apiVersion: v1 kind: ServiceAccount metadata: annotations: serviceaccounts.openshift.io/oauth-redirectreference.grafana: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana"}}' name: grafana namespace: openshift-logging --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: logging-grafana-auth-delegator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: grafana namespace: openshift-logging --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: logging-grafana-logs-reader-application roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-logging-application-view subjects: - kind: ServiceAccount name: grafana namespace: openshift-logging --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: logging-grafana-logs-reader-infrastructure roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-logging-infrastructure-view subjects: - kind: ServiceAccount name: grafana namespace: openshift-logging --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: logging-grafana-logs-reader-audit roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-logging-audit-view subjects: - kind: ServiceAccount name: grafana namespace: openshift-logging --- apiVersion: v1 data: config.ini: | [analytics] check_for_updates = false reporting_enabled = false [auth] disable_login_form = true disable_signout_menu = true [auth.basic] enabled = false [auth.proxy] auto_sign_up = true enabled = true header_name = X-Forwarded-User [security] admin_user = system:does-not-exist cookie_secure = true [users] viewers_can_edit = true default_theme = light [log] mode = console kind: ConfigMap metadata: name: grafana-config namespace: openshift-logging --- apiVersion: v1 data: loki.yaml: | apiVersion: 1 datasources: - name: Loki (Application) isDefault: true type: loki access: proxy url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/ jsonData: tlsAuthWithCACert: true httpHeaderName1: Authorization secureJsonData: tlsCACert: ${GATEWAY_SERVICE_CA} httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN} - name: Loki (Infrastructure) type: loki access: proxy url: https://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/ jsonData: tlsAuthWithCACert: true httpHeaderName1: Authorization secureJsonData: tlsCACert: ${GATEWAY_SERVICE_CA} httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN} - name: Loki (Audit) type: loki access: proxy url: https://${GATEWAY_ADDRESS}/api/logs/v1/audit/ jsonData: tlsAuthWithCACert: true httpHeaderName1: Authorization secureJsonData: tlsCACert: ${GATEWAY_SERVICE_CA} httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN} kind: ConfigMap metadata: name: grafana-datasources namespace: openshift-logging --- apiVersion: v1 data: prepare-token.sh: | #!/usr/bin/env bash set -e -u -o pipefail bearer_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) sed "s/\${GATEWAY_BEARER_TOKEN}/$bearer_token/g" /input/loki.yaml > /output/loki.yaml kind: ConfigMap metadata: name: grafana-init-scripts namespace: openshift-logging --- apiVersion: v1 kind: Service metadata: annotations: service.alpha.openshift.io/serving-cert-secret-name: grafana-tls labels: app: grafana name: grafana namespace: openshift-logging spec: ports: - name: https port: 8443 protocol: TCP targetPort: https - name: http-grafana port: 3000 protocol: TCP targetPort: http-grafana selector: app: grafana sessionAffinity: None type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: grafana name: grafana namespace: openshift-logging spec: selector: matchLabels: app: grafana template: metadata: labels: app: grafana spec: containers: - args: - -config=/etc/grafana/config.ini env: - name: GATEWAY_SERVICE_CA valueFrom: configMapKeyRef: key: service-ca.crt name: openshift-service-ca.crt - name: GATEWAY_ADDRESS value: lokistack-dev-gateway-http.openshift-logging.svc:8080 - name: GF_PATHS_PROVISIONING value: /var/lib/provisioning - name: GF_SECURITY_ADMIN_USER value: kube:admin image: docker.io/grafana/grafana:8.5.27 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 tcpSocket: port: 3000 timeoutSeconds: 1 name: grafana ports: - containerPort: 3000 name: http-grafana protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /robots.txt port: 3000 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 2 resources: requests: cpu: 250m memory: 256Mi volumeMounts: - mountPath: /etc/grafana name: grafana-config - mountPath: /var/lib/provisioning/datasources name: patched-datasources - mountPath: /var/lib/grafana name: grafana - mountPath: /etc/grafana/provisioning/datasources name: grafana-datasources - args: - -provider=openshift - -https-address=:8443 - -http-address= - -upstream=http://localhost:3000 - -tls-cert=/etc/tls/private/tls.crt - -tls-key=/etc/tls/private/tls.key - -client-id=system:serviceaccount:openshift-logging:grafana - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token - -cookie-secret=ZXhhbXBsZS1jb29raWUtc2VjcmV0enp6 - -cookie-expire=24h - -skip-provider-button - -scope=user:info user:check-access user:list-projects - -pass-access-token env: - name: HTTP_PROXY - name: HTTPS_PROXY - name: NO_PROXY image: quay.io/openshift/origin-oauth-proxy:4.10 imagePullPolicy: IfNotPresent name: grafana-proxy ports: - containerPort: 8443 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /oauth/healthz port: https scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 1m memory: 20Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/tls/private name: secret-grafana-tls initContainers: - args: - /usr/bin/bash - -c - /scripts/prepare-token.sh image: docker.io/library/fedora:35 name: write-bearer-token volumeMounts: - mountPath: /scripts name: grafana-init-scripts - mountPath: /input name: grafana-datasources - mountPath: /output name: patched-datasources serviceAccountName: grafana volumes: - configMap: name: grafana-config name: grafana-config - name: secret-grafana-tls secret: defaultMode: 420 secretName: grafana-tls - configMap: defaultMode: 493 name: grafana-init-scripts name: grafana-init-scripts - emptyDir: {} name: patched-datasources - configMap: name: grafana-datasources name: grafana-datasources - emptyDir: {} name: grafana --- apiVersion: route.openshift.io/v1 kind: Route metadata: name: grafana namespace: openshift-logging spec: port: targetPort: https tls: insecureEdgeTerminationPolicy: Redirect termination: reencrypt to: kind: Service name: grafana weight: 100 wildcardPolicy: None