feat: unify all monitoring via grafana
diff --git a/playbooks/generate_workspace.yml b/playbooks/generate_workspace.yml
index 29d3d8d..59afcf2 100644
--- a/playbooks/generate_workspace.yml
+++ b/playbooks/generate_workspace.yml
@@ -208,6 +208,7 @@
       #               service type in order to generate the URLs
       vars:
         default_map:
+          kube_prometheus_stack_grafana_host: "grafana.{{ domain_name }}"
           openstack_helm_endpoints_region_name: "{{ region_name }}"
           openstack_helm_endpoints_barbican_api_host: "key-manager.{{ domain_name }}"
           openstack_helm_endpoints_cinder_api_host: "volume.{{ domain_name }}"
diff --git a/roles/kube_prometheus_stack/README.md b/roles/kube_prometheus_stack/README.md
index 9442f90..e069671 100644
--- a/roles/kube_prometheus_stack/README.md
+++ b/roles/kube_prometheus_stack/README.md
@@ -1,159 +1,19 @@
 # `kube_prometheus_stack`
 
-## Exposing data
+There is a Grafana deployemnt with a few dashboards that are created by default
+and a Prometheus deployment that is used to collect metrics from the cluster
+which sends alerts to AlertManager.  In addition, Loki is deployed to collect
+logs from the cluster using Vector.
 
-There are a few ways to expose both the monitoring services to view the health
-and the metrics and logs of the cluster.
+## Viewing data
 
-### Port forwarding
+By default, an `Ingress` is created for Grafana using the `kube_prometheus_stack_grafana_host`
+variable.  The default login is `admin` and the password is the value of
+`kube_prometheus_stack_grafana_admin_password`.
 
-The easiest way to expose the monitoring services is to use port forwarding
-using the built-in `kubectl` command.
-
-#### Grafana
-
-```bash
-kubectl -n monitoring port-forward svc/kube-prometheus-stack-grafana 3000:80
-```
-
-Once you run the command above, you'll be able to open `http://localhost:3000`
-on your local system and view the Grafana UI.  The default login is `admin` and
-the password is `prom-operator`.
-
-#### Prometheus
-
-```bash
-kubectl -n monitoring port-forward svc/kube-prometheus-stack-prometheus 9090
-```
-
-Once you run the command above, you'll be able to open `http://localhost:9090`
-on your local system and view the Prometheus UI.
-
-#### AlertManager
-
-```bash
-kubectl -n monitoring port-forward svc/kube-prometheus-stack-alertmanager 9093
-```
-
-Once you run the command above, you'll be able to open `http://localhost:9093`
-on your local system and view the AlertManager UI.
-
-### Unprotected access
-
-If you want to expose the monitoring services, you can use the following
-overrides which will create an `Ingress` for all the services.
-
-!!! danger
-
-    This will expose the monitoring services without any authentication or
-    authorization. This is not recommended for production environments or any
-    environment where the monitoring services are exposed to the public internet.
-
-```yaml
-kube_prometheus_stack_helm_values:
-  alertmanager:
-    ingress:
-      enabled: true
-      ingressClassName: atmosphere
-      annotations:
-        cert-manager.io/cluster-issuer: atmosphere
-      hosts:
-        - alertmanager.example.com
-      tls:
-        - secretName: alertmanager-tls
-          hosts:
-            - alertmanager.example.com
-    alertmanagerSpec:
-      externalUrl: https://alertmanager.example.com
-  prometheus:
-    ingress:
-      enabled: true
-      ingressClassName: atmosphere
-      annotations:
-        cert-manager.io/cluster-issuer: atmosphere
-      hosts:
-        - prometheus.example.com
-      tls:
-        - secretName: prometheus-certs
-          hosts:
-            - prometheus.example.com
-    prometheusSpec:
-      externalUrl: https://prometheus.example.com
-  grafana:
-    ingress:
-      enabled: true
-      ingressClassName: atmosphere
-      annotations:
-        cert-manager.io/cluster-issuer: atmosphere
-      hosts:
-        - grafana.example.com
-      tls:
-        - secretName: grafana-certs
-          hosts:
-            - grafana.example.com
-```
-
-### Protected access
-
-If you want to expose the monitoring services, you can use the following
-overrides which will create an `Ingress` for all the services.
-
-```yaml
-kube_prometheus_stack_helm_values:
-  alertmanager:
-    ingress:
-      enabled: true
-      ingressClassName: openstack
-      annotations:
-        cert-manager.io/cluster-issuer: atmosphere
-        nginx.ingress.kubernetes.io/auth-type: basic
-        nginx.ingress.kubernetes.io/auth-secret: prometheus-auth
-        nginx.ingress.kubernetes.io/auth-realm: Prometheus
-      hosts:
-        - alertmanager.example.com
-      tls:
-        - secretName: alertmanager-tls
-          hosts:
-            - alertmanager.example.com
-    alertmanagerSpec:
-      externalUrl: https://alertmanager.example.com
-  prometheus:
-    ingress:
-      enabled: true
-      ingressClassName: openstack
-      annotations:
-        cert-manager.io/cluster-issuer: atmosphere
-        nginx.ingress.kubernetes.io/auth-type: basic
-        nginx.ingress.kubernetes.io/auth-secret: prometheus-auth
-        nginx.ingress.kubernetes.io/auth-realm: Prometheus
-      hosts:
-        - prometheus.example.com
-      tls:
-        - secretName: prometheus-certs
-          hosts:
-            - prometheus.example.com
-    prometheusSpec:
-      externalUrl: https://prometheus.example.com
-```
-
-Once you've deployed with the overrides above, you'll need to create a secret
-with the username and password you want to use to access the monitoring
-services.
-
-```bash
-htpasswd -c auth monitoring
-```
-
-The above will generate a file called `auth` with the username and password,
-in this case the username is `monitoring`. You'll need to create a secret with
-the contents of the file.
-
-```bash
-kubectl -n monitoring create secret generic prometheus-auth --from-file=auth
-```
-
-Once you're done, you'll be able to access the monitoring services using the
-username and password you created.
+You can view the existing dashboards by going to _Manage_ > _Dashboards_.  You
+can also check any alerts that are currently firing by going to _Alerting_ >
+_Alerts_.
 
 ## Integrations
 
diff --git a/roles/kube_prometheus_stack/defaults/main.yml b/roles/kube_prometheus_stack/defaults/main.yml
index 1890fb9..2b04c19 100644
--- a/roles/kube_prometheus_stack/defaults/main.yml
+++ b/roles/kube_prometheus_stack/defaults/main.yml
@@ -18,3 +18,10 @@
 
 kube_prometheus_stack_helm_release_namespace: monitoring
 kube_prometheus_stack_helm_values: {}
+
+kube_prometheus_stack_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
+kube_prometheus_stack_grafana_ingress_class_name: "{{ kube_prometheus_stack_ingress_class_name }}"
+# kube_prometheus_stack_grafana_host:
+
+kube_prometheus_stack_admin_password: "{{ undef('You must specify a Grafana password using kube_prometheus_stack_admin_password') }}"
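Review bot: The required-variable guard on the last added line is declared as `kube_prometheus_stack_admin_password`, but the `vars/main.yml` hunk in this commit reads `kube_prometheus_stack_grafana_admin_password` for `adminPassword`, and the README names that same variable, so the guard never covers the value that is actually used. An operator who follows the hint text sets a variable nothing visible here reads, and the Grafana password is then either undefined at render time or, if a value is defined elsewhere (not visible in this diff), not the one they chose. Rename the default and its message so all three places agree: `kube_prometheus_stack_grafana_admin_password: "{{ undef('You must specify a Grafana password using kube_prometheus_stack_grafana_admin_password') }}"`. The commented-out `# kube_prometheus_stack_grafana_host:` could get the same `undef(...)` treatment, since the Ingress in `vars/main.yml` uses it unconditionally.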
diff --git a/roles/kube_prometheus_stack/vars/main.yml b/roles/kube_prometheus_stack/vars/main.yml
index eeb27e8..ed62d7e 100644
--- a/roles/kube_prometheus_stack/vars/main.yml
+++ b/roles/kube_prometheus_stack/vars/main.yml
@@ -30,20 +30,56 @@
       nodeSelector: &node_selector
         openstack-control-plane: enabled
   grafana:
+    adminPassword: "{{ kube_prometheus_stack_grafana_admin_password }}"
     image:
       repository: "{{ atmosphere_images['grafana'] | vexxhost.kubernetes.docker_image('name') }}"
       tag: "{{ atmosphere_images['grafana'] | vexxhost.kubernetes.docker_image('tag') }}"
+    ingress:
+      enabled: true
+      ingressClassName: "{{ kube_prometheus_stack_grafana_ingress_class_name }}"
+      annotations:
+        cert-manager.io/cluster-issuer: atmosphere
+      hosts:
+        - "{{ kube_prometheus_stack_grafana_host }}"
+      tls:
+        - secretName: grafana-tls
+          hosts:
+            - "{{ kube_prometheus_stack_grafana_host }}"
     sidecar:
       image:
         repository: "{{ atmosphere_images['grafana_sidecar'] | vexxhost.kubernetes.docker_image('name') }}"
         tag: "{{ atmosphere_images['grafana_sidecar'] | vexxhost.kubernetes.docker_image('tag') }}"
+      datasources:
+        defaultDatasourceEnabled: false
     additionalDataSources:
+      - name: AlertManager
+        type: alertmanager
+        uid: alertmanager
+        url: '{% raw %}http://{{ printf "%s-alertmanager.%s" .Release.Name .Release.Namespace }}:9093{% endraw %}'
+        access: proxy
+        editable: false
+        jsonData:
+          implementation: prometheus
+          handleGrafanaManagedAlerts: true
+      - name: Prometheus
+        type: prometheus
+        uid: prometheus
+        url: '{% raw %}http://{{ printf "%s-prometheus.%s" .Release.Name .Release.Namespace }}:9090{% endraw %}'
+        access: proxy
+        isDefault: true
+        editable: false
+        jsonData:
+          timeInterval: 30s
+          alertmanagerUid: alertmanager
       - name: Loki
         type: loki
+        uid: loki
         access: proxy
         url: http://loki-gateway
         version: 1
         editable: false
+        jsonData:
+          alertmanagerUid: alertmanager
     serviceMonitor:
       relabelings: *relabelings_instance_to_pod_name
     nodeSelector: *node_selector
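Review bot: The `ingress:` block added under `grafana:` is enabled unconditionally, so the Grafana login is published at `kube_prometheus_stack_grafana_host` and the built-in `admin` account becomes the only gate in front of the proxied Prometheus, AlertManager and Loki data sources. A comment above `ingress:` should state that, for example `# Grafana is the single authenticated entry point for metrics, alerts and logs; the admin password protects all three.` Separately, `adminPassword` is passed as a plain Helm value, which Helm also keeps in the release record; the Grafana chart's `admin.existingSecret` would keep the password out of the values if that matters for this deployment. The `grafana:` mapping starts and ends outside the hunk, so any override mechanism for these keys is not visible here.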