Create a working custom-grafana-dashboard for ArgoCD metrics

This will allow cluster-admins, nerc-org-admins, and nerc-ops teams to
develop new dashboards using the existing multi-cluster observability
metrics.

rh-pre-commit.version: 2.0.3
rh-pre-commit.check-secrets: ENABLED

cluster-scope/base/core/namespaces/grafana/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - namespace.yaml

cluster-scope/base/core/namespaces/grafana/namespace.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grafana
+spec: {}

cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml

@@ -16,6 +16,7 @@ resources:
 - ../../bundles/multicluster-engine-operator
 - ../../base/core/namespaces/dex
 - ../../base/core/namespaces/nerc-ocp-prod
+- ../../base/core/namespaces/grafana
 - ../../base/operators.coreos.com/subscriptions/openshift-pipelines-operator
 - ../../base/operators.coreos.com/subscriptions/loki-operator
 - configmaps/admin-acks.yaml

grafana/base/configmaps/grafana-config-overrides.yaml

@@ -0,0 +1,6 @@
+kind: ConfigMap
+metadata:
+  name: grafana-config-overrides
+  namespace: grafana
+apiVersion: v1
+data:

grafana/base/configmaps/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - grafana-config-overrides.yaml

grafana/base/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - operatorgroups
+  - subscriptions
+  - configmaps
+  - routes
+  - serviceaccounts
+commonLabels:
+  app.kubernetes.io/name: grafana
+  app.kubernetes.io/component: grafana
+  app.kubernetes.io/part-of: observability

grafana/base/operatorgroups/grafana.yaml

@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  targetNamespaces:
+    - grafana

grafana/base/operatorgroups/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana.yaml

grafana/base/routes/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- route.yaml

grafana/base/routes/route.yaml

@@ -0,0 +1,17 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  host: grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu
+  to:
+    kind: Service
+    name: grafana-service
+    weight: 100
+  port:
+    targetPort: grafana
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+  wildcardPolicy: None

grafana/base/serviceaccounts/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - serviceaccount.yaml

grafana/base/serviceaccounts/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: patch-operator
+  namespace: grafana

grafana/base/subscriptions/grafana-operator.yaml

@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: grafana-operator
+  namespace: grafana
+spec:
+  channel: v4
+  installPlanApproval: Automatic
+  name: grafana-operator
+  source: community-operators
+  sourceNamespace: openshift-marketplace

grafana/base/subscriptions/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana-operator.yaml

grafana/overlays/nerc-ocp-infra/externalsecrets/grafana-serviceaccount-token.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-serviceaccount-token
+  namespace: grafana
+spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
+  target:
+    name: grafana-serviceaccount-token
+  data:
+  - secretKey: token
+    remoteRef:
+      key: nerc/nerc-ocp-infra/grafana
+      property: token

grafana/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- oauth-client-secret.yaml
+- grafana-serviceaccount-token.yaml

grafana/overlays/nerc-ocp-infra/externalsecrets/oauth-client-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: oauth-client-secret
+  namespace: grafana
+spec:
+  secretStoreRef:
+    name: nerc-cluster-secrets
+    kind: ClusterSecretStore
+  target:
+    name: oauth-client-secret
+  data:
+  - secretKey: GRAFANA_SECRET
+    remoteRef:
+      key: nerc/nerc-ocp-infra/dex/dex-clients
+      property: GRAFANA_SECRET

grafana/overlays/nerc-ocp-infra/grafanadatasources/grafanadatasource.yaml

@@ -0,0 +1,23 @@
+apiVersion: integreatly.org/v1alpha1
+kind: GrafanaDataSource
+metadata:
+  name: observability-metrics
+  namespace: grafana
+spec:
+  name: observability-metrics
+  datasources:
+    - name: observability-metrics
+      access: proxy
+      editable: false
+      isDefault: true
+      jsonData:
+        httpHeaderName1: Authorization
+        timeInterval: 5s
+        tlsAuthWithCACert: true
+      secureJsonData:
+        httpHeaderValue1: |-
+          Bearer REPLACE_IN_OVERLAY
+        tlsCACert: >-
+          REPLACE_IN_OVERLAY
+      type: prometheus
+      url: 'https://thanos-querier.openshift-monitoring.svc.cluster.local:9091/'

grafana/overlays/nerc-ocp-infra/grafanadatasources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafanadatasource.yaml

grafana/overlays/nerc-ocp-infra/grafanas/grafana.yaml

@@ -0,0 +1,26 @@
+apiVersion: integreatly.org/v1alpha1
+kind: Grafana
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  deployment:
+    envFrom:
+      - configMapRef:
+          name: grafana-config-overrides
+  config:
+    server:
+      root_url: REPLACE_IN_OVERLAY
+    auth.generic_oauth:
+      enabled: true
+      scopes: openid email groups profile
+      email_attribute_path: name
+      api_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/userinfo
+      auth_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/auth
+      token_url: https://dex-dex.apps.nerc-ocp-infra.rc.fas.harvard.edu/token
+      role_attribute_path: >-
+        contains(groups[*], 'cluster-admins') && 'Admin' ||
+        contains(groups[*], 'nerc-org-admins')  && 'Admin' ||
+        contains(groups[*], 'nerc-ops')   && 'Editor' ||
+        'Deny'
+      role_attribute_strict: true

grafana/overlays/nerc-ocp-infra/grafanas/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - grafana.yaml

grafana/overlays/nerc-ocp-infra/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base/
+  - externalsecrets/
+  - grafanas/grafana.yaml
+  - grafanadatasources/grafanadatasource.yaml
+  - patches/grafana-oauth.yaml
+  - patches/grafanadatasource-observability-metrics.yaml
+
+patches:
+  - path: grafanas/grafana.yaml
+  - path: grafanadatasources/grafanadatasource.yaml

grafana/overlays/nerc-ocp-infra/patches/grafana-oauth.yaml

@@ -0,0 +1,29 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  name: grafana-oauth
+  namespace: grafana
+spec:
+  serviceAccountRef:
+    name: patcher
+  patches:
+    logging-grafana-patch:
+      targetObjectRef:
+        apiVersion: integreatly.org/v1alpha1
+        kind: Grafana
+        name: grafana
+        namespace: grafana
+      patchTemplate: |
+        spec:
+          config:
+            server:
+              root_url: https://grafana.apps.nerc-ocp-infra.rc.fas.harvard.edu
+            auth.generic_oauth:
+              client_id: grafana
+              client_secret: {{ (index . 1).data.GRAFANA_SECRET | b64dec }}
+      patchType: application/merge-patch+json
+      sourceObjectRefs:
+      - apiVersion: v1
+        kind: Secret
+        name: oauth-client-secret
+        namespace: grafana

grafana/overlays/nerc-ocp-infra/patches/grafanadatasource-observability-metrics.yaml

@@ -0,0 +1,31 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: Patch
+metadata:
+  name: grafanadatasource-observability-metrics
+  namespace: grafana
+spec:
+  serviceAccountRef:
+    name: patcher
+  patches:
+    logging-grafana-patch:
+      targetObjectRef:
+        apiVersion: integreatly.org/v1alpha1
+        kind: GrafanaDataSource
+        name: observability-metrics
+        namespace: grafana
+      patchTemplate: |
+        spec:
+          datasources:
+            secureJsonData:
+              httpHeaderValue1: Bearer {{ (index . 1).data.token | b64dec }}
+              tlsCACert: {{ (index . 2).data "service-ca.crt" | b64dec }}
+      patchType: application/merge-patch+json
+      sourceObjectRefs:
+      - apiVersion: v1
+        kind: Secret
+        name: grafana-serviceaccount-token
+        namespace: grafana
+      - apiVersion: v1
+        kind: ConfigMap
+        name: openshift-service-ca.crt
+        namespace: grafana