imfreedom/k8s-cluster

Parents 39317bc02501
Children 087ea8478cc6
Fix up the monitoring ingress (finally) and use traefik-forward-auth to make it work properly with traefik
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-monitoring.imfreedom.org.yaml Sun May 03 05:42:07 2020 -0500
@@ -0,0 +1,169 @@
+# this manifest sets up an ingress using hub to the kube-prometheus stack which
+# was applied directly from the manifests in github.com/coreos/kube-prometheus.
+#
+# It uses https://github.com/thomseddon/traefik-forward-auth to do OIDC based
+# logins against our JetBrains Hub instance.
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: common-headers
+ namespace: monitoring
+spec:
+ headers:
+ customResponseHeaders:
+ X-Frame-Options: SAMEORIGIN
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: strip-prefixes
+ namespace: monitoring
+spec:
+ stripPrefix:
+ forceSlash: false
+ prefixes:
+ - "/alertmanager"
+ - "/grafana"
+ - "/prometheus"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: hub-forward-auth
+ namespace: monitoring
+spec:
+ forwardAuth:
+ address: http://traefik-forward-auth.monitoring:4181
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Forwarded-User
+ - Authorization
+ - Set-Cookie
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: common
+ namespace: monitoring
+spec:
+ chain:
+ middlewares:
+ - name: hub-forward-auth
+ - name: strip-prefixes
+ - name: common-headers
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: monitoring
+ namespace: monitoring
+spec:
+ entryPoints:
+ - https
+ routes:
+ - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/alertmanager`)
+ kind: Rule
+ services:
+ - name: alertmanager-main
+ port: 9093
+ middlewares:
+ - name: common
+ - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/grafana`)
+ kind: Rule
+ services:
+ - name: grafana
+ port: 3000
+ middlewares:
+ - name: common
+ - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/prometheus`)
+ kind: Rule
+ services:
+ - name: prometheus-k8s
+ port: 9090
+ middlewares:
+ - name: common
+ - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/_oauth`)
+ kind: Rule
+ services:
+ - name: traefik-forward-auth
+ port: 4181
+ middlewares:
+ - name: common
+ tls:
+ secretName: monitoring-tls
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ namespace: imfreedom
+ name: monitoring-tls
+spec:
+ secretName: monitoring-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: monitoring.imfreedom.org
+ dnsNames:
+ - monitoring.imfreedom.org
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: monitoring
+ name: traefik-forward-auth
+ labels:
+ app: traefik-forward-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik-forward-auth
+ template:
+ metadata:
+ labels:
+ app: traefik-forward-auth
+ spec:
+ containers:
+ - args:
+ - --default-provider=oidc
+ env:
+ - name: PROVIDERS_OIDC_ISSUER_URL
+ value: https://hub.imfreedom.org/hub
+ - name: PROVIDERS_OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: monitoring
+ key: client_id
+ - name: PROVIDERS_OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: monitoring
+ key: client_secret
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ name: monitoring
+ key: cookie_secret
+ image: thomseddon/traefik-forward-auth:2
+ imagePullPolicy: Always
+ name: traefik-forward-auth
+ ports:
+ - containerPort: 4181
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: monitoring
+ name: traefik-forward-auth
+ labels:
+ app: traefik-forward-auth
+spec:
+ ports:
+ - name: http
+ port: 4181
+ protocol: TCP
+ targetPort: 4181
+ selector:
+ app: traefik-forward-auth
+---
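Review bot: The `monitoring-tls` Certificate is created in `namespace: imfreedom`, but the IngressRoute that references `secretName: monitoring-tls` is in `monitoring`, and Traefik looks up an IngressRoute's TLS secret in the route's own namespace. As written the issued secret will not be found there, and the host would most likely be served with Traefik's default certificate, so the Certificate should use `namespace: monitoring`. Separately, the traefik-forward-auth container is given only the OIDC issuer, client credentials and cookie secret; with no `WHITELIST`, `DOMAIN` or rule setting it admits any account that can sign in to Hub. As far as this manifest shows, nothing else gates the Prometheus and Alertmanager routes, so add an explicit allow-list (for example a `WHITELIST` env entry naming the operators) unless Hub sign-up is already restricted to them. The tag `thomseddon/traefik-forward-auth:2` with `imagePullPolicy: Always` is mutable, so pinning the image by digest would stop the auth gate from changing on a pod restart.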