From 7ad8fd479f43412aac7842e79df494adfd3b1e19 Mon Sep 17 00:00:00 2001
From: teddy
Date: Tue, 9 Jun 2026 23:51:42 +0200
Subject: [PATCH] monitoring: expose Grafana at grafana.roysland.net (LE TLS + HTTPS redirect)
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 monitoring/monitoring.yaml | 47 ++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/monitoring/monitoring.yaml b/monitoring/monitoring.yaml
index 79c3ea6..4568b2d 100644
--- a/monitoring/monitoring.yaml
+++ b/monitoring/monitoring.yaml
@@ -3,9 +3,20 @@ kind: Namespace
 metadata:
 name: monitoring
 ---
+# Force HTTP->HTTPS at Traefik for the Grafana ingress (same pattern as headlamp/passbolt).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: https-redirect
+ namespace: monitoring
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
 # kube-prometheus-stack: Prometheus + Grafana + node-exporter + kube-state-metrics.
-# Deployed via k3s helm-controller. Grafana is internal-only (ClusterIP) for now;
-# an ingress stub is commented at the bottom for when you want grafana.roysland.net.
+# Deployed via k3s helm-controller. Grafana is exposed at grafana.roysland.net
+# (Let's Encrypt TLS via cert-manager, resolved by the *.roysland.net wildcard).
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
 metadata:
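Review bot: The `https-redirect` Middleware only rewrites the scheme, so a browser's first plain-HTTP request to the Grafana host still travels in cleartext before the 301 arrives, and nothing in this hunk sends a Strict-Transport-Security header. A second Middleware using Traefik's `headers` options (sketched below with a constructed name, `hsts`) would close that gap; it would also have to be appended to the `router.middlewares` annotation in the Grafana values further down the file. Separately, depending on how the entrypoints are set up, Traefik may create only a TLS router for an Ingress that carries a `tls` section, in which case this redirect never sees port-80 traffic, so it is worth confirming with a plain-HTTP request that the redirect actually fires.

```yaml
# … unchanged: https-redirect Middleware …
---
# Constructed example: send HSTS on HTTPS responses for the Grafana host.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts
  namespace: monitoring
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: false
```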
@@ -25,6 +36,23 @@ spec:
 defaultDashboardsTimezone: Europe/Oslo
 service:
 type: ClusterIP
+ # Reachable in the browser at grafana.roysland.net with a Let's Encrypt cert.
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
+ hosts:
+ - grafana.roysland.net
+ tls:
+ - hosts:
+ - grafana.roysland.net
+ secretName: grafana-tls
+ # Tell Grafana its external URL so redirects/assets work behind the proxy.
+ grafana.ini:
+ server:
+ root_url: https://grafana.roysland.net
 # Grafana 13 first-boot migrations are slow on the local-path disk; be
 # tolerant so the liveness probe doesn't kill it mid-migration.
 livenessProbe:
@@ -114,18 +142,3 @@ spec:
 target_label: instance
 - target_label: __address__
 replacement: prometheus-pve-exporter.monitoring.svc.cluster.local:9221
-# ---
-# To expose Grafana later at grafana.roysland.net, set grafana.ingress in the
-# values above:
-# grafana:
-# ingress:
-# enabled: true
-# ingressClassName: traefik
-# annotations:
-# cert-manager.io/cluster-issuer: letsencrypt
-# traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
-# hosts: [grafana.roysland.net]
-# tls:
-# - hosts: [grafana.roysland.net]
-# secretName: grafana-tls
-# (and add a Middleware named https-redirect in the monitoring namespace)
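Review bot: The added `ingress` block in the first hunk on this line publishes the Grafana login page at `grafana.roysland.net`, yet nothing in the hunk sets admin credentials or limits who can reach it. The `grafana` values begin and continue outside the hunk, so `adminPassword` or `admin.existingSecret` may already be set there; if neither is, the chart's default admin login may apply and should be replaced before this is reachable. Since the instance is now meant to be served over HTTPS only, the new `grafana.ini` section is also the place to mark session cookies secure, with a `security:` key holding `cookie_secure: true` next to `server:`. If the dashboards are only needed from known networks, chaining an IP allow-list Middleware after `monitoring-https-redirect@kubernetescrd` would narrow the exposure further.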