monitoring: expose Grafana at grafana.roysland.net (LE TLS + HTTPS redirect)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 23:51:42 +02:00 · 2026-06-09 23:51:42 +02:00 · 7ad8fd479f
commit 7ad8fd479f
parent 0a02da49a4
1 changed files with 30 additions and 17 deletions
--- a/monitoring/monitoring.yaml
+++ b/monitoring/monitoring.yaml
@ -3,9 +3,20 @@ kind: Namespace
 metadata:
  name: monitoring
 ---
+# Force HTTP->HTTPS at Traefik for the Grafana ingress (same pattern as headlamp/passbolt).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: https-redirect
+  namespace: monitoring
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
 # kube-prometheus-stack: Prometheus + Grafana + node-exporter + kube-state-metrics.
-# Deployed via k3s helm-controller. Grafana is internal-only (ClusterIP) for now;
-# an ingress stub is commented at the bottom for when you want grafana.roysland.net.
+# Deployed via k3s helm-controller. Grafana is exposed at grafana.roysland.net
+# (Let's Encrypt TLS via cert-manager, resolved by the *.roysland.net wildcard).
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
 metadata:
@ -25,6 +36,23 @@ spec:
      defaultDashboardsTimezone: Europe/Oslo
      service:
        type: ClusterIP
+      # Reachable in the browser at grafana.roysland.net with a Let's Encrypt cert.
+      ingress:
+        enabled: true
+        ingressClassName: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt
+          traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
+        hosts:
+          - grafana.roysland.net
+        tls:
+          - hosts:
+              - grafana.roysland.net
+            secretName: grafana-tls
+      # Tell Grafana its external URL so redirects/assets work behind the proxy.
+      grafana.ini:
+        server:
+          root_url: https://grafana.roysland.net
      # Grafana 13 first-boot migrations are slow on the local-path disk; be
      # tolerant so the liveness probe doesn't kill it mid-migration.
      livenessProbe:
@ -114,18 +142,3 @@ spec:
                target_label: instance
              - target_label: __address__
                replacement: prometheus-pve-exporter.monitoring.svc.cluster.local:9221
-# ---
-# To expose Grafana later at grafana.roysland.net, set grafana.ingress in the
-# values above:
-#   grafana:
-#     ingress:
-#       enabled: true
-#       ingressClassName: traefik
-#       annotations:
-#         cert-manager.io/cluster-issuer: letsencrypt
-#         traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
-#       hosts: [grafana.roysland.net]
-#       tls:
-#         - hosts: [grafana.roysland.net]
-#           secretName: grafana-tls
-#   (and add a Middleware named https-redirect in the monitoring namespace)