HomeInfra/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: deploy lightweight observability stack via Ansible
Some checks failed
Deploy Cluster / Terraform (push) Successful in 45s
Details
Deploy Cluster / Ansible (push) Has been cancelled
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-03-02 01:33:41 +00:00
parent 3e020b46c6
commit b30977a158
5 changed files with 225 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@@ -10,7 +10,7 @@ Production-ready Kubernetes cluster on Hetzner Cloud using Terraform and Ansible
| **Workers** | 4x CX33 |
| **Total Cost** | €28.93/mo |
| **K8s** | k3s (latest, HA) |
| **Addons** | Hetzner CCM + CSI |
| **Addons** | Hetzner CCM + CSI + Prometheus + Grafana + Loki |
| **Access** | SSH/API restricted to Tailnet |
| **Bootstrap** | Terraform + Ansible |
@@ -166,10 +166,40 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
| `S3_BUCKET` | S3 bucket name (e.g., `k8s-terraform-state`) |
| `TAILSCALE_AUTH_KEY` | Tailscale auth key for node bootstrap |
| `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
| `GRAFANA_ADMIN_PASSWORD` | Optional admin password for Grafana (auto-generated if unset) |
| `RUNNER_ALLOWED_CIDRS` | Optional CIDR list for CI runner access if you choose to pass it via tfvars/secrets |
| `SSH_PUBLIC_KEY` | SSH public key content |
| `SSH_PRIVATE_KEY` | SSH private key content |
## Observability Stack
The Ansible playbook deploys a lightweight observability stack in the `observability` namespace:
- `kube-prometheus-stack` (Prometheus + Grafana)
- `loki`
- `promtail`
Services are kept internal for tailnet-first access.
### Access Grafana and Prometheus
Run from a tailnet-connected machine:
```bash
export KUBECONFIG=$(pwd)/outputs/kubeconfig
kubectl -n observability port-forward svc/kube-prometheus-stack-grafana 3000:80
kubectl -n observability port-forward svc/kube-prometheus-stack-prometheus 9090:9090
```
Then open:
- Grafana: http://127.0.0.1:3000
- Prometheus: http://127.0.0.1:9090
Grafana user: `admin`
Grafana password: value of `GRAFANA_ADMIN_PASSWORD` secret (or the generated value shown by Ansible output)
## File Structure
```
@@ -192,7 +222,8 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
│ │ ├── k3s-server/
│ │ ├── k3s-agent/
│ │ ├── ccm/
│ │ ── csi/
│ │ ── csi/
│ │ └── observability/
│ └── ansible.cfg
├── .gitea/
│ └── workflows/