10 +4,7 @@ kind: Kustomization
 resources:
   - ns.yaml
   - alertmanager-http-route.yaml
-  - grafana-http-route.yaml
   - prometheus-http-route.yaml
-  - grafana-admin-credentials.yaml
-  - grafana-oidc-credentials.yaml
 
 helmCharts:
   - name: kube-prometheus-stack
@@ -17,8 +14,3 @@ helmCharts:
     version: 75.12.0
     releaseName: kube-prometheus-stack
     valuesFile: ./values.yaml
-
-patches:
-  - path: patches/grafana-admin-user-credentials.yaml
-  - path: patches/grafana-sc-dashboard-admin-user-credentials.yaml
-  - path: patches/grafana-sc-datasources-admin-user-credentials.yaml

k8s/infra/monitoring/kube-prometheus-stack/patches/grafana-admin-user-credentials.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kube-prometheus-stack-grafana
-  namespace: monitoring
-spec:
-  template:
-    spec:
-      containers:
-        - name: grafana
-          env:
-            - name: GF_SECURITY_ADMIN_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: grafana-admin-credentials
-                  $patch: replace
-            - name: GF_SECURITY_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: grafana-admin-credentials
-                  $patch: replace

k8s/infra/monitoring/kube-prometheus-stack/patches/grafana-sc-dashboard-admin-user-credentials.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kube-prometheus-stack-grafana
-  namespace: monitoring
-spec:
-  template:
-    spec:
-      containers:
-        - name: grafana-sc-dashboard
-          env:
-            - name: REQ_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: grafana-admin-credentials
-                  $patch: replace
-            - name: REQ_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: grafana-admin-credentials
-                  $patch: replace

k8s/infra/monitoring/kube-prometheus-stack/patches/grafana-sc-datasources-admin-user-credentials.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kube-prometheus-stack-grafana
-  namespace: monitoring
-spec:
-  template:
-    spec:
-      containers:
-        - name: grafana-sc-datasources
-          env:
-            - name: REQ_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: grafana-admin-credentials
-                  $patch: replace
-            - name: REQ_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: grafana-admin-credentials
-                  $patch: replace

k8s/infra/monitoring/kube-prometheus-stack/values.yaml

@@ -61,7 +61,6 @@ kubeProxy:
   # Cilium replaces Kube Proxy
   enabled: false
 
-
 kubeScheduler:
   enabled: true
   serviceMonitor:
@@ -80,59 +79,13 @@ nodeExporter:
   enabled: true
 
 grafana:
-  enabled: true
-  envFromSecrets: [ { name: grafana-oidc-credentials } ]
-  grafana.ini:
-    security:
-      disable_initial_admin_creation: false
-      admin_user: $__env{GF_SECURITY_ADMIN_USER}
-      admin_password: $__env{GF_SECURITY_ADMIN_PASSWORD}
-    paths:
-      data: "/var/lib/grafana/"
-      logs: "/var/log/grafana"
-      plugins: "/var/lib/grafana/plugins"
-      provisioning: "/etc/grafana/provisioning"
-    analytics:
-      check_for_updates: false
-    log:
-      mode: console
-    server:
-      root_url: https://grafana.stonegarden.dev
-    auth.basic:
-      enabled: true
-    auth.generic_oauth:
-      enabled: true
-      name: Authelia
-      client_id: $__env{OIDC_CLIENT_ID}
-      client_secret: $__env{OIDC_CLIENT_SECRET}
-      auth_style: InHeader
-      scopes: openid email profile offline_access grafana
-      empty_scopes: false
-      use_pkce: true
-      use_refresh_token: true
-      auth_url: https://authelia.stonegarden.dev/api/oidc/authorization
-      token_url: https://authelia.stonegarden.dev/api/oidc/token
-      api_url: https://authelia.stonegarden.dev/api/oidc/userinfo
-      signout_redirect_url: https://authelia.stonegarden.dev/logout
-      login_attribute_path: preferred_username
-      name_attribute_path: name
-      allow_assign_grafana_admin: true
-      role_attribute_path: contains(grafana[*], 'grafana_admin') && 'GrafanaAdmin' || contains(grafana[*], 'admin') && 'Admin' || contains(grafana[*], 'editor') && 'Editor' || 'Viewer'
-      auto_login: true
+  enabled: false
+  forceDeployDatasources: false
+  forceDeployDashboards: true
   defaultDashboardsEnabled: true
   defaultDashboardsTimezone: Europe/Oslo
-  # https://github.com/grafana/helm-charts/issues/527#issuecomment-982319638
-  sidecar:
-    dashboards:
-      enabled: true
-      searchNamespace: ALL
-      folder: /tmp/dashboards
-      folderAnnotation: grafana_folder
-      annotations:
-        grafana_folder: "Kubernetes"
-      provider:
-        allowUiUpdates: false
-        foldersFromFilesStructure: true
-
-    datasources:
-      enabled: true
+  operator:
+    dashboardsConfigMapRefEnabled: true
+    matchLabels:
+      app: grafana
+    folder: Kubernetes

k8s/infra/monitoring/project.yaml

@@ -10,6 +10,8 @@ spec:
   destinations:
     - namespace: 'argocd'
       server: '*'
+    - namespace: 'grafana'
+      server: '*'
     - namespace: 'kube-system'
       server: '*'
     - namespace: 'monitoring'

k8s/infra/network/cilium/dashboards/cilium-operator.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: operator
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Cilium
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: cilium-operator-dashboard
+    key: cilium-operator-dashboard.json

k8s/infra/network/cilium/dashboards/cilium.yaml

@@ -0,0 +1,15 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+  name: cilium
+  namespace: kube-system
+spec:
+  allowCrossNamespaceImport: true
+  folder: Cilium
+  resyncPeriod: 10m
+  instanceSelector:
+    matchLabels:
+      app: grafana
+  configMapRef:
+    name: cilium-dashboard
+    key: cilium-dashboard.json

k8s/infra/network/cilium/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
   - announce.yaml
   - ip-pool.yaml
+  - dashboards/cilium.yaml
+  - dashboards/cilium-operator.yaml
 
 helmCharts:
   - name: cilium

k8s/infra/network/cilium/values.yaml

@@ -38,8 +38,6 @@ operator:
       enabled: true
   dashboards:
     enabled: true
-    annotations:
-      grafana_folder: "Cilium"
   resources:
     limits:
       cpu: 500m
@@ -111,8 +109,6 @@ hubble:
       enabled: true
     dashboards:
       enabled: true
-      annotations:
-        grafana_folder: "Hubble"
   relay:
     enabled: true
     rollOutPods: true
@@ -156,5 +152,3 @@ prometheus:
 
 dashboards:
   enabled: true
-  annotations:
-    grafana_folder: "Cilium"