infra/k8s/infrastructure/observability/kube-prometheus-stack.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kube-prometheus-stack
  namespace: observability
spec:
  interval: 10m
  chart:
    spec:
      chart: kube-prometheus-stack
      version: "65.*"
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
        namespace: flux-system
  values:
    nodeExporter:
      enabled: false
    prometheus:
      prometheusSpec:
        retention: 15d
        storageSpec:
          volumeClaimTemplate:
            spec:
              storageClassName: longhorn
              accessModes: ["ReadWriteOnce"]
              resources:
                requests:
                  storage: 20Gi
        additionalScrapeConfigs:
          - job_name: "vm-node-exporter"
            static_configs:
              - targets:
                  - "192.168.51.200:9100"
                  - "192.168.100.200:9100"
                  - "192.168.52.200:9100"
                  - "192.168.51.201:9100"
                  - "192.168.100.201:9100"
                  - "192.168.52.201:9100"
                  - "192.168.51.203:9100"
                  - "192.168.51.202:9100"
    grafana:
      admin:
        existingSecret: grafana-admin-secret
        userKey: admin-user
        passwordKey: admin-password
      envFromSecret: grafana-oidc-secret
      grafana.ini:
        server:
          root_url: https://grafana.n0ball.tw
        auth:
          disable_login_form: true
        auth.generic_oauth:
          enabled: true
          name: Keycloak
          allow_sign_up: true
          scopes: openid email profile
          auth_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/auth
          token_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/token
          api_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/userinfo
          role_attribute_path: "contains(realm_access.roles[*], 'admin') && 'Admin' || 'Viewer'"
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
        hosts: ["grafana.n0ball.tw"]
        tls:
          - secretName: grafana-tls
            hosts: ["grafana.n0ball.tw"]
    alertmanager:
      alertmanagerSpec:
        storage:
          volumeClaimTemplate:
            spec:
              storageClassName: longhorn
              accessModes: ["ReadWriteOnce"]
              resources:
                requests:
                  storage: 2Gi