From 3802418582cee9c37b08e6ad04d3705d3772913c Mon Sep 17 00:00:00 2001
From: timotheereausanofi
Date: Fri, 20 Mar 2026 11:13:55 +0100
Subject: [PATCH] fix(argocd): multisource patch doc, Ingress grafana-onelab

- Root cause: live Application kept spec.source; Argo ignored observability chart
- Add jsonpatch-multisource.json + argocd/README.md migration steps
- Grafana: disable subchart ingress; add templates/ingress-grafana-onelab.yaml

Made-with: Cursor
---
 gitops/argocd/README.md | 27 ++++++++++++++
 gitops/argocd/application.yaml | 3 ++
 gitops/argocd/jsonpatch-multisource.json | 23 ++++++++++++
 gitops/docs/BOOTSTRAP.md | 2 ++
 gitops/docs/OBSERVABILITY.md | 4 +--
 .../templates/ingress-grafana-onelab.yaml | 36 +++++++++++++++++++
 gitops/observability/values.yaml | 25 +++++++------
 7 files changed, 105 insertions(+), 15 deletions(-)
 create mode 100644 gitops/argocd/README.md
 create mode 100644 gitops/argocd/jsonpatch-multisource.json
 create mode 100644 gitops/observability/templates/ingress-grafana-onelab.yaml
diff --git a/gitops/argocd/README.md b/gitops/argocd/README.md
new file mode 100644
index 0000000..7de2c60
--- /dev/null
+++ b/gitops/argocd/README.md
@@ -0,0 +1,27 @@
+# Argo CD Application
+
+Apply the Application:
+
+```bash
+kubectl apply -f gitops/argocd/application.yaml
+```
+
+## Migrating from `spec.source` to `spec.sources`
+
+If the `onelab` Application was created **before** the observability stack, the live object may still have **`spec.source`** only. A plain `kubectl apply` of the new manifest often **does not remove** `spec.source`, so Argo never reconciles the second chart (Loki/Promtail/Grafana).
+
+**Check:**
+
+```bash
+kubectl get application onelab -n argocd -o jsonpath='{.spec.source}{"\n"}{.spec.sources}{"\n"}'
+```
+
+If `source` is set and `sources` is empty, patch once:
+
+```bash
+kubectl patch application onelab -n argocd --type json --patch-file gitops/argocd/jsonpatch-multisource.json
+```
+
+Then sync the app in Argo (or wait for auto-sync).
+
+Adjust `repoURL` in `jsonpatch-multisource.json` if your remote differs.
diff --git a/gitops/argocd/application.yaml b/gitops/argocd/application.yaml
index 198861f..778669d 100644
--- a/gitops/argocd/application.yaml
+++ b/gitops/argocd/application.yaml
@@ -1,5 +1,8 @@
 # Syncs OneLab app + observability (Loki/Promtail/Grafana) into namespace onelab.
 # Requires Argo CD 2.6+ (spec.sources). Ensure repoURL matches your remote.
+#
+# If you already had this Application with spec.source only, kubectl apply may not drop
+# source — see README.md in this folder and jsonpatch-multisource.json.
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
diff --git a/gitops/argocd/jsonpatch-multisource.json b/gitops/argocd/jsonpatch-multisource.json
new file mode 100644
index 0000000..3f8bb41
--- /dev/null
+++ b/gitops/argocd/jsonpatch-multisource.json
@@ -0,0 +1,23 @@
+[
+ {"op": "remove", "path": "/spec/source"},
+ {"op": "add", "path": "/spec/sources", "value": [
+ {
+ "repoURL": "https://git.luneski.fr/luneski/onelab-k8s.git",
+ "targetRevision": "main",
+ "path": "gitops/charts/onelab",
+ "helm": {
+ "releaseName": "onelab",
+ "valueFiles": ["../../values/k3s-example.yaml"]
+ }
+ },
+ {
+ "repoURL": "https://git.luneski.fr/luneski/onelab-k8s.git",
+ "targetRevision": "main",
+ "path": "gitops/observability",
+ "helm": {
+ "releaseName": "onelab-obs",
+ "valueFiles": ["values.yaml"]
+ }
+ }
+ ]}
+]
diff --git a/gitops/docs/BOOTSTRAP.md b/gitops/docs/BOOTSTRAP.md
index f8b722a..cb0f355 100644
--- a/gitops/docs/BOOTSTRAP.md
+++ b/gitops/docs/BOOTSTRAP.md
@@ -52,4 +52,6 @@ Secret `onelab-rabbit-tls` must exist before RabbitMQ starts (created once from
 `gitops/argocd/application.yaml` uses **`spec.sources`** (two Helm charts in one Application). Use **Argo CD 2.6 or newer**.
+If the `onelab` Application was created earlier with **`spec.source` only**, Argo will **not** show the observability resources until you remove `source` and set `sources` (a plain `kubectl apply` often leaves the old field). Use [`gitops/argocd/jsonpatch-multisource.json`](../argocd/jsonpatch-multisource.json) as documented in [`gitops/argocd/README.md`](../argocd/README.md).
+
 The second source installs Loki/Promtail/Grafana from `gitops/observability/` (`releaseName: onelab-obs`). Set a strong **`grafana.adminPassword`** in `gitops/observability/values.yaml` before production. Details: [OBSERVABILITY.md](OBSERVABILITY.md).
diff --git a/gitops/docs/OBSERVABILITY.md b/gitops/docs/OBSERVABILITY.md
index eb797be..0f0dd26 100644
--- a/gitops/docs/OBSERVABILITY.md
+++ b/gitops/docs/OBSERVABILITY.md
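Review bot: The patch in `gitops/argocd/jsonpatch-multisource.json` overwrites the Application's sources with a hard-coded `repoURL` and checks nothing about the object it is applied to, so an operator who runs the README command on a fork or mirror without editing the file silently re-points the live Application at `https://git.luneski.fr/luneski/onelab-k8s.git`. Argo CD would then deploy from a repository that operator may not control. A leading JSON Patch `test` operation makes the patch fail instead of switching origin: `{"op": "test", "path": "/spec/source/repoURL", "value": "https://git.luneski.fr/luneski/onelab-k8s.git"},`. The two source entries also duplicate what `application.yaml` declares (its `spec` is not visible in this diff), so the two files can drift apart; a comment in the README naming `application.yaml` as the source of truth would help.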
@@ -16,9 +16,9 @@ It is synced by the **same** Argo CD Application as the OneLab chart ([`gitops/a
 ## Access Grafana
-An **Ingress** is enabled by default (Traefik + cert-manager), matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`:
+An **Ingress** named **`grafana-onelab`** is created by the umbrella chart (`templates/ingress-grafana-onelab.yaml`), Traefik + cert-manager, matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`:
-- Host: **`grafana.k8s.selair.it`** (edit in `gitops/observability/values.yaml` alongside `grafana.ini.server` `domain` / `root_url`).
+- Host: **`grafana.k8s.selair.it`** — edit `grafanaOnelabIngress` and `grafana.ini.server` in `gitops/observability/values.yaml` together.
 - TLS Secret: **`grafana-tls-k8s-selair`** (cert-manager with `letsencrypt-prod`).
 Point DNS at your ingress, sync the app, then open `https:///` (user `admin` until you change values).
diff --git a/gitops/observability/templates/ingress-grafana-onelab.yaml b/gitops/observability/templates/ingress-grafana-onelab.yaml
new file mode 100644
index 0000000..2181650
--- /dev/null
+++ b/gitops/observability/templates/ingress-grafana-onelab.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.grafanaOnelabIngress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: grafana-onelab
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: grafana-onelab
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: observability
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ cert-manager.io/cluster-issuer: {{ .Values.grafanaOnelabIngress.clusterIssuer | quote }}
+ {{- with .Values.grafanaOnelabIngress.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.grafanaOnelabIngress.className | quote }}
+ {{- if .Values.grafanaOnelabIngress.tls }}
+ tls:
+ - hosts:
+ - {{ .Values.grafanaOnelabIngress.host | quote }}
+ secretName: {{ .Values.grafanaOnelabIngress.tlsSecretName | quote }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.grafanaOnelabIngress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ printf "%s-grafana" .Release.Name }}
+ port:
+ number: {{ .Values.grafanaOnelabIngress.servicePort }}
+{{- end }}
diff --git a/gitops/observability/values.yaml b/gitops/observability/values.yaml
index 178b2d4..1599e60 100644
--- a/gitops/observability/values.yaml
+++ b/gitops/observability/values.yaml
@@ -87,7 +87,17 @@ promtail:
 mountPath: /onelab-host-logs
 readOnly: true
-# Grafana Ingress: align host/TLS with gitops/values/k3s-example.yaml ingress (Traefik + cert-manager).
+# Named Ingress grafana-onelab (templates/ingress-grafana-onelab.yaml). Grafana subchart ingress is disabled.
+grafanaOnelabIngress:
+ enabled: true
+ className: traefik
+ host: grafana.k8s.selair.it
+ tls: true
+ tlsSecretName: grafana-tls-k8s-selair
+ clusterIssuer: letsencrypt-prod
+ servicePort: 80
+ annotations: {}
+
 grafana:
 adminUser: admin
 adminPassword: changeme
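Review bot: Both `host` entries in `templates/ingress-grafana-onelab.yaml` render `.Values.grafanaOnelabIngress.host | quote` with no presence check, so an override that blanks or omits `host` produces a rule with an empty host, which Kubernetes treats as matching every hostname on the ingress class. That would put the Grafana login behind any name that reaches the controller. Failing the render is safer: `- host: {{ required "grafanaOnelabIngress.host must be set" .Values.grafanaOnelabIngress.host | quote }}`, with the same guard on the entry under `tls.hosts`. The `cert-manager.io/cluster-issuer` annotation is also emitted when `tls` is false; moving it inside an `{{- if .Values.grafanaOnelabIngress.tls }}` guard would keep certificate issuance and the `tls:` block consistent.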
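Review bot: In `gitops/observability/values.yaml` the new `grafanaOnelabIngress` block defaults to `enabled: true` on `grafana.k8s.selair.it`, while the context lines directly below still ship `adminUser: admin` and `adminPassword: changeme`. A sync with untouched values therefore publishes a Grafana login protected by a password that is readable in Git. Defaulting the ingress to `enabled: false` until credentials are set, or sourcing the admin account from a pre-created Secret through the Grafana chart's `admin.existingSecret` (with `userKey` / `passwordKey`), would close that window. The `grafana:` mapping continues past the end of this hunk, so confirm that nothing further down already overrides the password.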
@@ -102,18 +112,7 @@ grafana:
 domain: grafana.k8s.selair.it
 root_url: https://grafana.k8s.selair.it/
 ingress:
- enabled: true
- ingressClassName: traefik
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hosts:
- - grafana.k8s.selair.it
- path: /
- pathType: Prefix
- tls:
- - secretName: grafana-tls-k8s-selair
- hosts:
- - grafana.k8s.selair.it
+ enabled: false
 datasources:
 datasources.yaml:
 apiVersion: 1