grafana.ts

Overview

The `grafana.ts` file is a Pulumi infrastructure-as-code module that defines Kubernetes resources necessary to expose a Grafana monitoring dashboard with secure ingress and TLS certificates. It primarily handles:

Provisioning a TLS certificate for Grafana’s ingress domain using cert-manager.
Creating Traefik IngressRoute resources to route HTTP/HTTPS traffic to the Grafana service.
Creating a fallback Kubernetes Ingress resource for basic routing.
Supporting optional additional domain configuration for flexible DNS routing.

This file abstracts the deployment details of Grafana ingress-related Kubernetes resources into a reusable Pulumi `ComponentResource` named `Ingress`, enabling easy integration into a larger monitoring infrastructure stack.

Classes and Interfaces

Interface: `deploymentArgs`

Defines the arguments required for the `Ingress` class constructor.

Property	Type	Description
`namespace`	`pulumi.Input`	Kubernetes namespace where Grafana and ingress resources reside.
`domain`	`string`	Primary domain name used to construct Grafana monitoring URLs (e.g., `example.com`).
`additionalDomain?`	`string` (optional)	Optional secondary domain for ingress routing, allowing multi-domain support.

Class: `Ingress`

A Pulumi `ComponentResource` encapsulating the creation of Kubernetes ingress resources and TLS certificates for the Grafana service.

Constructor

constructor(name: string, args: deploymentArgs, opts?: pulumi.ComponentResourceOptions)

Parameters

Parameter	Type	Description
`name`	`string`	Logical name prefix for all created Kubernetes resources.
`args`	`deploymentArgs`	Configuration options including namespace and domain information.
`opts`	`pulumi.ComponentResourceOptions` (optional)	Optional Pulumi resource options (e.g., parent resource, dependsOn).

Behavior

Calls the base ComponentResource constructor with type 'grafana'.
Creates a Certificate custom resource via cert-manager to request and manage a TLS certificate for monitoring.{domain}.
Defines a Traefik IngressRoute custom resource routing HTTP(S) traffic to the Grafana service in the namespace ${name}-monitoring.
- If additionalDomain is provided, the route matches either monitoring.{domain} or monitoring.{additionalDomain}.
Creates a fallback Kubernetes Ingress resource with a simple rule for monitoring.{domain}.
All resources use the same Pulumi options passed to the constructor for consistent lifecycle management.

Usage Example

import { Ingress, deploymentArgs } from './grafana'
import * as pulumi from '@pulumi/pulumi'

const args: deploymentArgs = {
  namespace: 'unchained-monitoring',
  domain: 'example.com',
  additionalDomain: 'example.org',
}

const grafanaIngress = new Ingress('unchained', args)

This example creates ingress resources for Grafana accessible via `monitoring.example.com` and `monitoring.example.org` in the `unchained-monitoring` namespace.

Implementation Details

TLS Certificate Provisioning

Uses cert-manager custom resource Certificate with API version cert-manager.io/v1.
Requests a certificate valid for 90 days (duration: 2160h) with renewal starting 15 days before expiration (renewBefore: 360h).
Uses RSA 2048-bit private key.
Certificate secret named grafana-cert-secret is stored in the specified namespace.
DNS name is set to monitoring.{domain}.

Traefik IngressRoute Setup

Defines an IngressRoute resource (traefik.containo.us/v1alpha1) that listens on entry points web and websecure.
Routes match either single or multiple domains using Traefik's Host() rule syntax.
Routes traffic to a service named {name}-grafana on port 80 in the {name}-monitoring namespace.
TLS enabled with the certificate secret grafana-cert-secret.

Kubernetes Ingress Fallback

Creates a standard Kubernetes networking.k8s.io/v1 Ingress resource.
Defines a rule for host monitoring.{domain}.
Does not specify backend service or TLS explicitly; serves as a fallback or minimal ingress.

Pulumi Resource Options

All Kubernetes custom resources and standard resources receive the same opts to control resource dependencies and parent-child relationships.

Interactions with Other System Components

Cert-Manager: The Certificate resource depends on cert-manager being installed in the cluster and configured with a ClusterIssuer named lets-encrypt.
Traefik: The IngressRoute resource is specific to Traefik ingress controller and integrates with it to route traffic to Grafana.
Grafana Service: The ingress routes traffic to the Grafana service named {name}-grafana in the {name}-monitoring namespace.
Pulumi Deployment: This component is typically instantiated as part of a larger Pulumi stack deploying the full monitoring stack, including Prometheus, Alertmanager, and Grafana.
DNS: Requires DNS entries for monitoring.{domain} (and optionally monitoring.{additionalDomain}) to point to the cluster ingress IP.

Summary

`grafana.ts` provides a clean abstraction for setting up secure, multi-domain ingress for a Grafana monitoring dashboard within a Kubernetes cluster using Pulumi. It automates TLS certificate management via cert-manager, traffic routing via Traefik, and fallback ingress for broader compatibility. This modular design helps ensure consistent, repeatable deployment of Grafana ingress resources as part of the overall monitoring infrastructure.

Mermaid Class Diagram

classDiagram
    class deploymentArgs {
        +namespace: pulumi.Input<string>
        +domain: string
        +additionalDomain?: string
    }

    class Ingress {
        +constructor(name: string, args: deploymentArgs, opts?: pulumi.ComponentResourceOptions)
        -secretName: string
        -domains: string
    }

    Ingress --> deploymentArgs : uses
    Ingress ..> pulumi.ComponentResource : extends

End of Documentation for `grafana.ts`