Caution
You're viewing documentation for an unstable version of Scylla Operator. Switch to the latest stable version.
Exposing Grafana
This guide shows how to expose Grafana deployed by ScyllaDBMonitoring using an Ingress resource.
Note
This guide uses an Ingress to make the Grafana Service reachable from outside the Kubernetes cluster. Other options exist, such as an HTTPRoute from the Gateway API.
Use whatever method fits your use case best.
Prerequisites
This guide assumes that you have already deployed a ScyllaDBMonitoring in your cluster. If you haven’t done so, please follow the ScyllaDB Monitoring setup guide first.
The example below uses the HAProxy Ingress Controller. You can deploy it in your Kubernetes cluster using the provided third-party example. If you already have it (or another Ingress Controller) deployed in your cluster, you can skip the steps below.
Install HAProxy Ingress
Deploy HAProxy Ingress using kubectl:
kubectl apply -n haproxy-ingress --server-side -f=https://raw.githubusercontent.com/scylladb/scylla-operator/master/examples/third-party/haproxy-ingress.yaml
Wait for HAProxy Ingress to roll out:
kubectl -n haproxy-ingress rollout status --timeout=5m deployments.apps/haproxy-ingress
Expose Grafana using Ingress
Scylla Operator creates a ClusterIP Service named <scyllaDBMonitoringName>-grafana for each ScyllaDBMonitoring.
Grafana serves TLS using a self-signed certificate that’s signed by a CA stored in a Secret named <scyllaDBMonitoringName>-grafana-serving-ca by default.
Note
You can use your own serving certificate by setting ScyllaDBMonitoring’s spec.components.grafana.servingCertSecretName field.
Create the following Ingress resource, which routes requests with the test-grafana.test.svc.cluster.local SNI to Grafana:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "example-grafana"
  namespace: "scylla"
  annotations:
    haproxy.org/server-ssl: "true" # HA Proxy should use TLS when connecting to the backend.
    haproxy.org/server-ca: "default/example-grafana-serving-ca" # HA Proxy should trust the Grafana serving certificate signed by this CA.
spec:
  ingressClassName: haproxy
  tls:
  - hosts:
    - "test-grafana.test.svc.cluster.local"
  rules:
  - host: "test-grafana.test.svc.cluster.local"
    http:
      paths:
      - backend:
          service:
            name: "example-grafana"
            port:
              number: 3000
        path: /
        pathType: Prefix
You can apply the above manifest using kubectl:
kubectl apply -n scylla --server-side -f=https://raw.githubusercontent.com/scylladb/scylla-operator/master/examples/monitoring/v1alpha1/grafana-haproxy.ingress.yaml
Note
In production, you should make sure that the Ingress controller properly terminates TLS using certificates issued by a trusted CA, e.g. using cert-manager to automatically issue and renew certificates from Let’s Encrypt.
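The manifest above relies on two annotations for TLS between HAProxy and Grafana and on a spec.tls entry for the routed host. The following Python sketch is an added example, not part of the Scylla Operator documentation or code, that audits an Ingress object for those settings. The function names and the weakened counter-example are hypothetical, the sample object is constructed from the manifest above, and host matching is exact (wildcard hosts are not handled).

```python
import copy

# Constructed sample: the Ingress from this guide, in the shape returned by
# `kubectl get ingress -o json`, trimmed to the fields that are audited.
HOST = "test-grafana.test.svc.cluster.local"
GUIDE_INGRESS = {
    "metadata": {
        "name": "example-grafana",
        "namespace": "scylla",
        "annotations": {
            "haproxy.org/server-ssl": "true",
            "haproxy.org/server-ca": "default/example-grafana-serving-ca",
        },
    },
    "spec": {"tls": [{"hosts": [HOST]}], "rules": [{"host": HOST}]},
}


def audit_ingress(ingress):
    """Return findings for an Ingress that fronts a TLS-serving backend."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    if ann.get("haproxy.org/server-ssl", "").strip().lower() != "true":
        findings.append("haproxy.org/server-ssl is not 'true': no TLS to the backend")
    if not ann.get("haproxy.org/server-ca", "").strip():
        findings.append("haproxy.org/server-ca is unset: no CA to verify the backend")
    spec = ingress.get("spec", {})
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append("rule has no host: it applies to every hostname")
        elif host not in tls_hosts:
            findings.append(f"{host} is routed but missing from spec.tls hosts")
    return findings


def weakened(ingress):
    """Hypothetical counter-example: no backend-TLS annotations, no spec.tls."""
    bad = copy.deepcopy(ingress)
    bad["metadata"]["annotations"] = {}
    bad["spec"].pop("tls")
    return bad


if __name__ == "__main__":
    print("guide:", audit_ingress(GUIDE_INGRESS) or "ok")
    print("weakened:", audit_ingress(weakened(GUIDE_INGRESS)))
```

To audit a live object, load the output of kubectl -n scylla get ingress example-grafana -o json with json.load and pass the result to audit_ingress.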
Verify connection
Get Grafana credentials
To access Grafana, you need to collect the credentials.
GRAFANA_USER="$( kubectl -n scylla get secret/example-grafana-admin-credentials --template '{{ index .data "username" }}' | base64 -d )"
GRAFANA_PASSWORD="$( kubectl -n scylla get secret/example-grafana-admin-credentials --template '{{ index .data "password" }}' | base64 -d )"
Get Ingress IP and Port
If your cluster supports LoadBalancer services, your Ingress should be assigned an external IP address. You can get it by running:
INGRESS_IP="$( kubectl -n haproxy-ingress get svc haproxy-ingress --template '{{ index .status.loadBalancer.ingress 0 "ip" }}' )"
INGRESS_PORT="443"
Otherwise, if you’re running this locally (e.g. using minikube or kind), you can port-forward the Ingress controller service to your local machine:
kubectl -n haproxy-ingress port-forward svc/haproxy-ingress 8443:443 &
INGRESS_IP="127.0.0.1"
INGRESS_PORT="8443"
Test connection
Now, you can verify the connection to Grafana through the Ingress.
curl --fail -s -o /dev/null -w '%{http_code}' -k \
  --resolve "test-grafana.test.svc.cluster.local:${INGRESS_PORT}:${INGRESS_IP}" \
  --user "${GRAFANA_USER}:${GRAFANA_PASSWORD}" \
  "https://test-grafana.test.svc.cluster.local:${INGRESS_PORT}/"
You should see 200 as the output, indicating a successful connection.
The -k flag skips verification of the certificate presented by the Ingress controller, which is acceptable only for a test setup like this one.