rke2-single-node/09_homelab_apps/homelab-apps/templates/kube-prometheus-stack.yaml

# Argo CD Application that installs the kube-prometheus-stack chart (OCI,
# pinned to 80.14.4) into the kube-prometheus-stack namespace of the
# destination cluster, under the Argo CD project "homelab".
# The chart values are passed inline as a string in spec.source.helm.values.
# This file is itself a Helm template: the destination server is filled in
# from the parent chart's values.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kube-prometheus-stack
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: kube-prometheus-stack
    server: {{ $.Values.spec.destination.server }}
  project: homelab
  source:
    path: .
    repoURL: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack
    targetRevision: 80.14.4
    helm:
      values: |
        kubeProxy:
          enabled: false
        grafana:
          # The OAuth client secret is injected as an environment variable
          # from the Kubernetes Secret kube-prometheus-secret (synced by the
          # PhaseSecret in this file), so it never appears in these values.
          envValueFrom:
            GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
              secretKeyRef:
                name: kube-prometheus-secret
                key: GENERIC_OAUTH_CLIENT_SECRET
          grafana.ini:
            server:
              root_url: https://grafana.k8s.hnrx.net
            # Single sign-on against the authentik instance at auth.hnrx.net.
            auth.generic_oauth:
              enabled: true
              name: "authentik"
              # NOTE(review): with sign-up allowed and the role mapping below
              # falling back to 'Viewer', every account that can complete the
              # authentik login for this client gets a Grafana Viewer account.
              # Presumably access is limited by the authentik application
              # binding - confirm, or drop the fallback and set
              # role_attribute_strict so unmapped users are rejected.
              allow_sign_up: true
              auto_login: false  # Set to true to skip the default login form
              # client_id is a public identifier; the matching secret comes
              # from envValueFrom above.
              client_id: "4JtTfw2apna4ZnnXgPH6mnDfLCPoW6qy5fXiC03z"
              scopes: "openid profile email"
              auth_url: "https://auth.hnrx.net/application/o/authorize/"
              token_url: "https://auth.hnrx.net/application/o/token/"
              api_url: "https://auth.hnrx.net/application/o/userinfo/"
              # Maps the "groups" claim to a Grafana role: Admin, Editor, else Viewer.
              role_attribute_path: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
          # NOTE(review): literal password for the local Grafana admin account,
          # committed to the repository and stored in the Application object.
          # The value is German for "YourSecurePassword", i.e. a template
          # placeholder. Anyone who can read this repo or Application objects
          # in the argocd namespace knows it, and the login form stays
          # available because auto_login is false. Move it to a Secret (the
          # Grafana chart supports admin.existingSecret with admin.userKey /
          # admin.passwordKey, e.g. backed by the Phase-synced secret) and
          # rotate the current password.
          adminPassword: "DeinSicheresPasswort"
          dashboards:
            default:  # Name of the dashboard provider
              traefik-dashboard:
                gnetId: 11462  # Dashboard ID on grafana.com
                revision: 1  # Optional: dashboard revision
                datasource: Prometheus
              traefik-2-dashboard:
                gnetId: 17346  # Dashboard ID on grafana.com
                revision: 1  # Optional: dashboard revision
                datasource: Prometheus
          persistence:
            enabled: true
            size: 10Gi
            storageClassName: nfs-csi
          # The chart's own Ingress is off; Grafana is published through the
          # grafana-route HTTPRoute defined later in this file.
          ingress:
            enabled: false
        prometheus:
          prometheusSpec:
            # Extra scrape jobs for services outside the cluster, addressed
            # by static IP. No scheme or tls_config is set on either job.
            additionalScrapeConfigs:
              - job_name: 'crowdsec'
                static_configs:
                  - targets: ['192.168.200.20:6060']
              - job_name: "traefik-synology"
                metrics_path: /metrics
                static_configs:
                  - targets: ["192.168.200.20:8082"]
                # Optional: add labels so the Traefik dashboards
                # find the data more easily
                relabel_configs:
                  - target_label: job
                    replacement: traefik
                  - target_label: instance
                    replacement: synology-nas
            storageSpec:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 20Gi
                  storageClassName: nfs-csi
        alertmanager:
          alertmanagerSpec:
            storageSpec:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 10Gi
                  storageClassName: nfs-csi
  # Automated sync with self-heal: manual changes in the cluster are reverted
  # to what this Application describes. prune is not set here.
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
---
# Gateway API route that publishes Grafana at grafana.k8s.hnrx.net.
# All paths are forwarded to the kube-prometheus-stack-grafana Service on
# port 80. Login is handled by Grafana itself (authentik OAuth or the local
# admin account configured in the Application's Helm values).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: grafana-route
  namespace: kube-prometheus-stack
spec:
  # The Gateway lives in another namespace (default); its listener has to
  # allow routes from kube-prometheus-stack for this attachment to work.
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "grafana.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: kube-prometheus-stack-grafana
          port: 80
---
# Gateway API route that publishes the Prometheus UI and API at
# prometheus.k8s.hnrx.net, forwarding every path to prometheus-operated:9090.
# NOTE(review): this route carries no filter or policy that authenticates
# callers, and no Prometheus web authentication is configured in the
# Application's values. Unless shared-gateway (or something in front of it)
# enforces authentication, everyone who can reach the hostname can query all
# collected metrics and read the scrape configuration. Confirm how the gateway
# is protected, or limit the hostname to trusted networks.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: prometheus-route
  namespace: kube-prometheus-stack
spec:
  # Attaches to the Gateway in the default namespace (cross-namespace ref).
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "prometheus.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: prometheus-operated
          port: 9090
---
# Gateway API route that publishes Alertmanager at alertmanager.k8s.hnrx.net,
# forwarding every path to alertmanager-operated:9093.
# NOTE(review): no authentication filter or policy is attached to this route.
# If shared-gateway does not enforce authentication, anyone who can reach the
# hostname can view alerts and create or expire silences, which can hide real
# incidents. Confirm how the gateway is protected, or limit the hostname to
# trusted networks.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: alertmanager-route
  namespace: kube-prometheus-stack
spec:
  # Attaches to the Gateway in the default namespace (cross-namespace ref).
  parentRefs:
    - name: shared-gateway
      namespace: default
  hostnames:
    - "alertmanager.k8s.hnrx.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: alertmanager-operated
          port: 9093
---
# PhaseSecret that syncs secrets from the Phase application "prometheus-stack"
# (environment "production", path "/") on phase.hnrx.net into the Kubernetes
# Secret kube-prometheus-secret in the kube-prometheus-stack namespace.
# Grafana reads the key GENERIC_OAUTH_CLIENT_SECRET from that Secret, so the
# key has to exist in the Phase application.
apiVersion: secrets.phase.dev/v1alpha1
kind: PhaseSecret
metadata:
  name: kube-prometheus-secret
  namespace: kube-prometheus-stack
spec:
  phaseApp: 'prometheus-stack'  # The name of your Phase application
  phaseAppEnv: 'production'  # OPTIONAL - The Phase App Environment to fetch secrets from
  phaseAppEnvPath: '/'  # OPTIONAL Path within the Phase application environment to fetch secrets from
  phaseHost: 'https://phase.hnrx.net'  # OPTIONAL - URL of a Phase Console instance
  authentication:
    serviceToken:
      serviceTokenSecretReference:
        secretName: 'phase-service-token'  # Name of the Phase Service Token with access to your application
        # NOTE(review): the service token is read from the default namespace,
        # so any principal allowed to read Secrets there can obtain it.
        # Presumably shared across several apps - confirm that RBAC on
        # default is tight and that the token is scoped to the apps it needs.
        secretNamespace: 'default'
  managedSecretReferences:
    - secretName: 'kube-prometheus-secret'  # Name of the Kubernetes managed secret that Phase will sync
      secretNamespace: 'kube-prometheus-stack'