fix(argocd): multisource patch doc, Ingress grafana-onelab

- Root cause: live Application kept spec.source; Argo ignored observability chart - Add jsonpatch-multisource.json + argocd/README.md migration steps - Grafana: disable subchart ingress; add templates/ingress-grafana-onelab.yaml Made-with: Cursor
2026-03-20 11:13:55 +01:00
parent b91c35c410
commit 3802418582
7 changed files with 105 additions and 15 deletions
--- a/gitops/argocd/README.md
+++ b/gitops/argocd/README.md
@@ -0,0 +1,27 @@
+# Argo CD Application
+
+Apply the Application:
+
+```bash
+kubectl apply -f gitops/argocd/application.yaml
+```
+
+## Migrating from `spec.source` to `spec.sources`
+
+If the `onelab` Application was created **before** the observability stack, the live object may still have **`spec.source`** only. A plain `kubectl apply` of the new manifest often **does not remove** `spec.source`, so Argo never reconciles the second chart (Loki/Promtail/Grafana).
+
+**Check:**
+
+```bash
+kubectl get application onelab -n argocd -o jsonpath='{.spec.source}{"\n"}{.spec.sources}{"\n"}'
+```
+
+If `source` is set and `sources` is empty, patch once:
+
+```bash
+kubectl patch application onelab -n argocd --type json --patch-file gitops/argocd/jsonpatch-multisource.json
+```
+
+Then sync the app in Argo (or wait for auto-sync).
+
+Adjust `repoURL` in `jsonpatch-multisource.json` if your remote differs.
--- a/gitops/argocd/application.yaml
+++ b/gitops/argocd/application.yaml
@@ -1,5 +1,8 @@
 # Syncs OneLab app + observability (Loki/Promtail/Grafana) into namespace onelab.
 # Requires Argo CD 2.6+ (spec.sources). Ensure repoURL matches your remote.
+#
+# If you already had this Application with spec.source only, kubectl apply may not drop
+# source — see README.md in this folder and jsonpatch-multisource.json.
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
--- a/gitops/argocd/jsonpatch-multisource.json
+++ b/gitops/argocd/jsonpatch-multisource.json
@@ -0,0 +1,23 @@
+[
+  {"op": "remove", "path": "/spec/source"},
+  {"op": "add", "path": "/spec/sources", "value": [
+    {
+      "repoURL": "https://git.luneski.fr/luneski/onelab-k8s.git",
+      "targetRevision": "main",
+      "path": "gitops/charts/onelab",
+      "helm": {
+        "releaseName": "onelab",
+        "valueFiles": ["../../values/k3s-example.yaml"]
+      }
+    },
+    {
+      "repoURL": "https://git.luneski.fr/luneski/onelab-k8s.git",
+      "targetRevision": "main",
+      "path": "gitops/observability",
+      "helm": {
+        "releaseName": "onelab-obs",
+        "valueFiles": ["values.yaml"]
+      }
+    }
+  ]}
+]
--- a/gitops/docs/BOOTSTRAP.md
+++ b/gitops/docs/BOOTSTRAP.md
@@ -52,4 +52,6 @@ Secret `onelab-rabbit-tls` must exist before RabbitMQ starts (created once from

 `gitops/argocd/application.yaml` uses **`spec.sources`** (two Helm charts in one Application). Use **Argo CD 2.6 or newer**.

+If the `onelab` Application was created earlier with **`spec.source` only**, Argo will **not** show the observability resources until you remove `source` and set `sources` (a plain `kubectl apply` often leaves the old field). Use [`gitops/argocd/jsonpatch-multisource.json`](../argocd/jsonpatch-multisource.json) as documented in [`gitops/argocd/README.md`](../argocd/README.md).
+
 The second source installs Loki/Promtail/Grafana from `gitops/observability/` (`releaseName: onelab-obs`). Set a strong **`grafana.adminPassword`** in `gitops/observability/values.yaml` before production. Details: [OBSERVABILITY.md](OBSERVABILITY.md).
--- a/gitops/docs/OBSERVABILITY.md
+++ b/gitops/docs/OBSERVABILITY.md
@@ -16,9 +16,9 @@ It is synced by the **same** Argo CD Application as the OneLab chart ([`gitops/a

 ## Access Grafana

-An **Ingress** is enabled by default (Traefik + cert-manager), matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`:
+An **Ingress** named **`grafana-onelab`** is created by the umbrella chart (`templates/ingress-grafana-onelab.yaml`), Traefik + cert-manager, matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`:

- Host: **`grafana.k8s.selair.it`** (edit in `gitops/observability/values.yaml` alongside `grafana.ini.server` `domain` / `root_url`).
+- Host: **`grafana.k8s.selair.it`** — edit `grafanaOnelabIngress` and `grafana.ini.server` in `gitops/observability/values.yaml` together.
 - TLS Secret: **`grafana-tls-k8s-selair`** (cert-manager with `letsencrypt-prod`).

 Point DNS at your ingress, sync the app, then open `https://<grafana-host>/` (user `admin` until you change values).
--- a/gitops/observability/templates/ingress-grafana-onelab.yaml
+++ b/gitops/observability/templates/ingress-grafana-onelab.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.grafanaOnelabIngress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana-onelab
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: grafana-onelab
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: observability
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+    cert-manager.io/cluster-issuer: {{ .Values.grafanaOnelabIngress.clusterIssuer | quote }}
+    {{- with .Values.grafanaOnelabIngress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.grafanaOnelabIngress.className | quote }}
+  {{- if .Values.grafanaOnelabIngress.tls }}
+  tls:
+    - hosts:
+        - {{ .Values.grafanaOnelabIngress.host | quote }}
+      secretName: {{ .Values.grafanaOnelabIngress.tlsSecretName | quote }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.grafanaOnelabIngress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ printf "%s-grafana" .Release.Name }}
+                port:
+                  number: {{ .Values.grafanaOnelabIngress.servicePort }}
+{{- end }}
--- a/gitops/observability/values.yaml
+++ b/gitops/observability/values.yaml
@@ -87,7 +87,17 @@ promtail:
      mountPath: /onelab-host-logs
      readOnly: true

-# Grafana Ingress: align host/TLS with gitops/values/k3s-example.yaml ingress (Traefik + cert-manager).
+# Named Ingress grafana-onelab (templates/ingress-grafana-onelab.yaml). Grafana subchart ingress is disabled.
+grafanaOnelabIngress:
+  enabled: true
+  className: traefik
+  host: grafana.k8s.selair.it
+  tls: true
+  tlsSecretName: grafana-tls-k8s-selair
+  clusterIssuer: letsencrypt-prod
+  servicePort: 80
+  annotations: {}
+
 grafana:
  adminUser: admin
  adminPassword: changeme
@@ -102,18 +112,7 @@ grafana:
      domain: grafana.k8s.selair.it
      root_url: https://grafana.k8s.selair.it/
  ingress:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-      - grafana.k8s.selair.it
-    path: /
-    pathType: Prefix
-    tls:
-      - secretName: grafana-tls-k8s-selair
-        hosts:
-          - grafana.k8s.selair.it
+    enabled: false
  datasources:
    datasources.yaml:
      apiVersion: 1