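# Argo CD Application for kube-prometheus-stack plus the HTTPRoutes that expose
# Grafana / Prometheus / Alertmanager through the shared Gateway, and the Phase
# secret sync that provides the Kubernetes Secret the chart values reference.
# This file is rendered by Helm first ({{ ... }} below), then parsed as YAML.
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kube-prometheus-stack
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: kube-prometheus-stack
    # Quoted so an empty or special-character expansion cannot change the YAML type.
    server: "{{ $.Values.spec.destination.server }}"
  project: homelab
  source:
    path: .
    repoURL: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack
    targetRevision: 83.4.0
    helm:
      values: |
        kubeProxy:
          enabled: false
        grafana:
          # OAuth client secret is injected from the Phase-synced Secret, never from git.
          envValueFrom:
            GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
              secretKeyRef:
                name: kube-prometheus-secret
                key: GENERIC_OAUTH_CLIENT_SECRET
          grafana.ini:
            server:
              root_url: "https://grafana.k8s.hnrx.net"
            auth.generic_oauth:
              enabled: true
              name: "authentik"
              allow_sign_up: true
              auto_login: false  # set to true to skip the standard login form
              client_id: "4JtTfw2apna4ZnnXgPH6mnDfLCPoW6qy5fXiC03z"
              scopes: "openid profile email"
              auth_url: "https://auth.hnrx.net/application/o/authorize/"
              token_url: "https://auth.hnrx.net/application/o/token/"
              api_url: "https://auth.hnrx.net/application/o/userinfo/"
              # Group-to-role mapping; anyone without a mapped group falls back to Viewer.
              role_attribute_path: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
          # The local admin account is sourced from the same Phase-synced Secret the
          # OAuth client secret uses, instead of a plaintext adminPassword committed
          # to the repository. The two key names below are constructed for this file:
          # both must be added to the Phase app 'prometheus-stack' (environment
          # 'production', path '/') so that kube-prometheus-secret carries them.
          # NOTE(review): assumes the PhaseSecret sync copies every key of that
          # environment into the managed Secret — confirm against the Phase operator.
          admin:
            existingSecret: kube-prometheus-secret
            userKey: GRAFANA_ADMIN_USER
            passwordKey: GRAFANA_ADMIN_PASSWORD
          sidecar:
            datasources:
              enabled: true
          additionalDataSources:
            - name: Loki
              type: loki
              access: proxy
              # Grafana and Loki are in the same namespace, so the service name is enough.
              url: http://loki.kube-prometheus-stack.svc.cluster.local:3100
              version: 1
              editable: true
              jsonData:
                # Raises the line limit in Explore (useful for Traefik logs).
                maxLines: 1000
          dashboards:
            default:  # name of the dashboard provider
              traefik-dashboard:
                gnetId: 11462  # the ID from grafana.com
                revision: 1  # optional: dashboard version
                datasource: Prometheus
              traefik-2-dashboard:
                gnetId: 17346  # the ID from grafana.com
                revision: 1  # optional: dashboard version
                datasource: Prometheus
          persistence:
            enabled: true
            size: 10Gi
            storageClassName: nfs-csi
          ingress:
            enabled: false
        prometheus:
          prometheusSpec:
            additionalScrapeConfigs:
              - job_name: 'crowdsec'
                static_configs:
                  - targets: ['192.168.200.21:6060']
              - job_name: 'traefik-synology'
                metrics_path: /metrics
                static_configs:
                  - targets: ['192.168.200.20:8082']
                # Optional: add labels so the Traefik dashboards find the data more easily.
                relabel_configs:
                  - target_label: job
                    replacement: traefik
                  - target_label: instance
                    replacement: synology-nas
            storageSpec:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 20Gi
                  storageClassName: nfs-csi
        alertmanager:
          alertmanagerSpec:
            storageSpec:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 10Gi
                  storageClassName: nfs-csi
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: grafana-route
  namespace: kube-prometheus-stack
spec:
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "grafana.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: kube-prometheus-stack-grafana
          port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: prometheus-route
  namespace: kube-prometheus-stack
spec:
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "prometheus.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      # NOTE(review): the Prometheus server has no authentication of its own;
      # nothing in this file restricts who can reach this hostname. Confirm that
      # shared-gateway (or a policy not shown here) enforces access control.
      backendRefs:
        - name: prometheus-operated
          port: 9090
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: alertmanager-route
  namespace: kube-prometheus-stack
spec:
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "alertmanager.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      # NOTE(review): Alertmanager is likewise unauthenticated by default (its API
      # allows silencing alerts); same access-control caveat as prometheus-route.
      backendRefs:
        - name: alertmanager-operated
          port: 9093
---
apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
  name: kube-prometheus-secret
  namespace: kube-prometheus-stack
spec:
  phaseApp: 'prometheus-stack'  # The name of your Phase application
  phaseAppEnv: 'production'  # OPTIONAL - The Phase App Environment to fetch secrets from
  phaseAppEnvPath: '/'  # OPTIONAL Path within the Phase application environment to fetch secrets from
  phaseHost: 'https://phase.hnrx.net'  # OPTIONAL - URL of a Phase Console instance
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: 'phase-service-token'  # Name of the Phase Service Token with access to your application
        secretNamespace: 'default'
  managedSecretReferences:
    - secretName: 'kube-prometheus-secret'  # Name of the Kubernetes managed secret that Phase will sync
      secretNamespace: 'kube-prometheus-stack'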