Merge pull request #2360 from lsst-sqre/tickets/DM-40204

tickets/DM-40204: move "monitoring" into Phalanx

applications/monitoring/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: monitoring
+version: 0.0.1
+description: Chronograf-based UI for monitoring (data stored in InfluxDBv2)
+sources:
+  - https://github.com/lsst-sqre/rubin-influx-tools
+appVersion: 0.2.0
+dependencies:
+  - name: chronograf
+    version: 1.2.5
+    repository: https://helm.influxdata.com/

applications/monitoring/README.md

@@ -0,0 +1,44 @@
+# monitoring
+
+Chronograf-based UI for monitoring (data stored in InfluxDBv2)
+
+## Source Code
+
+* <https://github.com/lsst-sqre/rubin-influx-tools>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| chronograf.env.CUSTOM_AUTO_REFRESH | string | `"1s=1000"` |  |
+| chronograf.env.GH_CLIENT_ID | string | `""` |  |
+| chronograf.env.GH_ORGS | string | `"lsst-sqre"` |  |
+| chronograf.env.HOST_PAGE_DISABLED | bool | `true` |  |
+| chronograf.env.INFLUXDB_ORG | string | `"square"` |  |
+| chronograf.env.INFLUXDB_URL | string | `"https://monitoring.lsst.codes"` |  |
+| chronograf.envFromSecret | string | `"monitoring"` |  |
+| chronograf.image.pullPolicy | string | `"IfNotPresent"` |  |
+| chronograf.image.tag | string | `"1.9.4"` |  |
+| chronograf.ingress.enabled | bool | `false` |  |
+| chronograf.oauth.enabled | bool | `false` |  |
+| chronograf.resources.limits.cpu | int | `4` |  |
+| chronograf.resources.limits.memory | string | `"30Gi"` |  |
+| chronograf.resources.requests.cpu | int | `1` |  |
+| chronograf.resources.requests.memory | string | `"1024Mi"` |  |
+| chronograf.service.replicas | int | `1` |  |
+| chronograf.service.type | string | `"ClusterIP"` |  |
+| chronograf.updateStrategy.type | string | `"Recreate"` |  |
+| cronjob.debug | bool | `false` | set to true to enable debug logging |
+| cronjob.image | object | `{"repository":"ghcr.io/lsst-sqre/rubin-influx-tools","tag":""}` | image for monitoring-related cronjobs |
+| cronjob.image.repository | string | `"ghcr.io/lsst-sqre/rubin-influx-tools"` | repository for rubin-influx-tools |
+| cronjob.image.tag | string | the appVersion of the chart | tag for rubin-influx-tools |
+| cronjob.schedule | object | `{"bucketmaker":"*/15 * * * *","bucketmapper":"3-59/15 * * * *","taskmaker":"6-59/15 * * * *"}` | schedules for jobs |
+| cronjob.schedule.bucketmaker | string | `"*/15 * * * *"` | bucketmaker schedule |
+| cronjob.schedule.bucketmapper | string | `"3-59/15 * * * *"` | bucketmapper schedule |
+| cronjob.schedule.taskmaker | string | `"6-59/15 * * * *"` | taskmaker schedule |
+| global.influxdbOrg | string | `"square"` | InfluxDBv2 organization |
+| global.influxdbUrl | string | `"https://monitoring.lsst.codes"` | URL for InfluxDBv2 instance |
+| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
+| ingress.chronograf | object | `{"annotations":{},"hostname":""}` | ingress for Chronograf UI |
+| ingress.chronograf.annotations | object | `{}` | Additional annotations to add to the ingress |
+| ingress.chronograf.hostname | string | `""` | hostname for Chronograf UI @ default -- None, must be set by each individual instance |

applications/monitoring/templates/_helpers.tpl

@@ -0,0 +1,53 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "monitoring.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "monitoring.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "monitoring.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "monitoring.labels" -}}
+app.kubernetes.io/name: {{ include "monitoring.name" . }}
+helm.sh/chart: {{ include "monitoring.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "monitoring.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "monitoring.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

applications/monitoring/templates/cronjobs.yaml

@@ -0,0 +1,158 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bucketmaker
+spec:
+  schedule: {{ .Values.cronjob.schedule.bucketmaker | quote }}
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          {{- with .Values.cronjob.tolerations }}
+          tolerations:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          {{- with .Values.cronjob.affinity }}
+          affinity:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          containers:
+          - name: bucketmaker
+            image: "{{ .Values.cronjob.image.repository }}:{{ .Values.cronjob.image.tag | default .Chart.AppVersion }}"
+            securityContext:
+              allowPrivilegeEscalation: false
+              runAsNonRoot: true
+              runAsUser: 405
+              runAsGroup: 100
+              capabilities:
+                drop:
+                  - all
+              readOnlyRootFilesystem: true
+            env:
+              - name: "INFLUXDB_TOKEN"
+                valueFrom:
+                  secretKeyRef:
+                    name: "monitoring"
+                    key:  "influx-alert-token"
+              - name: "INFLUXDB_ORG"
+                value: {{ .Values.global.influxdbOrg | quote }}
+              - name: "INFLUXDB_URL"
+                value: {{ .Values.global.influxdbUrl | quote }}
+              {{- with .Values.cronjob.debug }}
+              - name: "DEBUG"
+                value: "true"
+              {{- end }}
+            command: [ "bucketmaker" ]
+            volumeMounts:
+            - mountPath: /tmp
+              name: tmpdir
+          volumes:
+          # We download the phalanx repo into here to determine what our
+          # active applications are.
+          - name: tmpdir
+            emptyDir: {}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bucketmapper
+spec:
+  schedule: {{ .Values.cronjob.schedule.bucketmapper | quote }}
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          {{- with .Values.cronjob.tolerations }}
+          tolerations:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          {{- with .Values.cronjob.affinity }}
+          affinity:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          containers:
+          - name: bucketmapper
+            image: "{{ .Values.cronjob.image.repository }}:{{ .Values.cronjob.image.tag | default .Chart.AppVersion }}"
+            securityContext:
+              allowPrivilegeEscalation: false
+              runAsNonRoot: true
+              runAsUser: 405
+              runAsGroup: 100
+              capabilities:
+                drop:
+                  - all
+              readOnlyRootFilesystem: true
+            env:
+              - name: "INFLUXDB_TOKEN"
+                valueFrom:
+                  secretKeyRef:
+                    name: "monitoring"
+                    # We should be able to do away with this level of
+                    # privilege as recent Influx versions automatically
+                    # create this mapping, but we would need to change
+                    # our naming conventions to adapt.
+                    key: "admin-token"
+              - name: "INFLUXDB_ORG"
+                value: {{ .Values.global.influxdbOrg | quote }}
+              - name: "INFLUXDB_URL"
+                value: {{ .Values.global.influxdbUrl | quote }}
+              {{- with .Values.cronjob.debug }}
+              - name: "DEBUG"
+                value: "true"
+              {{- end }}
+            command: [ "bucketmapper" ]
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: taskmaker
+spec:
+  successfulJobsHistoryLimit: 1
+  schedule: {{ .Values.cronjob.schedule.taskmaker | quote }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          {{- with .Values.cronjob.tolerations }}
+          tolerations:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          {{- with .Values.cronjob.affinity }}
+          affinity:
+{{ toYaml . | indent 12 }}
+          {{- end }}
+          containers:
+          - name: taskmaker
+            image: "{{ .Values.cronjob.image.repository }}:{{ .Values.cronjob.image.tag | default .Chart.AppVersion }}"
+            securityContext:
+              allowPrivilegeEscalation: false
+              runAsNonRoot: true
+              runAsUser: 405
+              runAsGroup: 100
+              capabilities:
+                drop:
+                  - all
+              readOnlyRootFilesystem: true
+            env:
+              - name: "INFLUXDB_TOKEN"
+                valueFrom:
+                  secretKeyRef:
+                    name: "monitoring"
+                    key: "influx-alert-token"
+              - name: "INFLUXDB_ORG"
+                value: {{ .Values.global.influxdbOrg | quote }}
+              - name: "INFLUXDB_URL"
+                value: {{ .Values.global.influxdbUrl | quote }}
+              {{- with .Values.cronjob.debug }}
+              - name: "DEBUG"
+                value: "true"
+              {{- end }}
+            command: [ "taskmaker" ]

applications/monitoring/templates/ingress.yaml

@@ -0,0 +1,34 @@
+apiVersion: gafaelfawr.lsst.io/v1alpha1
+kind: GafaelfawrIngress
+metadata:
+  name: "chronograf"
+  labels:
+    {{- include "monitoring.labels" . | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-dns"
+    {{- with .Values.ingress.chronograf.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+config:
+  baseUrl: "https://{{ .Values.ingress.chronograf.hostname }}"
+  scopes:
+    anonymous: true  # We will use Chronograf auth for now.
+template:
+  metadata:
+    name: "chronograf"
+    spec:
+      tls:
+        - hosts:
+          - {{ .Values.ingress.chronograf.hostname | quote }}
+          secretName: tls
+      rules:
+        - host: {{ .Values.ingress.chronograf.hostname | quote }}
+          http:
+            paths:
+              - path: "/"
+                pathType: "Prefix"
+                backend:
+                  service:
+                  name: monitoring-chronograf
+                  port:
+                    number: 80

applications/monitoring/templates/vault-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: {{ include "monitoring.fullname" . }}
+  labels:
+    {{- include "monitoring.labels" . | nindent 4 }}
+spec:
+  path: "{{ .Values.global.vaultSecretsPath }}/monitoring"
+  type: Opaque

applications/monitoring/values-roundtable-dev.yaml

@@ -0,0 +1,8 @@
+chronograf:
+  env:
+    GH_CLIENT_ID: "e85fe410b0021a251180"
+cronjob:
+  debug: true
+ingresses:
+  chronograf:
+    hostname: "monitoring-dev.lsst.cloud"