Grafana

Grafana is deployed into the monitoring namespace with the upstream Grafana Helm chart.

Paths

  • Base Helm values: /opt/genestack/base-helm-configs/grafana/
  • Service overrides: /etc/genestack/helm-configs/grafana/
  • Kustomize overlay: /etc/genestack/kustomize/grafana/overlay/

Secrets

The supported way to prepare Grafana secrets is:

/opt/genestack/bin/create-secrets.sh

That workflow generates the grafana-db secret in /etc/genestack/kubesecrets.yaml. The Grafana installer applies it to the monitoring namespace automatically if it is not already present. The values in kubesecrets.yaml are base64-encoded, not encrypted, so protect that file like any other secret material.

Manual secret creation is only needed if you are not using create-secrets.sh:

kubectl -n monitoring create secret generic grafana-db \
  --type Opaque \
  --from-literal=password="$(tr -dc _A-Za-z0-9 </dev/urandom | head -c32)" \
  --from-literal=root-password="$(tr -dc _A-Za-z0-9 </dev/urandom | head -c32)" \
  --from-literal=username=grafana

Custom Values

Set custom_host in /etc/genestack/helm-configs/grafana/grafana-helm-overrides.yaml if you want Grafana exposed by a gateway or ingress:

custom_host: grafana.api.example.tld

Azure AD Integration

If you are integrating with Azure AD, create a Secret in the monitoring namespace holding the app registration's client ID and client secret. Kubernetes resource fields are case-sensitive (apiVersion, kind: Secret, type: Opaque), and values under data must be base64-encoded; use stringData instead if you prefer to supply them in plain text:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: azure-client
  namespace: monitoring
data:
  client_id: base64_encoded_client_id
  client_secret: base64_encoded_client_secret
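The manual kubectl command in the Secrets section and the azure-client manifest above both end up as v1 Secrets whose data values must be correctly base64-encoded. The script below is an added example, not code from genestack or the upstream Grafana chart: it renders both manifests offline with plain POSIX sh and coreutils, using the same /dev/urandom password recipe the page uses for grafana-db, and includes a decoder so you can verify a manifest before applying it. The function names, the sample client ID and client secret, and the env-var usage in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of genestack). Renders the grafana-db and
# azure-client Secret manifests offline and verifies them by decoding.
set -eu

# b64 VALUE: base64 with no line wrapping (portable across GNU and BSD base64).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# random_token: 32 characters from the [_A-Za-z0-9] alphabet the page uses.
random_token() { LC_ALL=C tr -dc '_A-Za-z0-9' </dev/urandom | head -c 32; }

# render_secret NAMESPACE NAME key=value...: emit a v1 Opaque Secret.
# Casing matters to the API server: apiVersion, kind: Secret, type: Opaque.
render_secret() {
  ns=$1; name=$2; shift 2
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    key=${kv%%=*}          # text before the first '='
    val=${kv#*=}           # everything after it (may itself contain '=')
    printf '  %s: %s\n' "$key" "$(b64 "$val")"
  done
}

# render_grafana_db: the grafana-db secret from the Secrets section,
# with freshly generated password and root-password.
render_grafana_db() {
  render_secret monitoring grafana-db \
    "username=grafana" \
    "password=$(random_token)" \
    "root-password=$(random_token)"
}

# render_azure_client CLIENT_ID CLIENT_SECRET: the azure-client secret
# consumed by the $__file{...} references in grafana.ini.
render_azure_client() {
  render_secret monitoring azure-client "client_id=$1" "client_secret=$2"
}

# secret_field MANIFEST KEY: decode one data field back to plain text,
# to check the manifest before it is applied.
secret_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Usage (assumed env vars; kubectl is not needed to render, only to apply):
#   render_azure_client "$AZURE_CLIENT_ID" "$AZURE_CLIENT_SECRET" \
#     | kubectl -n monitoring apply -f -
#   render_grafana_db | kubectl -n monitoring apply -f -
```

The kubectl equivalent for a one-off is `kubectl -n monitoring create secret generic azure-client --from-literal=client_id=... --from-literal=client_secret=... --dry-run=client -o yaml`, which performs the encoding for you; the rendered manifest here is useful when you want to review or commit the file before it reaches the cluster.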

Then add your Azure overrides to the same Helm overrides file, /etc/genestack/helm-configs/grafana/grafana-helm-overrides.yaml. The tenant_id value below is a placeholder; replace it with your Azure tenant ID, or set it on the helm command line instead:

tenant_id: 122333 # Placeholder: replace with your Azure tenant ID, or set it on the helm command line.

extraSecretMounts:
  - name: azure-client-secret-mount
    secretName: azure-client
    defaultMode: 0440
    mountPath: /etc/secrets/azure-client
    readOnly: true
  - name: grafana-db-secret-mount
    secretName: grafana-db
    defaultMode: 0440
    mountPath: /etc/secrets/grafana-db
    readOnly: true

grafana.ini:
  auth.azuread:
    name: Azure AD
    enabled: true
    allow_sign_up: true
    auto_login: false
    client_id: $__file{/etc/secrets/azure-client/client_id}
    client_secret: $__file{/etc/secrets/azure-client/client_secret}
    scopes: openid email profile
    auth_url: "https://login.microsoftonline.com/{{ .Values.tenant_id }}/oauth2/v2.0/authorize"
    token_url: "https://login.microsoftonline.com/{{ .Values.tenant_id }}/oauth2/v2.0/token"
    allowed_organizations: "{{ .Values.tenant_id }}"
    role_attribute_strict: false
    allow_assign_grafana_admin: false
    skip_org_role_sync: false
    use_pkce: true

With allow_sign_up: true, any account in the tenant named in allowed_organizations can sign in and is created as a Grafana user with the default organization role; if that is broader than you want, restrict user assignment on the Azure AD app registration or narrow access with allowed_groups. Keeping the client secret behind $__file{...} means it is read from the mounted Secret at startup rather than being written into the rendered grafana.ini ConfigMap.

Install

/opt/genestack/bin/install-grafana.sh

Verify

kubectl -n monitoring get pods -l app.kubernetes.io/instance=grafana
kubectl -n monitoring port-forward svc/grafana 3000:80
kubectl -n monitoring get secret grafana -o jsonpath='{.data.admin-password}' | base64 -d

With the port-forward running, browse to http://localhost:3000 and log in as admin with the decoded password (or via the Azure AD button if you configured it). The chart-generated admin account remains usable alongside Azure AD unless you disable the login form.

Talos-only

Talos enforces the Pod Security Admission baseline profile by default, so the monitoring namespace may need the privileged Pod Security labels before the monitoring workloads will schedule. Skip this on Kubespray unless your cluster enforces the same restriction.