monitoring: move grafana smtp to vault
This commit is contained in:
parent
37302664c2
commit
b8e50bb0a6
@ -1727,7 +1727,7 @@ def build_storage_dashboard():
|
||||
stat_panel(
|
||||
31,
|
||||
"Maintenance Cron Freshness (s)",
|
||||
'time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob=~"image-sweeper|grafana-smtp-sync"})',
|
||||
'time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob="image-sweeper"})',
|
||||
{"h": 4, "w": 12, "x": 12, "y": 44},
|
||||
unit="s",
|
||||
thresholds={
|
||||
|
||||
@ -494,7 +494,7 @@
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=~\"image-sweeper|grafana-smtp-sync\"})",
|
||||
"expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=\"image-sweeper\"})",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
|
||||
@ -244,7 +244,7 @@ data:
|
||||
to: 0
|
||||
datasourceUid: atlas-vm
|
||||
model:
|
||||
expr: time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob=~"image-sweeper|grafana-smtp-sync"})
|
||||
expr: time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob="image-sweeper"})
|
||||
intervalMs: 60000
|
||||
maxDataPoints: 43200
|
||||
legendFormat: '{{cronjob}}'
|
||||
|
||||
@ -503,7 +503,7 @@ data:
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=~\"image-sweeper|grafana-smtp-sync\"})",
|
||||
"expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=\"image-sweeper\"})",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
# services/monitoring/grafana-smtp-sync-cronjob.yaml
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
spec:
|
||||
schedule: "15 3 * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: grafana-smtp-sync
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: sync
|
||||
image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
set -euo pipefail
|
||||
if ! command -v jq >/dev/null 2>&1; then
|
||||
apt-get update >/dev/null && apt-get install -y jq >/dev/null
|
||||
fi
|
||||
exec /scripts/sync.sh
|
||||
env:
|
||||
- name: SOURCE_NS
|
||||
value: mailu-mailserver
|
||||
- name: SOURCE_SECRET
|
||||
value: mailu-postmark-relay
|
||||
- name: TARGET_NS
|
||||
value: monitoring
|
||||
- name: TARGET_SECRET
|
||||
value: grafana-smtp
|
||||
volumeMounts:
|
||||
- name: script
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: script
|
||||
configMap:
|
||||
name: grafana-smtp-sync-script
|
||||
defaultMode: 0555
|
||||
@ -1,49 +0,0 @@
|
||||
# services/monitoring/grafana-smtp-sync-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get"]
|
||||
resourceNames:
|
||||
- mailu-postmark-relay
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: grafana-smtp-sync
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: grafana-smtp-sync
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
@ -1,6 +0,0 @@
|
||||
# services/monitoring/grafana-smtp-sync-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: grafana-smtp-sync
|
||||
namespace: monitoring
|
||||
@ -20,9 +20,6 @@ resources:
|
||||
- postmark-exporter-deployment.yaml
|
||||
- vault-sync-deployment.yaml
|
||||
- grafana-alerting-config.yaml
|
||||
- grafana-smtp-sync-serviceaccount.yaml
|
||||
- grafana-smtp-sync-rbac.yaml
|
||||
- grafana-smtp-sync-cronjob.yaml
|
||||
- grafana-folders.yaml
|
||||
- helmrelease.yaml
|
||||
- grafana-org-bootstrap.yaml
|
||||
@ -34,12 +31,6 @@ configMapGenerator:
|
||||
- monitoring_postmark_exporter.py=scripts/postmark_exporter.py
|
||||
options:
|
||||
disableNameSuffixHash: true
|
||||
- name: grafana-smtp-sync-script
|
||||
namespace: monitoring
|
||||
files:
|
||||
- sync.sh=scripts/grafana_smtp_sync.sh
|
||||
options:
|
||||
disableNameSuffixHash: true
|
||||
- name: jetson-tegrastats-exporter-script
|
||||
namespace: monitoring
|
||||
files:
|
||||
|
||||
@ -1,31 +0,0 @@
|
||||
#!/bin/sh
|
||||
set -euo pipefail
|
||||
|
||||
SOURCE_NS=${SOURCE_NS:-mailu-mailserver}
|
||||
SOURCE_SECRET=${SOURCE_SECRET:-mailu-postmark-relay}
|
||||
TARGET_NS=${TARGET_NS:-monitoring}
|
||||
TARGET_SECRET=${TARGET_SECRET:-grafana-smtp}
|
||||
|
||||
tmp=$(mktemp)
|
||||
cleanup() { rm -f "$tmp"; }
|
||||
trap cleanup EXIT
|
||||
|
||||
kubectl -n "$SOURCE_NS" get secret "$SOURCE_SECRET" -o json > "$tmp"
|
||||
|
||||
pass=$(jq -r '.data["relay-password"]' "$tmp")
|
||||
user=$pass
|
||||
|
||||
if [ -z "$user" ] || [ -z "$pass" ] || [ "$user" = "null" ] || [ "$pass" = "null" ]; then
|
||||
echo "missing credentials from $SOURCE_NS/$SOURCE_SECRET" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cat <<SECRET | kubectl -n "$TARGET_NS" apply -f -
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: $TARGET_SECRET
|
||||
stringData:
|
||||
username: $(echo "$user" | base64 -d)
|
||||
password: $(echo "$pass" | base64 -d)
|
||||
SECRET
|
||||
@ -25,6 +25,12 @@ spec:
|
||||
- objectName: "postmark-exporter__sending-limit"
|
||||
secretPath: "kv/data/atlas/monitoring/postmark-exporter"
|
||||
secretKey: "sending-limit"
|
||||
- objectName: "postmark-relay__relay-username"
|
||||
secretPath: "kv/data/atlas/shared/postmark-relay"
|
||||
secretKey: "relay-username"
|
||||
- objectName: "postmark-relay__relay-password"
|
||||
secretPath: "kv/data/atlas/shared/postmark-relay"
|
||||
secretKey: "relay-password"
|
||||
secretObjects:
|
||||
- secretName: grafana-admin
|
||||
type: Opaque
|
||||
@ -42,3 +48,10 @@ spec:
|
||||
key: server-token-fallback
|
||||
- objectName: postmark-exporter__sending-limit
|
||||
key: sending-limit
|
||||
- secretName: grafana-smtp
|
||||
type: Opaque
|
||||
data:
|
||||
- objectName: postmark-relay__relay-username
|
||||
key: username
|
||||
- objectName: postmark-relay__relay-password
|
||||
key: password
|
||||
|
||||
@ -98,7 +98,7 @@ write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
|
||||
write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \
|
||||
"jenkins/*" ""
|
||||
write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
|
||||
"monitoring/*" ""
|
||||
"monitoring/* shared/postmark-relay" ""
|
||||
write_policy_and_role "logging" "logging" "logging-vault-sync" \
|
||||
"logging/*" ""
|
||||
write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user