teddy/k3s
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

monitoring: expose Grafana at grafana.roysland.net (LE TLS + HTTPS redirect)

Browse source 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
teddy 2026-06-09 23:51:42 +02:00
parent 0a02da49a4
commit 7ad8fd479f
1 changed files with 30 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

47
monitoring/monitoring.yaml
View file

@ -3,9 +3,20 @@ kind: Namespace
metadata: metadata:
name: monitoring name: monitoring
--- ---
# Force HTTP->HTTPS at Traefik for the Grafana ingress (same pattern as headlamp/passbolt).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: https-redirect
namespace: monitoring
spec:
redirectScheme:
scheme: https
permanent: true
---
# kube-prometheus-stack: Prometheus + Grafana + node-exporter + kube-state-metrics. # kube-prometheus-stack: Prometheus + Grafana + node-exporter + kube-state-metrics.
# Deployed via k3s helm-controller. Grafana is internal-only (ClusterIP) for now; # Deployed via k3s helm-controller. Grafana is exposed at grafana.roysland.net
# an ingress stub is commented at the bottom for when you want grafana.roysland.net. # (Let's Encrypt TLS via cert-manager, resolved by the *.roysland.net wildcard).
apiVersion: helm.cattle.io/v1 apiVersion: helm.cattle.io/v1
kind: HelmChart kind: HelmChart
metadata: metadata:
@ -25,6 +36,23 @@ spec:
defaultDashboardsTimezone: Europe/Oslo defaultDashboardsTimezone: Europe/Oslo
service: service:
type: ClusterIP type: ClusterIP
# Reachable in the browser at grafana.roysland.net with a Let's Encrypt cert.
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
hosts:
- grafana.roysland.net
tls:
- hosts:
- grafana.roysland.net
secretName: grafana-tls
# Tell Grafana its external URL so redirects/assets work behind the proxy.
grafana.ini:
server:
root_url: https://grafana.roysland.net
# Grafana 13 first-boot migrations are slow on the local-path disk; be # Grafana 13 first-boot migrations are slow on the local-path disk; be
# tolerant so the liveness probe doesn't kill it mid-migration. # tolerant so the liveness probe doesn't kill it mid-migration.
livenessProbe: livenessProbe:
@ -114,18 +142,3 @@ spec:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: prometheus-pve-exporter.monitoring.svc.cluster.local:9221 replacement: prometheus-pve-exporter.monitoring.svc.cluster.local:9221
# ---
# To expose Grafana later at grafana.roysland.net, set grafana.ingress in the
# values above:
# grafana:
# ingress:
# enabled: true
# ingressClassName: traefik
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt
# traefik.ingress.kubernetes.io/router.middlewares: monitoring-https-redirect@kubernetescrd
# hosts: [grafana.roysland.net]
# tls:
# - hosts: [grafana.roysland.net]
# secretName: grafana-tls
# (and add a Middleware named https-redirect in the monitoring namespace)